Hackers penetrated the computer network at a key US port but did not disrupt operations
The Port of Houston incident is one example of the interest foreign spies have in monitoring major US seaports, and it comes as US officials attempt to fortify critical infrastructure against such intrusions.
“If the compromise had not been detected, the attacker would have had unrestricted remote access to the [IT] network” using stolen login credentials, reads an analysis of the US Coast Guard Cyber Command report, which is unclassified and marked “For official use only.” “Effects that could impact port operations.”
The Port of Houston is a 25-mile-long complex through which 247 million tonnes of cargo pass each year, according to its website.
It’s unclear who was behind the breach, which appears to be part of a larger spy campaign. Asked about the incident during a Senate hearing on Thursday, US Cybersecurity and Infrastructure Security Agency Director Jen Easterly said she believed a hacking group backed by a foreign government was responsible.
Attribution of cyber attacks “can always be complicated,” Easterly told the Senate Committee on Homeland Security and Governmental Affairs. “At this point, I should come back with my colleagues, but I think it’s a nation-state actor.”
“The campaign so far is limited, but we are continuing to work on it and I am happy to keep you posted,” she told lawmakers.
The Coast Guard’s analysis did not mention a foreign government or the Port of Houston, but Easterly identified the port as the targeted entity.
A Coast Guard spokesperson told CNN that “the Coast Guard cannot confirm which entities were behind this recent cyber incident.”
A spokesperson for the Port of Houston said, “The Port of Houston Authority (Port Houston) successfully defended itself against a cybersecurity attack in August. Port Houston followed its facility security plan in accordance with the Maritime Transportation Security Act (MTSA), and no data or operating system has been affected as a result.”
“We believe the actors are state sponsored and their objective is likely to conduct espionage on behalf of a foreign government,” Sarah Jones, senior analyst at Mandiant Threat Intelligence, told CNN. “Although the nature of the targets certainly aligns with historical Chinese [advanced persistent threat] activity, we did not attribute any of these attacks to Chinese spy operators.”
In the case of the Port of Houston, the unidentified hackers broke into a web server somewhere in the complex using a previously unidentified vulnerability in password management software at 2:38 p.m. UTC on August 19, according to the Coast Guard report. The intruders then implanted malicious code on the server, which allowed additional access to the computer system.
About 90 minutes after the initial breach, hackers stole all login information for a type of Microsoft software that organizations use to manage passwords and access to their networks, according to the report. Minutes later, cybersecurity personnel at the port isolated the hacked server, “cutting off unauthorized network access,” the advisory said.
Sean Plankey, a Coast Guard veteran and former senior White House cybersecurity official in the Trump administration, said the swift response to the incident was a sign the Coast Guard was becoming more proficient in cyberspace.
“Our adversaries know, probably better than most Americans, that our country’s economy goes through our ports,” Plankey told CNN.
A handful of security incidents in recent years have prompted U.S. officials to focus more on maritime cybersecurity.
The US government released a maritime cybersecurity plan in January which set the goal of “closing maritime cybersecurity gaps and vulnerabilities over the next five years.”
Scott Dickerson, who heads the Maritime Transportation System Information Sharing and Analysis Center, an industry threat sharing center, said the industry has made progress in strengthening its cyber defenses in recent years.
“Several port communities have established information exchanges, which allow local stakeholders to collaborate more effectively to improve the cyber-resilience of the local supply chain,” Dickerson told CNN.
This story was updated with additional details on Thursday.