Blog: Maritime Cyber Security

Did security gaps at Antwerp port enable drug smuggling operations?

Ken Munro 12 Nov 2024

TL;DR

  • Why hack shipping? For profit. Criminals have been proven to have hacked port systems to bypass security and facilitate drug smuggling.
  • Evidence of hacking? Rarely reported, but cases like MSC and Glencore’s cobalt theft and the incidents at the Port of Antwerp below provide real examples.
  • Organised crime tactics: Hackers are hired by organized crime to misdirect containers; compromise of the EncroChat messaging platform has revealed
  • Low-skill hacks: Outdated, simple tactics often used by hackers; also involve bribed insiders, coercion and threats of violence against port workers.
  • Security challenges: Ports need interoperable systems, making consistent security tough, especially for smaller operators.
  • Recommendations: Enforce patching, MFA, USB blocking, network segmentation, and robust defences to counter these threats.

Why hack shipping?

I’m often asked why anyone would attempt to hack shipping. Simple: money. Cybercriminals exploit vulnerabilities in port systems and shipping networks for high-stakes rewards, often bypassing traditional security measures. It has happened before and continues to be a significant threat to the industry.

Does it actually happen?

Hard evidence of hacking is difficult to come by, though. Incidents are rarely reported, possibly because they are kept quiet to protect organisational reputations.

The first I found was a legal case between MSC and Glencore concerning the theft of between three and 47 containers of cobalt. It’s written up here.

I spent time looking for other cases in the public domain, but drew a blank.

Organised crime interest

Then a while ago I had a call from the journalists behind the Panama Papers investigation. They had been looking at some ongoing law enforcement investigations into organised crime activity at the ports of Antwerp, Hamburg and Rotterdam. There was evidence of drug smuggling and of hackers being hired to misdirect containers, and the police.

The journalists had read our piece from 2018 and wanted to know more about the communication and messaging protocols used by the shipping industry.

Over a series of calls, we reviewed court papers and transcripts of decrypted EncroChat conversations between the smugglers and the hackers they hired. The investigation was published late last year and makes for fascinating reading.

How we think it went down

Initially, we were interested in a Russian bay planning application called Solvo.TOS. Knowledge of the bay plan (which shows where each container is stacked on the vessel) may have been necessary to decide which container to place drugs in. Solvo links to EDIFACT, the messaging standard that describes the contents of containers and where they are routed from and to. We’ve written plenty about this.

The investigators had seen evidence that the criminals understood which kinds of container loads were suitable for concealing drugs. Being able to decode EDIFACT would help in identifying those containers.
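The EDIFACT messages described above carry container identity, contents and routing in a terse segment format, and a port system should validate such messages at the interface boundary before acting on them. As an added example (not from the original post, nor code from Solvo or any port), the Python below parses a constructed BAPLIE-style fragment, honouring the UNA service string and the `?` release character, pairs each container with its stow position, and checks every container number against its ISO 6346 check digit. The segment layout and all values in the sample are assumptions for illustration.

```python
import re, string
# ISO 6346 letter values: A=10 upward, skipping 11, 22 and 33
LETTER_VALUES = dict(zip(string.ascii_uppercase,
                         (n for n in range(10, 39) if n % 11)))

def iso6346_valid(number):
    """True if an 11-char container number carries a correct check digit."""
    if not re.fullmatch(r"[A-Z]{4}\d{7}", number):
        return False
    total = sum((LETTER_VALUES[c] if c.isalpha() else int(c)) << i
                for i, c in enumerate(number[:10]))  # weights 2**0 .. 2**9
    return (total % 11) % 10 == int(number[10])      # remainder 10 -> 0

def parse_edifact(raw):
    """Segments -> elements -> components; honours UNA and the release char."""
    comp, data, rel, term = ":", "+", "?", "'"       # default separators
    if raw.startswith("UNA"):                        # service string advice
        comp, data, _, rel, _, term = raw[3:9]
        raw = raw[9:]
    segments, seg, elem, buf = [], [], [], ""
    chars = iter(raw)
    for c in chars:
        if c == rel:                                 # next char is literal data
            buf += next(chars, "")
        elif c == comp:
            elem.append(buf)
            buf = ""
        elif c in (data, term):
            seg.append(elem + [buf])
            elem, buf = [], ""
            if c == term:
                segments.append(seg)
                seg = []
        elif c not in "\r\n":                        # ignore line breaks
            buf += c
    return segments

def containers_with_positions(raw):
    """Pair each EQD container with the LOC+147 stow position preceding it."""
    position, out = None, []
    for seg in parse_edifact(raw):
        if seg[0][0] == "LOC" and seg[1][0] == "147":
            position = seg[2][0]
        elif seg[0][0] == "EQD" and seg[1][0] == "CN":
            out.append((seg[2][0], position, iso6346_valid(seg[2][0])))
    return out

# Constructed sample, not a real interchange; the second container number is tampered
SAMPLE = ("UNA:+.? 'UNH+1+BAPLIE:D:95B:UN:SMDG20'LOC+147+0120286::5'"
          "EQD+CN+CSQU3054383+22G1+++5'LOC+147+0140482::5'EQD+CN+CSQU3054384+22G1+++4'"
          "FTX+AAA+++FLOWERS ?+ PLANTS'UNT+7+1'")
```

A container whose number fails the check digit, or an EQD segment with no preceding stow position, is the kind of anomaly worth logging rather than silently accepting.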

In one instance, the hacker identified a flower-selling business. It appears that drugs were loaded into the container of flowers at the originating port and the details were passed to criminals at the destination port so that the drugs could be retrieved.

Early attempts at container theft involved interception of PIN release codes. Some ports put measures in place to mitigate this.

Given the sums of money to be made from shipping drugs, criminals have turned to other tactics, including bribery and threats of violence against port workers and others.

I was intrigued by some of the language used by the hacker, David de Valk, in the EncroChat discussions. It just didn’t come across as the words of a skilled pen tester or hacker. ‘…run SSH to bypass the firewall…’ for example simply isn’t how anyone I know would describe their activities. That seems to me more like a poorly written movie script from the 1990s!

Low skills and old exploits

Whilst the bigger players in the industry have the resources to keep their systems secure and up to date, other smaller operators may struggle. I know of significant shipping lines with only one or two people in their shore IT departments.

Interoperability is the challenge

One of the challenges of securing port systems is the need for interoperability with all players in the maritime industry. This makes adding layers of security hard, as every port, ship operator, shipping agent and more will need to be able to interface with each other.

Advice

The skills required to compromise these systems were low, highlighting the need for better cyber hygiene in the industry. Basic measures like regular patching could have made these attacks significantly harder to execute.

To strengthen security, port operators should:

  • Block unauthorised USB access and implement multi-factor authentication (MFA).
  • Use conditional access controls to limit access to sensitive systems.
  • Employ strong network segmentation and role-based access controls to restrict what low-privilege users can reach.

Ultimately, the best defence lies in investing in strong, resilient networks. In this case, the break in EncroChat communications helped investigators piece together the operation.

However, as criminals adopt more secure communication methods, authorities may face increased challenges in tracking these networks. Robust validation and ongoing cybersecurity vigilance will be essential in staying ahead of future threats.