When people talk about “pirates” and “hacking” together, it usually refers to those who release versions of software with the digital rights management systems removed or disabled. In this case, it was different. Revealed as part of Verizon’s 2015 Data Breach Investigation Report, Verizon’s RISK security response team were called in to assist a global shipping company who had fallen victim to network intrusions that were in turn used to assist in high-seas piracy.
The incident first came to light when the shipping company noticed an odd pattern in the attacks of pirates on their vessels. Instead of the typical approach of ransoming the crew and cargo of a target ship, the pirates instead operated hit-and-run attacks, seizing specific high-value shipping containers and making off with it alone.
The response team discovered that the shipping company had used a “homegrown” Web-based content management system to manage the content of their cargo ships. Upon analysis, it turned out that a malicious shell script had been uploaded to the server via a vulnerability in the software. The script gave the pirates backdoor access to the server, allowing them to upload and download files, including the bills of lading for the ships, as well as compromising a number of user passwords.
Mistakes made by the hackers allowed the hack to be uncovered easy by the response team, the primary one the script’s use of plain HTTP instead of making use of the server’s support for SSL encryption. This exposed every transmission of data to and from the server by the pirates when using the script. When put together, the team were able to see every command issued by the hackers, including a large number of spelling mistakes made in their commands. So while these cyber-attacks were certainly effective while paired with the physical attacks on the ships, those perpetrating the attacks were seemingly amateur. The biggest flaw in their hacks, however, was a complete disregard for operational security, using no proxies or other intermediaries, instead connecting directly from their home network. As a result, all it took to end the attack was the banning of the pirate hacker’s IP address.
Cyber-crime may be a serious threat in the world today, however, events like this have proven that attacks that combine both cyber and physical elements can be the most effective. Thankfully in this incident, the hackers proved themselves to have a level of incompetence that allowed them to be thwarted, but companies should be sure, more than ever, to defend themselves, not just in the physical world, but the online too.
This begs the question: if the pirates were using nothing to mask their origin, how come they weren’t slammed with the full force of the law, SWAT, helos and the wrath of God?
“Yes, we have an IP on them, let’s not honey-pot it, let’s just ban the IP address”… *slow clap* how effing stupid is that? Or are these bums too lazy to dial up the Feds? “Our SLA doesn’t cover that…” kind of thing..?
Also, this isn’t really a win for Verizon’s crack squad of white hats… it was just poor execution from the hackers’ side… which speaks volumes about the audience and the prestidigitation that goes on in the security business.