DNV has confirmed a recent cyberattack on its ShipManager software impacted around 70 customers operating some 1000 vessels.

The risk-management company’s ShipManager servers were subject to a ransomware attack on 7 January.

It announced the attack two days later, saying it had immediately shut down its servers.

In an update on Wednesday this week (18 January) DNV said it was working to restore the functionality of the servers.

“External technical experts have been engaged to investigate the attack, which also has been reported to the police and other relevant authorities,” it said.

“All vessels can still use the onboard, offline functionalities of the ShipManager software, other systems onboard the vessels are not impacted. The cyber-attack does not affect the vessels’ ability to operate.”

DNV said there are no indications any other data or DNV servers have been affected. It said the server outage does not impact any of the company’s other services.

DNV said the attack has been reported to the Norwegian Police, Norwegian National Security Authority, the Norwegian Data Protection Authority and the German Cyber Security Authority.

“All affected customers have been notified about their responsibility to notify relevant Data Protection Authorities in their countries.”

DNV said it is working with global IT security partners to analyse the incident as part of the investigation and is in contact with all ShipManager customers.

It said all affected customers have been advised to consider mitigation measures depending on the types of data they had uploaded to the system.

Understanding the threat

The cyberattack against DNV has drawn the attention of some cybersecurity experts.

Senior cyber threat analyst Joshua Cruse, of transportation security and data company Shift5, said there are a concerning number of attacks against operational technology (OT) and critical infrastructure sectors.

However, he said ransomware groups look for specific vulnerabilities and scan the internet for an opportunity to deploy against potential victims that might pay.

Mr Cruse used the example of Lockbit, which recently attacked the Port of Lisbon, and which typically uses leaked passwords and public facing applications.

“It’s unclear whether DNV was attacked due to the critical nature of its operations to the global economy or simply because there was an opportunity, but any attack against this type of OT-centric organisation is concerning,” Mr Cruse said.

“Although this data has not appeared on major marketplaces yet, assuming the attack was successful, it’s only a matter of time.

“Valuable exfiltrated data from a company like DNV likely includes data from onboard operational tech, which could make it quite simple for a bad actor to gain insight into the operational environment and potentially develop a cyberattack on the operational systems.

“Given the fact that operational technology has historically relied on security through obscurity, it would be incredibly easy to leverage that information for malicious reasons, potentially bringing fleets to a halt.”

And Dan Mayer, threat researcher at threat detection and response company Stairwell said most financially motivated attacks are opportunistic in nature.

“It’s possible that the attackers expect that logistics companies are more likely to pay due to the high cost of operational disruptions,” Mr Mayer said.

“As far as the targets, whether it’s attacking an organisation like the Port of Lisbon or a software vendor like DNV that supports multiple logistics companies, both cause disruption which is a strong motivator to make ransom payments.”

Mr Mayer said the recent examples demonstrate how impactful data exertion can be.

“As we have seen in recent years, supply chains are not always resilient and can have global impacts on industry and individuals,” he said.

“The risk of harm is not just from the information locked up, but all of the economic value lost while operations are affected.

“It continues to show the efficacy of these attacks and how much they put the extorted party under economic pressure to pay.”

Mr Mayer said companies need to be able to move quickly to determine whether attackers are in their environment and oust them from the corporate network before the ransomware can be deployed.

“This means detecting all the steps leading up to data extortion, such as phishing or the exploitation of known vulnerabilities as the initial point of entry, the installation of remote administration tools or post-exploitation frameworks, and the escalation of privileges through credential dumping and lateral movement until they reach domain admin.

“All of these actions make noise that can be caught in a timely manner with adequate detection and hunting capabilities.

“A commonality amongst all ransomware intrusions is that the threat actor must become domain administrator to deploy their ransomware enterprise-wide.”