Presuming the DNV ransomware attack was successful, it is only a matter of time before any stolen data appears on marketplaces, according to a security expert.
Servers for DNV’s ShipManager software were targeted in a ransomware attack on January 7, leading to DNV shutting down the servers immediately.
“It’s unclear whether DNV was attacked due to the critical nature of its operations to the global economy or simply because there was an opportunity, but any attack against this type of Operational Technology (OT)-centric organisation is concerning,” said Joshua Cruse, Senior Cyber Threat Analyst at cybersecurity firm Shift5.
“Although this data has not appeared on major marketplaces yet, assuming the attack was successful, it’s only a matter of time.”
Cruse highlighted the forward risks associated with a security breach, especially in an OT environment, and said he will continue to search and monitor the dark web for any mentions of the DNV data.
“Valuable exfiltrated data from a company like DNV likely includes data from onboard operational tech, which could make it quite simple for a bad actor to gain insight into the operational environment and potentially develop a cyber-attack on the operational systems. Given the fact that operational technology has historically relied on security through obscurity, it would be incredibly easy to leverage that information for malicious reasons, potentially bringing fleets to a halt,” said Cruse.
DNV reiterated that ShipManager software users can still use onboard systems and that the attack does not affect a vessel’s ability to operate.
“There are no indications that any other data or servers by DNV are affected. The server outage does not impact any other DNV services,” added DNV.
Dan Mayer, Threat Researcher at cybersecurity firm Stairwell, said: “Whether it’s attacking an organization like the Port of Lisbon or a software vendor like DNV that supports multiple logistics companies, both cause disruption which is a strong motivator to make ransom payments.
“This is a great example of how impactful data extortion can be. As we have seen in recent years, supply chains are not always resilient and can have global impacts on industry and individuals. The risk of harm is not just from the information locked up, but all of the economic value lost while operations are affected. It continues to show the efficacy of these attacks and how much they put the extorted party under economic pressure to pay.”
DNV said it had reported the attack to the Norwegian Police and advised customers of their responsibilities to report the incident to their local authorities. The Norwegian National Security Authority, the Norwegian Data Protection Authority (DPA) and the German Cyber Security Authority have also been made aware of the attack. The attack has affected 70 customers operating around 1,000 vessels.