Part 3: A very modern form of piracy: Cybercrime against the shipping industry – Data Protection
UK & Europe
Cyber hackers continue to hone in on the shipping industry, considered a vulnerable and highly lucrative target, as demonstrated by the 400% increase in attempted cyber hacks on maritime companies between February and June 20201. Ransomware attackers are reported to have made at least USD 350 million worth of cryptocurrency in 20202, a steep rise from under USD 50 million in 2018. With these numbers in mind, maritime sector participants, from the smaller shipping outfit to the largest players would be well advised to think about their potential exposure to cyber-risk as well as the steps they should be taking to mitigate the risk of a cyber security incident such as a ransomware attack.
A ransomware attack, a malicious software programme installed remotely to block a user's access to its computer systems or data with the intent of extorting a ransom payment in exchange for access, typically strikes unexpectedly. A shipping business locked out of its IT systems would have difficulty communicating with its clients, suppliers, shipping agents, port authorities, and be unable to retrieve data, shipping documents, contact details. Although malware has been found aboard ship's IT systems, the majority of cyber-attacks have been perpetrated on shore-based systems, business offices and data centres from which ships, clients and personnel are managed and the logistics of transport organised.
A ransomware attack not only encrypts a business’ IT system, crippling it operationally, but it is also often accompanied by a threat to publish sensitive information publicly or to the highest bidder on the dark web. The implications of this “double extortion” could be potentially damaging, even catastrophic. The cruise line sector, which holds large amounts of customer data, is particularly vulnerable. Hurtigruten, a Norwegian cruise line operator recently hit by a ransomware attack would have had to consider this threat and the possibility that the potential release of customer details could also raise serious data protection issues. We will be examining the subject of data protection more closely in our next update.
The financial impact for a shipping business could be severe. Aside from the losses associated with the disruption of the maritime operations and the prospective ransom payment itself, there are the increasingly expensive costs of responding to the incident and the business interruption resulting from the disruption to the business. Add to this the expense of handling potential complaints from clients/customers, the costs of engaging and responding to regulators or government authorities and any ensuing third party litigation from individuals whose personal information was impacted in the incident, as well as the cost of any possible regulatory fines, and the amount continues to build up considerably. This is before factoring in a potential drop in company share value, investment and funding from a loss of confidence. By way of example, Maersk estimated the cost of the 2017 NotPetya attack to be somewhere between USD 250 million and USD 300 million.3
The reputational damage is also likely to translate in the loss of current and potential business opportunities, and may lead to the long-term loss of customers keen to avoid dealing with a maritime business seen as vulnerable, particularly if the breach was perceived as avoidable.
Following any digital disruption, a maritime company's first instinct will be to try to urgently restore its systems and resume operational control. It will also seek to prevent any threat of external data disclosure. The first thing to consider should be whether, aside from potentially paying the ransom, there are alternative viable options for performing a recovery of the systems/data. If so, these should be explored in parallel with promptly identifying and re-securing the system and associated vulnerabilities to prevent repeated attacks.
Where the threat actor alleges to have obtained data illicitly, it is important for the shipping company to validate this information. Have the hackers genuinely infiltrated the systems and obtained a copy of this data or are they making false assertions and/or relying on information collected externally from open sources?
In the process of engaging in discussions and negotiations with the threat actor, has it been possible to establish an attacker profile? This exercise will be helpful in gauging the perpetrators' intentions and identifying the most appropriate negotiating techniques. Some hackers have developed a reputation for being “reliable” negotiators whilst others may be unpredictable and unreliable.
As matters progress, have steps been taken to test decryption keys designed to unlock the paralysed system? With regard to the threat actor, has information revealing of its identity been gathered? Critical indicators include the email addresses used to communicate, the cryptocurrency address provided, any unique identifiers, and any relevant information cross-checked with recognised sanctions lists.
It is also paramount to ensure that the IT systems that were compromised are contained and secure not only to prevent a spread of the ransomware, where possible, but to prevent a further attack by the threat actor.
