A U.S. Coast Guard base was crippled in a ransomware attack late December that interrupted cameras, door access control systems and critical monitoring systems.

The attack against an unnamed base, formally a Maritime Transportation Security Act regulated facility involved the Ryuk ransomware and is believed to have entered the network of the base via a phishing email.

“Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology network files, and encrypt them, preventing the facility’s access to critical files,” a Maritime Safety Information Bulletin on the attack stated.

The base and its port operations were disrupted for over 30 hours as a result of the attack.

Initially linked to North Korea in 2017 but more recently tied to a Russian criminal syndicate, Ryuk is a popular form of ransomware. It has been used in high-profile attacks such as attacks on Florida cities in June and a North Carolina water utility in October 2018. It was most recently in the news following at attack on Mexican state-owned petroleum company Petróleos Mexicanos in November.

“The U.S. Coast Guard’s announcement that a computer virus forced a maritime base offline… is the latest in a growing trend of specialized ransomware attacks, which includes last month’s on the city of New Orleans,” Bill Conner, chief executive officer of cybersecurity firm SonicWall Inc., told SiliconANGLE. “While global ransomware volume was down 10% through November 2019, cybercriminals are being more targeted than ever before, focusing on lucrative and defined targets over massive volume.”

Stuart Reed, vice president of cybersecurity for domain registrar Nominet, said that ransomware was one of the most disruptive forms of cyberattack in 2019 and it seems that that will continue to be the case in 2020.

“With countless emails and links being sent across the network it is no small task to mitigate the risk of employees falling victim to an attack, and reminds us of the importance of a layered approach to security,” Reed explained. “While access control should limit the path of an attacker and robust backups can restore systems as soon as possible, it is also important to have broad visibility of the network to identify and eliminate an attack quickly. Technical protection and defense must dovetail with business processes; ensuring employees are educated to become a strong line of defense, while a rock-solid incident response plan can deliver a swift recovery.”

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, noted that attackers define the rules of engagement in an attack, and targeting governmental and military assets will always be valuable for those seeking to disrupt society.

“This incident highlights lessons for everyone to take – whether you’re in government or in a corporate setting,” Mackey said. “Vigilance starts with preparedness.”

Photo: Department of Defense