The cyber threat to marine transportation

Estimative language

The chart below matches estimative language with appropriate percentages. these percentages are not derived via statistical analysis, but are based on logic, available information, prior judgements, and methods that increase the accuracy of estimates.

Long description - Estimative language chart

• 1 to 9% Almost no chance
• 10 to 24% Very unlikely/very improbable
• 25 to 39% Unlikely/improbable
• 40 to 59% Roughly even chance
• 60 to 74% Likely/probably
• 75 to 89% Very likely/very probable
• 90 to 99% Almost certainly

Key judgements

• We assess that financially motivated cybercriminals are the most likely cyber threat to affect the marine transportation sector. We assess that cybercriminals will almost certainly continue to exploit marine transportation and supporting organizations through extortion tied to ransomware, in addition to selling or exploiting stolen personal or proprietary business information. We assess that ransomware is almost certainly the most likely disruptive cyber threat to affect marine transportation operations.
• The marine transportation sector’s importance to Canada’s economic and strategic supply chains makes it a high priority target for state-sponsored cyber threat activity. We assess that state-sponsored cyber threat actors will very likely continue targeting the Canadian marine transportation sector and supporting organizations to steal logistical and operational data that can be leveraged for economic advantage, and to steal intellectual property that can be used to support state commercial, military, and intelligence priorities.
• We assess that the marine transportation sector is a strategic target for disruption or destruction by state-sponsored cyber threat actors. However, we judge that these actors would likely only intentionally disrupt or damage Canadian marine transportation infrastructure in times of crisis or conflict between states.
• We assess that non-state cyber threat actors will very likely continue targeting the Canadian marine transportation sector in connection to international events and conflicts, primarily though distributed denial-of-service (DDoS) attacks and website defacements.

Introduction

The marine transportation sector (MTS) plays a pivotal role in Canada’s economy by supporting the movement of goods and travelers to and from domestic and international markets. Marine transportation and its supporting activities contributed over $8.3 billion to Canada’s gross domestic product in 2022 and accounted for 24% of Canadian merchandise imports and 18% of Canadian merchandise exports in 2023.^{Footnote 1} Marine transportation is a key method of connection for communities and industries across Canada’s expansive geography and is the sole option for resupply in some northern communities.^{Footnote 2} The MTS’s importance to Canada makes the cyber security of Canadian ports, vessels, supporting infrastructure, and the organizations that operate them a matter of critical importance for Canada’s national and economic security.

Cyber threat activity against the MTS can have significant consequences. Cyber-enabled fraud and scams are costly for victims,^{Footnote 3} and disruptive cyber threat activity such as ransomware can interfere with marine transportation operations, implicating safety and causing costly disruptions to supply chains. For example, in 2017, the NotPetya wiper malware affected organizations worldwide, including global shipping company A.P. Møller-Maersk.^{Footnote 4} Maersk was forced to entirely rebuild the affected computer systems and experienced global operational interruptions. Maersk experienced an estimated $250 to $300 million USD in damages, and unknown additional damages on the part of Maersk customers stemming from supply chain interruptions and shipping delays.^{Footnote 5}

Digitalization is expanding the sector threat surface

The MTS is digitalizing its operations to improve efficiency and address environmental challenges such as decarbonization. Digitalization refers to the incorporation of data-informed decision making, connected technology, and automation throughout the scope of marine transportation operations. Digitalization is supported by the wide deployment of sensors that collect operational and environmental data—for example, smart buoys, video-based container recognition systems, and shipboard sensors—that provide enhanced situational awareness and allow for centralized management over marine transportation operations.^{Footnote 6} It also involves the adoption of digitally transformed operational technology (OT) and industrial systems within ports and on vessels, such as ship-to-shore cranes and physical access control systems.

Digitalization is expanding the MTS’s threat surface. Increased adoption of connected OT systems provides cyber threat actors more opportunities to exploit those systems to disrupt their functioning, or to use them to gain access to business or OT networks. New methods of connection such as very short aperture terminal satellite Internet connections extend the reach of cyber threat actors to vessels and OT systems even in remote areas. Further, the growing volume of operational and environmental data being collected and shared within and across organizations, and the systems supporting that growth, are valuable targets for commercial or strategic espionage and potential targets for disruption.

As the MTS continues to digitalize, the associated threat surface from proprietary information and data being shared with third-party service providers expands.

Arrangements where suppliers have remote access to organizational networks, or where they provide a product with consistent data exchange between organizations, increase the opportunities for supplier-based compromise by cyber threat actors.^{Footnote 9} This may include organizations that provide information technology services such as cloud or managed service providers, software-as-a-service providers, and suppliers for digitally transformed technology.

The threat from cybercriminals

The MTS is an attractive target for extortion by cybercriminals because of the economic importance of supply chains and the dependence of its clients on the continuity of shipping operations. Some cybercriminals specifically target organizations such as ports or shipping companies that may be willing to pay large ransoms to recover from disruptions as quickly as possible. However, most cybercriminal activity opportunistically targets organizations regardless of their size by exploiting vulnerable Internet-exposed devices or through bulk phishing or password spraying campaigns.^{Footnote 10}

