BreachExchange mailing list archives
How COSCO responded to a cyberattack on its systems
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 31 Jul 2018 20:50:06 -0500
https://www.supplychaindive.com/news/COSCO-cyberattack-response-timeline/529008/

The attack shut down the carrier's customer service phone lines and emails in the Americas, forcing a contingency plan on one of the world's largest shipping lines.

Tuesday, July 24: News breaks of cyberattack on US operations

COSCO acknowledges a network issue @ 1 p.m. (COSCO)
“We regret to inform you that our local network and systems in US are breakdown, and some email boxes are not available now,” the carrier wrote in a customer advisory. Systems in other regions of the world, vessel operations and terminal operations remained “as normal,” however. COSCO asked customers to submit booking requests through its website’s e-commerce function or use one of about 40 temporary email addresses to communicate with representatives.

First reports of COSCO’s outage @ 1:14 p.m. (JOC.com)
News breaks: COSCO Shipping’s U.S. operations were struck by a cyberattack, “compromising the ability of the carrier to communicate with its vessels, customers, vendors, and marine terminals,” JOC.com’s Bill Mongelluzo wrote. “We have got work-arounds in place,” Howard Finkel, senior vice president of trade at COSCO, told the publication.

COSCO suggests attack is limited to U.S. @ 3:29 p.m. (Press Telegram)
Fears of a worst-case scenario subside as the Long Beach Press Telegram writes that the terminal remains operational, although COSCO’s U.S. website and toll-free number were shut down. The first mention of a “ransomware” attack emerges. “A spokesman for the Shanghai-based company, which acknowledged the ransomware attack Tuesday, said the company’s operations outside the United States were not affected,” writes Mark Edward Nero for the Press Telegram.

Wednesday, July 25: Details emerge, revealing an Americas-wide problem

COSCO publishes a customer advisory @ 4:56 a.m. (COSCO)
Less than a day after the first notice, COSCO recognized the problem originated “within our America regions,” and could extend further. “For safety precautions, we have shut down the connections with other regions for further investigations,” the customer advisory reads. “We are glad to inform you that we have taken effective measures. Except for above regions affected by the network problem, the business operation within all other regions will be recovered very soon.”

Media reports of attack accelerate, but details remain sparse
- COSCO US hit by cyberattack (Splash 24/7)
- 10:55 AM | Cosco Reports Cyberattack at its U.S. Operations (Maritime Executive)
- 11 AM | Ransomware attack hits COSCO in US (Supply Chain Dive)
- 3:55 PM | China’s Cosco Shipping Hit by Cyberattack in U.S. (The Wall Street Journal)

COSCO responds to media claims on Twitter
“Despite some recent media reports, neither our Long Beach terminal at Pier J nor our COSCO Shipping UK offices have been affected by the network breakdown.” – @COSCOSHPGLines at 11:15 a.m.
“Pacific Container Terminal (PCT) is operating smoothly and has not been affected by the network breakdown. Our Long Beach customer service center (COSAG), however, has been adversely affected.” – @COSCOSHPGLines at 11:28 a.m.

Thursday, July 26: All hands on deck to reach customers, control impact

COSCO: Impact of cyberattack has been contained to Americas @ 6:45 a.m. (COSCO)
In an update to its customer advisory, COSCO said it had taken “proactive measures to isolate internal networks” and carried out inspections on a global scale. “With the reliable confirmation from the technical experts that the networks in all other regions are secure, the network applications were recovered” at 4:00 a.m. on July 25, the carrier wrote. Problems in the Americas were still being investigated and fixed, however. “During this network failure period, there could be delays in service response in the Americas,” said COSCO.

Carrier accelerates social media outreach to route service requests
As part of its contingency plan, COSCO takes advantage of social media to reply directly to Facebook comments and tweets regarding its service issues.

COSCO posts first FAQ, detailing broad extent of problem (FAQ)
The detailed document reveals the “Americas” problem extends beyond the U.S. to Canada, Panama, Argentina, Brazil, Peru, Chile and Uruguay, with varying degrees of dysfunction. It also reveals it cannot take hazardous or specialist cargo in Panama and Peru, and details specific emails to address various business functions per region.

Friday, July 27: Shippers receive more details, targeted guidelines

Network applications begin to recover ‘gradually,’ according to notice @ 9 a.m. (COSCO)
COSCO says it recovered its Americas network applications – which include electronic data connections with customs, terminals and railways in North America – as of 12 p.m. on July 26. “Currently, global network of COSCO SHIPPING Lines is running stably and safely. The network applications in the Americas are being recovered gradually,” the carrier wrote. “We are now taking further security measures to recover local email service.” COSCO makes it a habit to update its FAQs upon each change in status. By July 30, there would be three general versions of the FAQ, and six versions of a U.S.-specific document.

Los Angeles and Long Beach port customers receive special advisory @ 11 a.m. (COSCO)
Shippers are asked to resend any emails sent prior to the network problem to a new set of email addresses. “These emails would be used until the network problem is solved,” the advisory reads.

COSCO updates Rail Ramp Storage and Per Diem Policy @ 7:20 p.m. (COSCO)
The carrier extended the timeframes on these two fee policies to accommodate delays caused by its network failure, as it showed more activity on its U.S. operations. The U.S. website remained offline, but attempts to reach it now redirected to a separate webpage with dedicated advisories.

Monday, July 30: COSCO (mostly) restores service

Network applications in Americas are ‘fully recovered’ @ 1:58 a.m. (COSCO)
“All communication channels including telephone, email, and electronic data exchange have been restored,” a new update read. “We are working at a full stretch to process all the service requests received previously, and the service response is expected to be back on track within this week.”

Except for Los Angeles / Long Beach … @ 4:15 p.m. (FAQ)
The sixth version of the U.S.-specific FAQ revealed COSCO would still use its Yahoo contingency email for service in the country’s largest port complex. “Our company customer service email is back to normal except LA/LGB,” the FAQ wrote. “Under the premise of ensuring network security, www.cosco-usa.com has not yet open,” it added.

Details on the type of cyberattack remain scarce (Facebook Post)
Although reports suggest the attack was induced by ransomware, COSCO has publicly released few details from its investigation. In a comment on the carrier’s Facebook page, Matt Webster, a purported customer, asked “what was the cause and type of the incident? If ransomware then what type and is the source known?” COSCO replied: “Thank you for your comment. This type of information will not yet be released. Thanks for your understanding and patience.”

Takeaways from the 5-day sprint

The way COSCO handled its cyberattack may serve as a lesson in future cases. Details remain sparse, but the record shows a 5-day sprint to activate contingency plans and keep customers aware of solutions. Some hiccups occurred, but that is to be expected with a cyberattack, Keith O’Byrne, head of solutions at supply chain cybersecurity firm Asavie, told Supply Chain Dive.
“Incident response is a challenging field — if services are restored quickly, it's legitimate to ask why they were impacted in the first place,” O’Byrne wrote in an email. “Equally, there is the question as to whether malware or infection has been truly purged. InfoSec teams can face huge pressure to ‘just get it back working’.”

That some services remain down points to a “better scenario — COSCO’s services are being brought back on a phased basis,” he said. “In the absence of insider information, this is a sign that a methodical approach is being followed.”