Blog: Maritime Cyber Security

Container theft, the legal system and poor maritime security

Ken Munro 21 Sep 2018

One of the most interesting legal cases I’ve read recently involves a theft of two containers of cobalt metal briquettes from a terminal at the port of Antwerp.

Original judgment: https://www.casemine.com/judgement/uk/5a8ff72360d03e7f57ea85a9

Appeal: http://www.bailii.org/ew/cases/EWCA/Civ/2017/365.html

What drew me to this case was the amount of useful data that had entered the public domain concerning a crime involving containerised transport. Details of poor security practice had been disclosed in to the public domain as a result of the legal case.

I believe the shipping industry can learn a great deal about basic security controls from this.

Container release

In many ports, containers are released to hauliers from a port on supply of a PIN code. The truck driver provides the PIN and will receive the appropriate container. This is known as an electronic release system or ‘ERS’ and was first implemented at Antwerp in 2011.

This PIN is communicated to the haulier in different ways depending on the port.  This could involve email or a mobile application.

It didn’t take long for criminals to realise that this single factor of authentication would be easy to exploit and use to steal containers: the crime took place in 2012.

However, one also needs to know which container to target in order to maximise return on the theft: high value, easily tradable, untraceable commodities would be ideal.

One route to identify container contents would be to tap the EDIFACT messaging system, perhaps at a shipping agent. Agents also manage the process of issuing release codes from the port authority. An ideal candidate for the hacker to attack.

Improved release process

The judgements refer to an improved release process implemented after the original loss. Section 15 of the document discusses that containers will only be released to drivers from a specific transport company. ID would also be requested from the driver.

  • Clearly that isn’t going to cause too much difficulty to a seasoned criminal intent on stealing high value container contents!

Surely a better method would be to validate the driver via the transport company?

The hack

Forensic investigations carried out as part of criminal proceedings are referenced in the appeal documents.

Whilst there is dispute whether the investigation ever occurred (clause 72), it suggests that PWC were engaged and discovered evidence of back doors or similar on the MSC agents (Steinweg) network. This may have led to container release codes being intercepted by hackers.

Clause 72:

On 5 January 2017 Mr Duval was copied in on an email message from Glencore’s solicitors – Gateley Plc – referring to an article in Bloomberg which suggested computer hacking at the offices of MSC Belgium. The article reported that technicians had found a bunch of surveillance devices on an MSC network and that MSC had hired a private investigator who had called PWC’s digital forensics team which learned that computer hackers were intercepting network traffic to steal pin codes. Gateley on behalf of Glencore sought disclosure from MSC of documents in their control in respect of the matters referred to in the article. Mr Duval emailed later saying that he was instructed by MSC that there was not and never had been a PWC report.

It appears from clause 73 that two attempts were made via malicious PDF attachments to email, sent to a general mail account at Steinweg.

Clause 73:

The material obtained from the criminal file included two statements which, Mr Duval suggested, revealed that the hacking had not been at MSC but at Steinweg. The first statement from Ms Sarah Ooms to the police dated 20 June 2012, two days before MSC Belgium sent the codes to Steinweg, stated that on 14 June 2012 her computer was hacked and that a second attempt was made on 19 June 2012 on both her computer and that of Charles Reynolds-Payne, Steinweg’s commercial manager.

Clause 74 suggests that these were not in fact PDF attachments, but malicious files that would install rogue software. This is classic email-borne phishing activity.

Whilst information in clause 74 indicates that no-one installed the rogue file, I find that hard to believe.

Clause 74:

What the hacking consisted of was that an email of 14 June 2012 appeared to come from CSAV, another shipping line which makes use of the MSC Home Terminal, and was sent to what was a general email address for Steinweg so that everyone in the office received it. Attached to the email was a PDF file to which a CSAV bill of lading was attached. In the bill, Ms Ooms was mentioned in the box specifying Steinweg as the Notify Party as the person for whose attention any notification should be given. On opening the document she received an indication that she should execute an Acrobat Reader update from a specified website. She did not do so. Nor did she believe that any of her colleagues did so either. She contacted a man at CSAV in the Netherlands who said that he had not sent the email.

Several individuals at different organisations involved in the PIN release system received similar emails, forged to appear to come from each other.

This shows knowledge of the release system and operational processes. Clearly, the hackers either knew the process from insider information or had worked it out from open source intelligence gathering.

Whether or not this was the source of the back door is not clear, as there is also evidence of physical compromise of the agents offices:

Physical compromise

Clause 78 indicates that a physical implant was placed at the agents office. An unauthorised NAS was found on the network, an ‘appliance which permits unlawful remote’ access. Aside from the amusing misunderstanding of the function of a NAS, the agents IT department claimed that their firewall had blocked its access to the internet. I find it very hard to believe that a hacker prepared to take the risk of planting a physical back door would have any difficulty circumventing that firewall!

Clause 78:

The second statement was from Mr Graziano Asnot, the Steinweg systems manager, and was dated 15 July 2014. He stated that an NAS appliance was found in the office next to the office of Steinweg’s financial director. This is apparently an appliance which permits unlawful remote electronic eavesdropping and snooping. A check was made of log data which revealed that an active appliance had tried to make outside contact. This had been blocked by the fire wall so that, Mr Asnot suspected, no data had got out through the company network. There was no information as to when the appliance was placed and MSC submits that there was, therefore, no reason to think that it had not been in place for a long period and indeed as far back as June 2012, the time of the theft. On that evidence there is, in fact, no way of telling.

The agent IT systems manager stated that the firewall logs were checked. A skilled hacker would have little difficulty modifying the logs if any errors had been made with configuration of the firewall.

Planting of physical back doors indicates a well resourced criminal group that had detailed knowledge of port and agent systems.

Inconsistencies in the evidence

“confirmation from the IT department that employees were not allowed to perform updates save onto laptops.”

The email attachment was not an update. It was malware! That employees were not allowed to install updates probably didn’t have much bearing on the success of the malware.

“understood from the police that it was thought that in some way the thieves were able to hack one or other of the parties involved in order to gain the containers but that, so far as he was aware, the police inquiries into the incident had not yet reached a conclusion.”

I believe this comment is from the initial trial in 2014. Two years after the incident and police authorities had still not concluded an investigation!

Wider issue at the Port of Antwerp?

Steinweg apparently had another case of cobalt briquettes being stolen in November 2011, through a similar method.

However ‘cyber-crime had been an issue in the port of AntwerpWow!

Conclusion and learnings

Criminals clearly realised that the single-factor PIN release system at the port of Antwerp was vulnerable to compromise.

Through relatively simple phishing and then placement of physical back doors at shipping agent(s), the PIN release codes were compromised.

High value, untraceable commodities were stolen in containers over a significant period of time.

Given the returns from the crimes, I would not be surprised to discover that inside information had been extracted from employees by the criminals.

Even after the thefts were discovered, sufficiently robust controls were not immediately put in place to prevent future theft.

This incident is from 2012. It shows to me that, where security controls are weak, criminals will quickly take advantage.

Yet, even today, shipping lines, agents and ports do not put sufficient effort in to securing their systems from attack. The returns for criminals are significant, load theft will continue apace.