Top 10 ransomware threats to Canada in 2024 by rank

1. AKIRA
   Ransomware-as-a-service: Yes

2. PLAY
   Ransomware-as-a-service: Yes

3. MEDUSA
   Ransomware-as-a-service: Yes

4. LOCKBIT
   Ransomware-as-a-service: Yes

5. BLACK BASTA
   Ransomware-as-a-service: Yes

6. RANSOMHUB
   Ransomware-as-a-service: Yes

7. CACTUS
   Ransomware-as-a-service: Unknown

8. CL0P
   Ransomware-as-a-service: No

9. HUNTERS INTERNATIONAL
   Ransomware-as-a-service: Yes

10. QILIN
    Ransomware-as-a-service: Yes

Cybercriminals are continuously evolving their tactics to increase their ability to extract profit from victim organizations. Illicit marketplaces for cybercrime tools and services reduce the barrier to entry for cybercriminal activity, and the proliferation of prebuilt cyber tools such as ransomware-as-a-service (RaaS) variants increases the impact even low sophistication cybercriminals can have on their victims.^{Footnote 10} In the RaaS model, a cybercrime group maintains their own version of ransomware and leases it to other cybercriminals in exchange for a portion of ransom payments they receive. In the January to March 2024 period, 8 of the top 10 most impactful ransomware variants by number and severity of incidents were assessed as being RaaS.^{Footnote 10}

The threat from state-sponsored cyber actors

State-sponsored cyber threat actors are capable of highly sophisticated threat activity that is difficult to detect and attribute and may maintain persistence within compromised environments for years before being detected.^{Footnote 21} State-sponsored threat actors, including from the People’s Republic of China (PRC), Russia, and Iran, have consistently targeted the MTS for espionage, to intimidate or project power against adversaries, and to disrupt adversary commercial and military supply chains.

The threat from non-state cyber threat actors

Ideologically motivated non-state actors, sometimes referred to as hacktivists, have become an increasingly common feature of the cyber threat environment. In 2023, pro-Russia non-state (PRNS) actors were responsible for 2 wide-spread DDoS attack campaigns against Canada intended to undermine Canadian support for Ukraine. These DDoS attacks primarily affected the public facing websites of government and private organizations across the country, including within the MTS and affecting several Canadian ports.^{Footnote 32} However, DDoS attacks by PRNS actors in September 2023 had additional disruptive effects to airports where check-in kiosks lost connectivity and caused delays. ^{Footnote 33}

Some non-state actors have attempted to maximize the disruptive impact of their DDoS attacks by targeting Internet-exposed IT infrastructure. This activity increases the risk that DDoS attacks will inadvertently affect other Internet-exposed systems and services, including edge devices, web-based applications such as Port Information Management Systems, and Internet-facing interfaces for connected industrial systems.

In May 2024, the Cyber Centre and partners issued a joint advisory warning of PRNS actors targeting Internet-exposed industrial systems. These actors opportunistically identify targets using publicly available scanning tools to search for Internet-exposed systems with vulnerable configurations. For example, they may look for systems that use default or weak passwords and without multi-factor authentication.^{Footnote 34}

It is important to note that non-state cyber threat actors may not have the expertise to correctly identify or understand the system they have compromised, may exaggerate claims of disruptive effects, and may entirely fabricate claims that they have compromised or disrupted Internet-exposed OT. False or exaggerated claims can serve to build the reputation of the groups involved and may still have a disruptive effect by causing fear and degrading trust in the system.

Outlook

The cyber security of Canada’s MTS is critical for Canada’s national and economic security. The MTS’s economic and strategic importance to Canada also makes it a compelling target for cyber threat actors with financial, ideological, or disruptive intent. As the sector continues to digitalize its operations and its threat surface grows, cyber threat actors will have additional opportunities to compromise marine transportation organizations and new ways in which to maximize the disruptive or destructive impact of their activities. This threat is compounded by the sectors already complex and interconnected nature, which creates risk that disruptions to key organizations or systems within the MTS will widely affect the safety and continuity of marine transportation operations.

Many cyber threats can be mitigated through awareness and best practices in cyber security and business continuity. The Cyber Centre encourages all critical infrastructure network owners to take appropriate measures to protect your systems against the cyber threats detailed in this assessment.

Please refer to the following online resources for more information and for useful advice and guidance.

General cyber threat information

• An introduction to the cyber threat environment
• National Cyber Threat Assessments
• Protect your organization from malware (ITSAP.00.057)
• Security considerations for critical infrastructure (ITSAP.10.100)
• Preventative security tools (ITSAP.00.058)
• Defending against data exfiltration threats (ITSM.40.110)

Digitalization and connected OT

• Cyber threat bulletin: Cyber threat to operational technology
• Protect your operational technology (ITSAP.00.051)
• Baseline security requirements for network security zones (ITSP.80.022)
• Network security zoning – Design considerations for placement of services within zones (ITSG-38)
• Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)
• Satellite communications (ITSAP.80.029)

Supply chain and supplier-based threat

• The cyber threat from supply chains
• Supply chain threats and commercial espionage
• Cyber supply chain: An approach to assessing risk (ITSAP.10.070)
• Protecting your organization from software supply chain threats (ITSM.10.071)
• Cyber supply chain security for small and medium-sized organizations (ITSAP.00.070)

Cybercrime

• Baseline cyber threat assessment: Cybercrime
• Cyber Centre ransomware overview page
• Ransomware: How to prevent and recover (ITSAP.00.099)
• Ransomware playbook (ITSM.00.099)

State-sponsored cyber threats

• Cyber threat bulletin: Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity
• Joint cyber security advisory on Russian state-sponsored and criminal cyber threats to critical infrastructure
• Cyber threat bulletin: Cyber Centre urges Canadians to be aware of and protect against PRC cyber threat activity

DDoS attacks

• Defending against distributed denial of service (DDoS) attacks (ITSM.80.110)
• Protecting your organization against denial-of-service attacks (ITSAP.80.100)
• Distributed denial of service attacks - prevention and preparation (ITSAP.80.110)