Other important points to consider: have the law enforcement authorities been alerted of the criminal event and the ransom demand? Have the various reporting obligations under sanctions, anti-money laundering, terrorism and other legislation been identified and fulfilled? Have the company’s insurers (if available) been notified in accordance with the cyber insurance policy? Has the legality and lawfulness of any prospective ransom payment been established?
Prior to making a ransom payment, to avoid facing fines or any other penalties, a maritime business needs to ensure full compliance with the national and international laws and regulations that a company engaged in international trade may be subject to. To take the national laws of the UK as an example, a shipping company based in the UK would need to consider the question of whether a ransom payment would fall under the Proceeds of Crime Act 2002 (POCA). POCA applies to offences committed by individuals or companies in the UK.4
Section 328 of POCA makes it an offence for a person to enter into an arrangement they know or suspect facilitates the use of criminal property by another person. Consent for the payment may be required from SOCA (the Serious Organised Crime Agency) but this is determined on a case-by-case basis.
Under Section 15(3)(b) of the Terrorism Act 2000, a person commits an offence if they know or have "reasonable cause to suspect that it will or may be used for the purposes of terrorism." A shipowner or charterer is unlikely to know or suspect whether an anonymous perpetrator will use the ransom towards terrorist activities, and it will fall on them to satisfy themselves, through due diligence, that there is no reasonable cause to suspect that the money may be used for these purposes.
Sanctions also need to be considered so that a shipping company does not fall foul of applicable sanctions regimes.
EU sanctions apply to EU nationals and companies, and to all business done in the EU including activities on a vessel under an EU member state's jurisdiction. Under this regime, EU persons and entities are forbidden from making funds available to those listed on the European Sanctions List for Cybercriminals established in May 2019 and includes entities such as WannaCry, NotPetya and Operation Cloud Hopper. Ransom payments following cyber-attacks have been subject to increased EU scrutiny and ship owners, charterers, or agents subject to ransom payments should take care not to expose themselves to civil and criminal liability by making funds available to those featuring on the EU list of sanctioned entities.
The UK sanctions regime replaced the current EU sanctions regime at 11pm on 31 December 2020, when the Sanctions and Anti-Money Laundering Act 2018 entered fully into force. Although similar, the new UK sanctions regime is not identical. It applies to all UK persons anywhere, to persons within the UK and to anyone conducting activities in the UK with regard to those activities. A global ship manager with a presence in the UK and/or a major charterer/trader based in London would fall under this regime.
A shipowner could be committing an offence by making funds available directly or indirectly to a designated person on the Office of Financial Sanctions Implementation (OFSI) list of sanctioned individuals and entities, unless it could show that it did not know or have reasonable cause to suspect that funds would be made available, directly or indirectly, to such a designated person.
Ransom payments are not a criminal offence in the US, though care must be taken not to violate the US sanctions regime. In general, OFAC (Office of Foreign Assets Control) administers and enforces economic trade sanctions for the US government. Such sanctions specifically prohibit US persons from making payments to individuals and entities on the SDN List (Specifically Designated National and Blocked Persons List). This prohibition includes ransom payments, for the release of a ship’s crew or for illicit cyber demands or events. OFAC operates, with some exceptions, a strict liability regime - meaning that, although a party may unknowingly breach sanctions provisions, the risk of sanctions enforcement still applies. However, some mitigating circumstances may be considered.
On 1 October 2020, OFAC published its most recent advisory in response to increased malicious cyber-attacks on US connected systems during the pandemic. The advisory alerts companies of the potential sanctions risks for facilitating ransomware payments to sanctioned entities, and sets out the factors considered when determining an enforcement response to an apparent violation. As ransomware events have been increasing in recent years, this advisory should be considered in tandem with the advisory on ransomware issued on 1 October 2020 by FinCEN (The Financial Crimes Enforcement Network), a US government bureau tasked with tracking financial transactions for the purpose of combating financial crimes.
The FinCEN Advisory provided potential financial red flag indicators of ransomware-related illicit activity. Some of these red flags include: (1) malicious cyber activity evident in system log files, network traffic, or file information, (2) when opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident, (3) a customer’s Convertible Virtual Currency (“CVC”) address appears on open sources, or commercial or government analyses have linked those addresses to ransomware strains, payments or related activity, (4) a transaction occurs between an organization from a high risk sector and digital forensics and incident response (“DFIR”) companies and cyber insurance companies (“CICs”), and (5) a customer initiates multiple rapid trades between multiple CVCs, with no apparent related purpose.
