All hands on deck: cyber-attackers have found their way into the maritime industry (3/4)

Knowing your adversaries and knowing yourself is vital to becoming victorious. In the previous part of the series, we looked into what challenges lie ahead for innovative companies in the maritime industry and how they relate to cybersecurity issues. In this third part, we will dive into who the main threats are and why they are attacking, with in this part Iran and North Korea.

Iran

For a long time in history, Iran’s ideals and culture dominated a large part of the Middle East. Home to one of the oldest civilizations of the world, Iran’s soil fostered a developed and prosperous people. In modern times, however, things took a turn for the worst. After first an Anglo-American coup in 1953 and the subsequent Islamic Revolution in 1979, Iran has struggled to meet its ambitions, which are fueled by the awareness of its rich history, to become a regional and international power once again. There are plenty of reasons why Iran is not succeeding in its idealistic mission. There is a lot of regional hostility, driven by religious reasons, but also by the threat of the Iranian nuclear program. These hostilities have resulted in numerous violent incidents, but have also motivated international sanctions, which are limiting Iran’s ability to meet its ambitions and have crushed the economy.

Part of Iran’s ambition of becoming a regional power is modernizing its commercial and military fleet1. Iran is abundant with resources and the best way to ship them is through the ocean. Once international sanctions are lifted, Iran could use its surrounding oceans to boost the economy and make the country prosper once again. In order to control the maritime industry, the Iranian regime founded the Iran Marine Fund (IMF) with the goal of aligning the maritime industry with Iran’s national interest. This highlights the value the regime assigns to its maritime capabilities. Adding to that, Iran needs a strong fleet to safeguard itself from foreign threats, such as archenemy Saudi Arabia, and to back its territorial claims in the Strait of Hormuz, Caspian Sea and the Persian Gulf.

Iran does not have the required knowledge, funds and technology within its borders to meet their high ambitions. To succeed, Iran must look beyond its borders. The international sanctions make it nearly impossible to find the resources they need in a legal way. This is why Iran has developed and encouraged state-sponsored hacker groups that could steal the technologies they need. Over the years, reports on Iranian APTs conducting espionage have seen a stark increase.

Hunt & Hackett has observed 23 APTs originating from Iran that have shown an interest in maritime and related industries at some point in time. In their efforts to steal intellectual property and foreign technologies, they have deployed 250 TTPs and 222 Tools. Hunt & Hackett tracks these APTs and their preferred ways of attacking to know what partners can expect when being attacked and how to defend from them.

Variable Key stats on Iran: Maritime and Related Industries
APTs 23
APT names APT33, APT35, APT39, Bahamut, BlackOasis, Cadelle, Charming Kitten, CHRYSENE, Cutting Kitten, DNSpionage, Domestic Kitten, Fox Kitten, Group5, Infy, IRIDIUM, Madi, MuddyWater, Nazar, Rampant Kitten, Sima, Tortoiseshell, TRACER KITTEN
Level of sophistication Medium
Main motives Espionage; Information Theft
TTPs 250
Tools 222

Table 1 - Key statistics on APTs originating from Iran, and the TTPs and Tools they use in the maritime and related industries as observed by Hunt & Hackett.

 

North Korea

North Korea is in somewhat the same position as Iran: great ambitions, even greater limitations. The communist country has focused on acquiring a nuclear arsenal and has had some success in its efforts. However, the nuclear program, along with neglect of human rights, has incited drastic international sanctions. Many nations have imposed sanctions on North Korea, ranging from the banning of luxury goods to the prohibition of conducting trade. North Korea has been trying to adapt to these unnatural challenges by setting up a global smuggling network. The most important way of smuggling much needed goods, but also to provide in the Supreme Leader’s luxurious needs, is through the seaways surrounding North Korea.

 

Whether working to smuggle coal, oil, luxury goods, or military equipment, North Korea’s maritime fleets have been a key component of Pyongyang’s sanctions evasion methods for years.

- Asia Maritime Transparency Initiative, 2021

The sanctions have made it impossible, however, for DPRK government and companies to acquire new ships or the know-how on how to build modern ships. Or at least, they should have. North Korea has been quite successful in its attempts to evade the international sanctions and has been getting its hands on ships. The latest success was only this year, when two oil tankers were added to the DPRK fleet. This shows that North Korea knows how to walk the illicit path and is not afraid to do so2.

Under Kim Jong-Un’s rule, North Korea has built a capable cyber-army with the intention of achieving its strategic goals illegally. These cyber-groups follow instructions from Pyongyang and perform cyber-attacks on financial institutions, companies in the technology industry and manufacturers. It is only logical that the North Koreans have set their eye on maritime industries as well, as waterways are so important to them.

Data gathered by Hunt & Hackett supports this last suspicion. Hunt & Hackett has observed 6 North Korean APTs to be active, now or in the past, in maritime and related industries. In their efforts, they have deployed 133 attacking techniques and 220 tools. Hunt & Hackett tracks these techniques and tools to keep its partners safe from North Korean espionage.

 

Variable Key stats on North Korea: Maritime and Related Industries
APTs 6
APT names APT37, APT38, Kimsuky, Wassonite
Level of sophistication High
Main motives Espionage; Information Theft
TTPs 133
Tools 220

Table 2 - Key statistics on APTs originating from North Korea, and the TTPs and Tools they use in the maritime and related industries as observed by Hunt & Hackett.

 

In this post, the threat posed by Iran and North Korea to maritime industries was analyzed. This concludes the profiles of the countries that are attacking the maritime industry the most. In table 3 below, an overview of the discussed countries is shown. In the next and last post, Hunt & Hackett will take a closer look at the Netherlands to find out why they are such a popular target among APTs.

 

Key stats of the four most active countries in attacking maritime and related industries
  China Russia Iran North Korea
Key strategic objective(s) Catching up with western level of technology Modernizing outdated merchant and military fleet Modernizing outdated merchant and military fleet; enabling trade despite severe sanctions Enabling trade despite severe sanctions
Level of cyber capabilities High High Medium High
Known motives for cyber deployment Espionage; Information Theft Espionage; Information Theft; Financial Gain Espionage; Information Theft Espionage; Information Theft
#APT groups 67 27 23 6
#TTPs 650 523 250 133
#Tools 675 339 222 220

Table 3 - Overview of the most active attacking countries in maritime and related industries.

 

Sources:
1. http://www.idro.ir/en-us/Projects/Documents/Strategic%20Plan%20for%20Iranian%20Marine%20Industries.pdf
2. https://amti.csis.org/north-korea-still-obtaining-new-oil-tankers-despite-sanctions/

 

Keep me informed

Sign up for the newsletter