Late on a Friday afternoon in early 2015, Chris Novak got a strange call. As the director of Verizon’s investigative response team, he was accustomed to desperate corporations dialing into the group’s 24-7 hotline to stanch the bleeding caused by cybersecurity crises — credit card fraud, financial fraud, intellectual property theft. “We operate an emergency room for IT and data breach emergencies,” Novak said.
But the company on the other end of the line, a major Middle Eastern shipping concern, had a new one. In recent months, pirates — real pirates, in the South Pacific — had boarded a half dozen of this company’s ships and stolen millions of dollars worth of cargo.
That was a problem, but it wasn’t an unusual one, and hardly one for a data breach investigations team. No, what had the shipping company freaked out was that the pirates seemed to have advance knowledge of what was on its ships. In most cases, it can take hours or even days to go through the tens of thousands of shipping containers on a major cargo vessel, or to siphon off oil or gas.
These pirates, however, were in and out in 90 minutes. And when the ships’ crews emerged from the designated “safe rooms” in which they lock themselves during hijackings, they found that most of the cargo — cars and car parts — was untouched.
According to Matt Walje, a project officer at Oceans Beyond Piracy and the lead author of that group’s “The State of Maritime Piracy 2014” report, this degree of sophistication has come as a surprise in maritime security circles. The pirates had only opened and stolen from certain containers: the ones with diamond jewelry inside. That meant the pirates most likely had access to the ships’ manifests and bills of lading, documents that would provide the exact location of the most valuable and easy-to-move cargo on the ship.
The obvious, immediate suspicion was that the pirates had someone on the inside. But the company rechecked its employees’ backgrounds and came up short. So it turned to Verizon’s investigative response unit, based out of Basking Ridge, New Jersey, which investigates data breaches for corporate clients. On a whiteboard in their “war room,” Novak’s RISK (Research, Investigations, Solutions, and Knowledge) team wrote up a roster of everyone at the company who had access to the content management system (CMS), where all the shipping data was stored, and then systematically checked what all these employees were doing at their workstations, pulling email and other forensic evidence.
“As far back as we looked, none of these employees were doing anything out of the ordinary,” Novak told BuzzFeed News.
This sent Novak and his team back to the drawing board, literally. Around a conference table in the war room, they marked up an enormous, poster-sized mockup of the company’s computer network, looking for ways someone on the outside could gain access to its data.
“One thing became apparent,” Novak said. “This environment was internet accessible.” In other words, it was possible for a hacker to connect to the shipping company’s back end over the internet. With that in mind, the RISK team installed a proprietary network forensics device that analyzed all the traffic related to the shipping company’s CMS. They wanted to see whether anyone who shouldn’t have access was reaching the trove of valuable data it contained.
Over the next 28 hours, they discovered that the CMS was communicating with the outside. And what’s more, they found that on top of the CMS someone had installed a so-called web shell, malicious software that enabled users to browse, query, and download files from the CMS. Hackers had free access to information about everything the shipping company did.
CMS hacks are common in the data breach world; Novak said his team sees them all the time. But usually, they are tied to e-commerce scams, not real-world theft on a huge scale. And as Novak and his team looked through the system, they saw that some of the manifests and bills of lading that had been downloaded from outside matched up with the ships that had been hijacked.
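The kind of review described above, reduced to a small script over constructed CMS access-log lines, is shown here as an added example; it is not code from the article or from Verizon’s toolkit. The corporate address range, the legitimate CMS routes, the manifest file naming and the log lines are all assumptions made for the illustration. It flags requests from outside the company to scripts that are not part of the CMS (the web-shell pattern), manifests and bills of lading served to external addresses, and how often each outside address keeps coming back.

```python
# Added example (not from the article): flag web-shell style access in constructed
# CMS web-server access logs. Network range, routes, file naming and log lines are
# assumptions made up for this illustration.
import ipaddress
import re
from collections import Counter

CORP_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed internal network of the shipping company
KNOWN_ROUTES = {"/cms/login", "/cms/manifests", "/cms/bills", "/cms/vessels"}  # assumed CMS paths
DOC_PATTERN = re.compile(r"/(manifests|bills)/[A-Z]+-\d+\.pdf$")  # assumed document naming

# Common log format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) \d+')

SAMPLE_LOG = """\
10.20.4.17 - ops1 [12/Feb/2015:09:01:02 +0000] "GET /cms/manifests HTTP/1.1" 200 5120
10.20.4.18 - ops2 [12/Feb/2015:09:03:11 +0000] "GET /cms/manifests/VSL-1043.pdf HTTP/1.1" 200 88210
203.0.113.45 - - [12/Feb/2015:22:14:05 +0000] "POST /cms/uploads/img.php HTTP/1.1" 200 412
203.0.113.45 - - [12/Feb/2015:22:14:40 +0000] "POST /cms/uploads/img.php HTTP/1.1" 200 3904
203.0.113.45 - - [12/Feb/2015:22:15:09 +0000] "GET /cms/bills/VSL-1043.pdf HTTP/1.1" 200 60112
203.0.113.45 - - [13/Feb/2015:01:30:00 +0000] "POST /cms/uploads/img.php HTTP/1.1" 403 0
203.0.113.45 - - [13/Feb/2015:01:31:00 +0000] "POST /cms/uploads/img.php HTTP/1.1" 403 0
"""

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ipaddress.ip_address(ip), "method": method, "path": path, "status": int(status)}

def analyze(log_text):
    """Return (suspect script paths, documents served externally, hits per external IP)."""
    suspect_paths, leaked_docs, external_hits = set(), set(), Counter()
    for line in log_text.splitlines():
        r = parse(line)
        if r is None or r["ip"] in CORP_NET:
            continue  # staff workstations are expected to use the CMS
        external_hits[str(r["ip"])] += 1
        base = r["path"].split("?", 1)[0]
        if base not in KNOWN_ROUTES and not DOC_PATTERN.search(base):
            suspect_paths.add(base)  # script outside the known CMS routes: web-shell candidate
        if r["status"] == 200 and DOC_PATTERN.search(base):
            leaked_docs.add(base)  # a manifest or bill of lading served outside the company
    return suspect_paths, leaked_docs, external_hits

if __name__ == "__main__":
    for label, result in zip(("suspect", "leaked", "external hits"), analyze(SAMPLE_LOG)):
        print(label, dict(result) if isinstance(result, Counter) else sorted(result))
```

The leaked-document set is what an investigator would cross-check against the vessels that were later hijacked, as the RISK team did with the downloaded manifests.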
Steady access to detailed information about cargo was bad enough. But the RISK team discovered something even worse: The shipping company’s CMS included near-real-time GPS tracking of its vessels. Whoever was stealing this data knew exactly where the ships would be, exactly what was on them, and where. It didn’t get much easier to be a pirate.
“One thing that we definitely do know: pirates in all regions are very adaptive,” Walje said. In Southeast Asia, shipping routes frequently run through territorial waters, making national law enforcement a concern for pirates. Anything that can shave time off of a crime — like knowing exactly which containers to hit — helps, Walje said.
Judging by the outbound traffic, Novak and his team thought the hackers were hiding behind a European proxy server. Through some contacts in law enforcement, Novak concluded that the pirates had probably hired a hacking crew to get them the shipping company’s information.
“There have been pirates in that region for a long time,” Novak said. “But the hacking element is new ... Hackers can make millions of dollars without ever getting on a ship.” After all, he said, “The ocean is a big place. If you don’t know where to look, for all you know you could be hijacking a ship full of manure.”
The RISK team had found the source of the breach and identified what was going on, but they had also found another pressing issue: The hackers had downloaded a bill of lading during the investigation. Given the previous thefts, Novak’s team predicted that the corresponding ship would be hijacked in three to four days. Suddenly, they were in a race against the clock to stop another attack. Verizon shut down the real-time GPS, and the shipping company modified the course of the ship. A week went by; the ship made it to its destination. Employees at the shipping company celebrated, and so did Novak and his team.
Temporarily shutting down the GPS was triage. The RISK team next removed the web shell, deleted compromised accounts, and added a firewall to make sure the system couldn’t be reinfected. The hijackings stopped.
But the traffic didn’t, at least not right away. Again and again, Novak saw the same European IP address ping the shipping company, trying to get in. To the investigators, the persistence was a sign that even though they had thwarted one group of pirates, crises like these would become less of a novelty in the future.
“As the data breach world has evolved,” Novak said, “old-school attacks and robberies are mixing with new-school information gathering. It just makes it easier.”