Cybercrime against the shipping industry – Part 2: Ransomware

Cyber hackers were continuing to home in on the shipping industry, which they considered to be a vulnerable and highly lucrative target, Clyde & Co’s Rosehana Amin, Senior Associate; Rory Duncan, Senior Associate; Daniel Jones, Partner and John Keough, Partner have written in the second part of legal firm Clyde & Co’s study of cybercrime within the global shipping sector.

The writers said that there had been a 400% increase in attempted cyber hacks on maritime companies between February and June 2020, while ransomware attackers were reported to have made at least $350m in cryptocurrency in 2020.

Although malware had been found aboard ships’ IT systems, Clyde said that the majority of cyber-attacks had been perpetrated on shore-based systems, business offices and data centres from which ships, clients and personnel were managed and the logistics of transport organized.

Ransomware can both encrypt an IT system, making it non-operational, and be accompanied by a threat to publish sensitive information publicly or to the highest bidder on the dark web.

Clyde said that the cruise line sector, which held large amounts of customer data, was particularly vulnerable. Norway-based Hurtigruten was recently hit by a ransomware attack and would have had to consider this threat and the possibility that the potential release of customer details could also raise serious data protection issues.

Clyde said that a ransomware attack could have both financial and reputational consequences.

The financial impact for a shipping business could be severe. There were losses associated with the disruption of the maritime operations and the prospective ransom payment itself, added to which there were the increasingly expensive costs of responding to the incident and the business interruption resulting from the attack.

Finally there was the expense of handling potential complaints from clients/customers, the costs of engaging and responding to regulators or government authorities, and any ensuing third party litigation from individuals whose personal information was impacted in the incident, as well as the cost of any possible regulatory fines.

Maersk estimated the cost of the 2017 NotPetya attack to be somewhere between $250m and $300m.

On the reputational side, any damage was likely to translate into a loss of current and potential business opportunities. It could lead to a long-term loss of customers, who would prefer not to deal with a business that has shown itself to be vulnerable to cyber-attacks.

On the legal side, prior to making a ransom payment, to avoid facing fines or any other penalties, a maritime business needed to ensure full compliance with the national and international laws and regulations that a company engaged in international trade might be subject to. In the UK a domestically-based shipping company would need to consider the question of whether a ransom payment would fall under the Proceeds of Crime Act 2002 (POCA). This applies to offences committed by individuals or companies in the UK, and Section 328 of POCA makes it an offence for a person to enter into an arrangement they know or suspect facilitates the use of criminal property by another person. Consent for the payment may be required from the Serious Organized Crime Agency, which is determined on a case-by-case basis.

The Terrorism Act 2000 states that a person commits an offence if they know or have “reasonable cause to suspect that it will or may be used for the purposes of terrorism.” Clyde noted that “a shipowner or charterer is unlikely to know or suspect whether an anonymous perpetrator will use the ransom towards terrorist activities, and it will fall on them to satisfy themselves, through due diligence, that there is no reasonable cause to suspect that the money may be used for these purposes”.

Sanctions also needed to be considered. EU sanctions apply to EU nationals and companies, and to all business done in the EU, including activities on a vessel under an EU member state’s jurisdiction.

Under this regime, EU persons and entities are forbidden from making funds available to those listed on the European Sanctions List for Cybercriminals established in May 2019. This includes entities such as WannaCry, NotPetya and Operation Cloud Hopper.

Clyde noted that ransom payments following cyber-attacks were being subject to increased EU scrutiny. It said that ship owners, charterers, or agents subject to ransom payments should take care not to expose themselves to civil and criminal liability by making funds available to those featuring on the EU list of sanctioned entities.

The UK sanctions regime replaced the current EU sanctions regime at 11pm UK time on December 31st 2020, when the Sanctions and Anti-Money Laundering Act 2018 entered fully into force. Although similar to the previous EU regime, Clyde noted that the new UK sanctions regime was not identical. It applies to all UK persons anywhere, to persons within the UK and to anyone conducting activities in the UK with regard to those activities. A global ship manager with a presence in the UK and/or a major charterer/trader based in London would fall under this regime.

A shipowner could be committing an offence by making funds available directly or indirectly to a designated person on the Office of Financial Sanctions Implementation (OFSI) list of sanctioned individuals and entities, unless it could show that it did not know or have reasonable cause to suspect that funds would be made available, directly or indirectly, to such a designated person.

Ransom payments are not a criminal offence in the US, though Clyde noted that care had to be taken not to violate the US sanctions regime. In general, the Office of Foreign Assets Control (OFAC) administered and enforced economic and trade sanctions for the US government. Such sanctions specifically prohibited US persons from making payments to individuals and entities on the Specially Designated Nationals and Blocked Persons (SDN) List. This prohibition included ransom payments, whether for the release of a ship’s crew or in response to illicit cyber demands or events.

With some exceptions OFAC operates a strict liability regime. Clyde said this meant that, although a party might breach sanctions provisions unknowingly, the risk of sanctions enforcement still applied. However, some mitigating circumstances may be considered.

On October 1st 2020 OFAC published its most recent advisory in response to increased malicious cyber-attacks on US-connected systems during the pandemic. That advisory alerted companies to the potential sanctions risks of facilitating ransomware payments to sanctioned entities, and set out the factors considered when determining an enforcement response to an apparent violation.

A non-US person could also be exposed to the US sanctions regime through facilitation of a ransom or ransomware payment or event. If a non-US person causes a US person to violate the sanctions regime, for example by involving a US employee in an SDN-related dealing or by wiring a USD payment (which usually clears through US banks), that non-US person could be liable for a sanctions violation.

Clyde said that a shipping business considering a ransom payment should thus review its US connections.

In addition to the primary sanctions, Clyde noted that secondary sanctions also applied to non-US persons, even those without a US nexus.

“A shipowner should closely verify prospective charterers are not sanctioned to avoid the risk of secondary sanctions, in connection with ransom payments or otherwise”, said Clyde.

Clyde observed that a shipping company caught in a cyber-attack might find itself in the unenviable position of either:

  1. facing the consequences of violating the law and/or sanctions regulations should they pay the ransom or
  2. suffering the consequences of not complying with the perpetrator’s demands.

This could result in systems continuing to be inaccessible, their destruction and/or the public dissemination of sensitive information involving clients, employees and commercial partners, with the collateral risk of litigation from the aggrieved parties. Clyde warned that the risk is high. More than $50m worth of cryptocurrency that victims paid out to ransomware addresses in 2020 had been identified as carrying sanctions risk, nearly all of which was composed of payments to the two ransomware strains Doppelpaymer and WastedLocker.

Clyde said that “shipping companies should be aware of the severe penalties that could ensue from breaching sanctions regulations in order to protect their commercial interests. The fall out could be significant …”

Clyde concluded that ransomware was becoming increasingly sophisticated. Attacks were likely to continue rising in the maritime sector, helped by greater vulnerability following the move toward remote working because of the Covid-19 pandemic.

Clyde said that the legal and regulatory landscape would continue to evolve, as would the list of international sanctions.

Clyde warned that “we cannot discount the possibility that ransomware attacks could be undertaken in parallel with other malicious activities such as hacks of port logistics systems for the purpose of stealing valuable cargo for transportation to a destination of choice”.

It said that hackers could deploy measures in tandem to interfere with a vessel or port equipment leading to physical damage, i.e. remotely shutting off pumps or cooling systems.

At the more extreme end of the scale, the development of autonomous vessels opened up the risk of remote access to a vessel’s controls that could see it hijacked, involved in a collision or even used as a weapon.