A non-US person may also be exposed to the US sanctions regime through facilitation of a ransom payment or a ransomware payment or event, meaning if a non-US person causes a US person to violate the sanctions regime, for example by involving a US employee with an SDN-related dealing or wire a USD payment (which usually clear through US banks), that non-US person could be liable for a sanctions violation. A shipping business considering a ransom payment should thus review its US connections: does the business use US Dollars? Are US citizens on its management team? Are any offices/branches located in the US?
In addition to the primary sanctions discussed above, secondary sanctions also apply to non-US persons even without a US nexus. These sanctions focus on economic sectors of the sanctioned country - for example, the shipping sector or the oil and gas sector. In June 2020, the US State Department sanctioned the Iranian shipping line IRISL; anyone doing business with IRISL risks sanctions which could include restrictions accessing the US financial system or the US market. A shipowner should closely verify prospective charterers are not sanctioned to avoid the risk of secondary sanctions, in connection with ransom payments or otherwise.
For up to date sanctions developments, please visit our Sanctions Hub.
A shipping company caught in a cyber-attack may find itself in the unenviable position of either facing the consequences of violating the law and/or sanctions regulations should they pay the ransom or suffering the consequences of not complying with the perpetrator's demands. This may result in systems continuing to be inaccessible, their destruction and/or the public dissemination of sensitive information involving clients, employees, commercial partners, with the collateral risk of litigation from the aggrieved parties. The risk is high. More than $50 million worth of cryptocurrency that victims paid out to ransomware addresses in 2020 have been identified as carrying sanctions risk, nearly all of which was composed of payments to two ransomware strains, Doppelpaymer and WastedLocker5.
Nevertheless, shipping companies should be aware of the severe penalties that could ensue from breaching sanctions regulations in order to protect their commercial interests. The fall out could be significant as illustrated by the following examples of enforcement actions taken by the US Department of the Treasury.
On 15 March 2021, OFAC announced a settlement of USD 216,464 with UniControl, Inc.6 for its role in exporting 21 shipments of its goods (boiler controls and other instrumentation) from the United States to two European companies with knowledge or reason to know that the goods were intended specifically for supply, transshipment, or reexportation to Iran. UniControl failed to take appropriate steps in response to multiple warning signs it encountered when engaging in business with its European trade partners.
On 18 February 2021, OFAC entered into settlement with BitPay, Inc7 for the sum of USD 507,375 based upon its alleged processing of USD 129,000 worth of digital payment transactions “on behalf of individuals who, based on IP addresses and information available in invoices, were located in sanctioned jurisdictions”
These examples highlight the importance of conducting robust due diligence to avoid sanctions violations prior to any decision being made regarding ransom payments.
Ransomware is becoming increasingly sophisticated. Attacks are likely to continue rising in the maritime sector aided by greater vulnerability following the move toward remote working triggered by the pandemic. The legal and regulatory landscape will continue to evolve as will the list of international sanctions. However, those engaged in the maritime industry must remain vigilant. We cannot discount the possibility that ransomware attacks could be undertaken in parallel with other malicious activities such as hacks of port logistics systems for the purpose of stealing valuable cargo for transportation to a destination of choice. Hackers could deploy measures in tandem to interfere with a vessel or port equipment leading to physical damage, i.e. remotely shutting off pumps or cooling systems. At the more extreme end of the scale, the development of autonomous vessels opens up the possibility of remote access to a vessel's controls that could see it hijacked, involved in a collision or even used as a weapon. It will be essential for maritime industry players to keep abreast of developments and potential new risks. If you would like to discuss in more detail any of the points raised in this update, please feel free to reach out to any of the contacts listed below or to your usual contact at Clyde & Co.
Click here to read the first article in this series.
4 S.327-329 - https://www.legislation.gov.uk/ukpga/2002/29/section/327