Fraud Management & Cybercrime , Ransomware

Shipping Giant Cosco Hit by Ransomware Attack

Networks in Eight North and South America Countries Offline
Shipping Giant Cosco Hit by Ransomware Attack
Photo: Frans Berkelaar (via Flickr/CC)

(Update: In a July 30 statement, Cosco says its "network applications in the Americas have been totally recovered."

See Also: Code Red: How KnowBe4 Exposed a North Korean IT Infiltration

A "local network breakdown" - reportedly caused by a ransomware infection - led Chinese shipping giant Cosco to shut down all networks for its offices in the United States and seven other countries while it scrubbed and restored systems.

"For safety precautions, we have shut down the connections with other regions for further investigations," state-owned Cosco, aka China Ocean Shipping Company, said in a customer alert published Wednesday. "So far, all the vessels of our company are operating as normal, and our main business operation systems are performing stably."

Cosco has offices in 27 North American and South American countries, but not all of them are affected. "The network failures affected areas include the United States, Canada, Panama, Argentina, Brazil, Peru, Chile and Uruguay," the company says in a Thursday FAQ.

Outbreak Not Global

In a Thursday update, Cosco said the ransomware outbreak was limited to parts of North and South America, and that remediation efforts were continuing.

Cosco's mascot. (Source: Facebook)

"We are trying [our] best to investigate and fix the network problem in the Americas, and it is expected that the network applications will be gradually back to normal soon," it says. "We have started contingency plans, such as transfer of operations and conducting operation via remote access, to ensure continuous service in the Americas. During the network failure period, there could be delays in service response in the Americas, and we are expecting your kind understanding."

The company appears to have responded quickly to the ransomware outbreak. When it was detected, Cosco said it proactively opted "to isolate internal networks to carry out technical inspections on global scale." By Wednesday, the company said that its information security experts had verified that aside from its Americas operations, "networks in all other regions are secure."

"The business [recovery] operations in the Americas are still being carried out, and we are trying our best to make a full and quick recovery," the company said, apologizing for the "inconvenience."

In a Friday update, Cosco notes: "The network applications in the Americas are being recovered gradually."

Reports Cite Ransomware Infection

Multiple maritime news outlets, including Lloyd's List, said that internal Cosco emails reported that the company's network interruption was due to a ransomware outbreak.

Cosco didn't respond to a request for comment, including a query about what type of ransomware might have been responsible, how many systems were affected or if it's received a ransom note.

Affected Cosco offices, including those in the U.S., have been left unable to use corporate email or phone systems.

"Due to the local network breakdown within our Americas region, local email and network telephone is not working properly at the moment. For safety precautions, we have shut down connections with other regions for further investigations," the company said in a Facebook post on Wednesday.

Cosco's U.S. operations have been using social media channels and Yahoo webmail addresses to communicate with customers.

Port of Long Beach Sees No Disruptions

Port of Long Beach in California

The ransomware outbreak comes shortly after Cosco took over Orient Overseas Container Lines - one of its Asian rivals - which also gave it control over a large container facility at the Port of Long Beach, The Wall Street Journal reports.

Port of Long Beach is the country's second-busiest container port, after the Port of Los Angeles.

"Ships, trains and trucks are coming in and out as usual," Port of Long Beach spokesman Lee Peterson told shipping publication TradeWinds on Wednesday.

"As of this point, because perhaps Cosco has a separate terminal operating system, the attack has not affected operations at the terminal, he said.

To satisfy national security concerns over its Chinese state ownership, Cosco has promised to put its large container terminal into a trust, The Wall Street Journal reports.

Follows NotPetya Outbreak

Last year, the world's biggest shipping firm, Maersk, fell victim to NotPetya ransomware in late June, forcing it to reroute ships and leaving it unable to dock or unload cargo ships in dozens of ports.

The Danish shipping giant estimated that it would suffer up to $300 million in losses due to the ransomware outbreak.

In recent months, security experts say many criminals have shifted from crypto-locking malware attacks to using malware that is designed to infect systems and mine for cryptocurrency. But while these "cryptojacking" attacks are on the rise, many criminal gangs continue to run ransomware campaigns (see Cryptojacking Displaces Ransomware as Top Malware Threat).

James Lyne, global research adviser at Sophos, says that since January, three strains of ransomware have been especially prevalent: Data Keeper, Satan and Gandcrab (see Ransomware: No Longer Sexy, But Still Devastating).

Researchers say that SamSam ransomware, which has been used this year in targeted attacks against a number of organizations, also remains a potent threat (see SamSam Ransomware Offers Volume Decryption Discount).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.