Putting the Port of Nagoya Cyberattack in Context

By Luke McNamara, Principal Analyst – Mandiant, Google Cloud 

The recent cyberattack on the Port of Nagoya has once again highlighted both the criticality of the maritime industry and how the threat of ransomware is not going away. One of the busiest ports in Japan, the Port of Nagoya was reportedly forced to halt cargo loading operations in early July following a ransomware attack.

Threat actors associated with Lockbit 3.0 claimed responsibility. While the port has since been able to recover operations, this event once again underscored that cybersecurity is at the core of maintaining secure maritime infrastructure and facilitating robust economic supply chains. From the typical IT business networks that facilitate administrative processes like any other industry, to the operational technology (OT) assets that handle the movement of cargo around the facility, the attack surface and significance of ports can represent an attractive target for a variety of bad actors. 

Ransomware Operations Today

To better understand the Port of Nagoya cyberattack in context, it is important to first assess the current state of ransomware. The last several years have witnessed a growing spate of ransomware attacks across the globe that have disrupted and impacted virtually every sector. Since late 2019, an increasing number of these operations have been coupled with data theft and the threat to leak internal, often sensitive information to the public. This has given threat actors another vector to extort organizations beyond just the encryption of their data and systems, causing halts to workforce operations. Such leaked data on “name and shame” sites operated by extortion actors can spell brand and reputation damage for the victim organizations. 

Over the years the public success of these operations has attracted additional entrants into this criminal industry, who have facilitated and specialized in niche aspects from providing initial access to post-compromise exploitation to development of the ransomware itself. Often hackers will work with and switch between various Ransomware-as-a-Service providers and partners. Even nation state groups have seen the value offered by this disruptive and often deniable capability, with utilization of ransomware by suspected Russian, North Korea, and Iranian actors–among others and for differing reasons. Overall, while Mandiant responded to fewer investigations involving ransomware in 2022 than the year prior, this threat continues to be elevated. 

Cybersecurity and the Maritime Sector 

So why target ports? Broadly speaking, the two primary categories of adversaries that maritime infrastructure faces are criminal and state-sponsored threats. For criminal and financially motivated hackers, while data theft has increasingly become an attractive extortion tactic as discussed above, certain sectors are more sensitive to the actual shutdown caused by ransomware itself. For example, quarter after quarter, Mandiant has observed the manufacturing industry to be one of the most heavily targeted sectors by ransomware threat actors. Corporations in this sector are much more sensitive to any downtime caused by a loss of continuity of operations, and can often directly ascribe a monetary impact to these events. The same holds true for much of the transportation and maritime sectors as well. Even though many threat actors in the ransomware space are sector-agnostic in their targeting, some may have a tendency to pursue targets more who they believe have a greater incentive to recover operations. 

In looking at nation-state threats, perhaps one of the most significant cyberattacks on maritime infrastructure and ports was the 2017 NotPetya cyberattack. While not initially targeted at port infrastructure, the wormable capability of the malware expanded beyond initial targets in Ukraine to impact the operations of maritime giant Maersk, among others. Though it initially appeared to be ransomware, with no actual means for decryption it functioned more similar to a wiper malware in bricking the assets it impacted, and was ultimately attributed to Russia. 

Ports are not the only targets within the maritime sector at risk from state-sponsored hackers. In August 2022, Mandiant publicly uncovered a suspected Iranian cyber intrusion campaign targeting shipping entities among other industries. The assessment of the analysts who examined this campaign was that the purpose of the activity was likely espionage, especially as some of the targeted entities handled the shipping for sensitive components. This set of activity was also notable given some of the very public incidents of kinetic engagement between Iranian naval assets and commercial shipping in the Persian Gulf. Using cyber espionage to potentially gaining access to information about shipping routes and planned travel could facilitate such operations and ultimately provided another notable case study as to how nation states might target the maritime sector. 

Anticipating Future Threats 

Regardless of the vector or intent, an important question to ponder is how the targeting of maritime infrastructure and ports may evolve given the many public incidents over the years, up to and including the Port of Nagoya cyberattack. Successful, public cyber operations–even those with limited impact–can beget further operations. Financially motivated criminals see opportunities to make money. State-sponsored groups might see ways to disable or disrupt key economic nodes under the plausible deniability of pretending to be criminal operations. In regions where the geopolitical environment is fraught with increased tensions–such as those faced by the neighbors of the cyber-capable and antagonistic North Korean state–preparation and a proactive security posture is paramount. 

How should security professionals at ports respond to current and future threats? First, segmenting and hardening networks from the tactics, techniques, and procedures (TTPs) most common to disruptive actors of any kind can make infrastructure more resilient. In particular, increasing the difficulty of a successful compromise by a threat actor into the IT infrastructure to move laterally into OT infrastructure is key. Having backups, and testing being able to restore from backups is also essential. Lastly, threat intelligence that is tracking both new and emerging threats as well as the campaigns from known actors, can be key to ensuring proactive defenses. Though there is sometimes the view that activity such as ransomware is more of a concern for organizations in the United States or Europe, as the Port of Nagoya cyberattack demonstrated, actors such as those behind Lockbit 3.0 can launch attacks against targets globally. As ports have an important role to play in the global economy, ensuring their security and continued operations is in the interests of all of us. 

Luke McNamara is a Mandiant Principal Analyst at Google Cloud.

Unlock Exclusive Insights Today!

Join the gCaptain Club for curated content, insider opinions, and vibrant community discussions.

Sign Up