French Shipping Firm CMA CGM Investigates 'Malware' AttackCompany Still Working to Regain Full Access to Systems
French shipping giant CMA CGM Group is investigating what it calls a "malware" attack against its systems that has been causing disruptions since at least Monday.
CMA CGM blocked internet access to some of its internal applications and platforms to keep the malware from spreading throughout its network, according to a company statement.
The shipping company notes the attack seemed centered on its "peripheral servers," but it has not provided any further details. Internal and external security teams are investigating the incident, the firm says, but it's not clear if law enforcement agencies are involved.
UPDATE/ The CMA CGM Group (excluding CEVA Logistics) is currently dealing with a cyber-attack impacting peripheral servers.— CMA CGM Group (@cmacgm) September 28, 2020
As soon as the security breach was detected, external access to applications was interrupted to prevent the malware from spreading. https://t.co/KPoceJsbly
While some internal systems have been disrupted, CMA CGM noted in a Monday update that customers can still conduct business with the company and access accounts.
"Our teams are fully mobilized and access to our information systems is gradually resuming. The CMA CGM network remains available to the group's customers for all booking and operation requests," the company said.
A company spokesperson could not be immediately reached Tuesday for additional comment.
CMA CGM is one of the world's largest container transportation and shipping companies. The firm has 755 offices, 750 warehouses and over 110,000 employees worldwide, according to its website.
Several news media reports indicated that the company appears to have been a victim of ransomware.
Lloyd's List, a publication that covers the global shipping industry, reports that the company's offices in China may have been hit first with a ransomware variant called RagnarLocker. The publication showed screenshots of a ransomware note reportedly sent to CMA CGM's offices in China.
RagnarLocker, which is also known as Ragnarok, has been active since December 2019. It's known to target Microsoft Windows devices by using stolen credentials to target vulnerable Remote Desktop Protocol connections. The attacks also use malicious versions of Cobalt Strike (see: RagnarLocker Deploys a Virtual Machine to Hide Ransomware).
In April, the gang behind RagnarLocker attempted to extort 1,580 bitcoins - worth about $11 million at the time - from Energias de Portugal, a major Portuguese electric utilities company based in Lisbon (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta' ).
Dan Piazza, a technical product manager with Stealthbits Technologies, notes that, if CMA CGM was hit by ransomware, it would mean that all four of the world's largest shipping companies have now been attacked with crypto-locking malware. The most well known of these incidents happened in 2017, when Danish shipping firm Maersk sustained an attack linked to the NotPetya global malware outbreak (see: Maersk Previews NotPetya Impact: Up to $300 Million).
"This shows the sector is a hot target for cybercriminals - and that no organization or industry is immune," Piazza says.
Supply Chains Disrupted
Cyberattacks on the shipping industry can cause widespread disruptions to the global supply chain.
That's why shipping firms should implement frequent file and data backups, as well as detailed disaster recovery plans, to help mitigate risks posed by ransomware, says Sarayu Nayyar, CEO of security firm Gurucul.
"There's no industrial or commercial 'backwater' when it comes to ransomware - everyone's a target," Nayyar says. "User education and good authentication practices do reduce the chance of infection and are essential, while frequent backups and a good disaster recovery plan that can help mitigate the infection once it happens are equally essential."
Hank Schless, senior manager at security firm Lookout, points out: "Criminals will always take advantage of weak spots in a security system. This highlights the importance of having full security visibility into each extension of your network.
"Every one of these extensions of your network is a potential entry point for a threat actor. You need to treat every potential entry point with the same level of priority in your security posture - especially in the time of remote work. Phones and tablets have just as much access to internal data as traditional devices like laptops and desktops."