The Hackers Inside Your Supply Chain

Two recent reports highlight the growing threat of cyber-terrorism to supply chains. First, the United States Government Accountability Office (GAO) issued a report last month focused on the need for better port cybersecurity. Here are some excerpts from the report:

U.S. maritime ports handle more than $1.3 trillion in cargo annually. The operations of these ports are supported by information and communication systems, which are susceptible to cyber-related threats. Failures in these systems could degrade or interrupt operations at ports, including the flow of commerce. Federal agencies—in particular DHS—and industry stakeholders have specific roles in protecting maritime facilities and ports from physical and cyber threats.

While the Coast Guard initiated a number of activities and coordinating strategies to improve physical security in specific ports, it has not conducted a risk assessment that fully addresses cyber-related threats, vulnerabilities, and consequences. Coast Guard officials stated that they intend to conduct such an assessment in the future, but did not provide details to show how it would address cybersecurity. Until the Coast Guard completes a thorough assessment of cyber risks in the maritime environment, the ability of stakeholders to appropriately plan and allocate resources to protect ports and other maritime facilities will be limited.

Criminals are already taking advantage of this vulnerability. Last month, for example, Dutch and Belgian authorities arrested a dozen suspects accused of smuggling drugs through the harbor of Antwerp to the Netherlands by using hackers to access the computer systems of harbor companies and container terminals. According to a report by Europol:

Using hackers, the criminals took control of the computers of two container terminals and of a harbor company. The approach was twofold:

  • Classic intrusion by sending mails with attachments containing Trojans to staff members;
  • Breaking into offices to install key logging devices to capture passwords.

Once the computers were under their control, the group could follow “their” container and upon arrival, unload it to a location and at a time of their choosing. This in return enabled the criminal group’s drivers to access the container before the normal harbor staff would.

The second report, issued by TrapX Security, is even more troubling because it hits closer to home — that is, the warehouses and IT systems of manufacturers, retailers, and logistics service providers. Simply put, hackers are embedding malware in handheld barcode scanners made in China to steal supply chain information and infiltrate enterprise systems. An article in summarizes the report findings; here are a couple of excerpts:

“The attackers were exfiltrating all [stolen information] to a database,” says Carl Wright, general manager of TrapX. “They are very focused on manifests — what’s in it, what’s the value of it.” 

The botnet then sends the scanner a second piece of malware that targets the victim’s corporate financial, customer, shipping, and manifest information. “That was able to take control of the ERP [enterprise resource planning] system,” he says. This would, among other things, allow the attacker to make a package “disappear” or “reappear,” he says. The attack targets a specific, major ERP system, says Wright, who declined to reveal the name of the product due to an investigation into the attacks.

As I’ve written many times before, when it comes to supply chain risk management, many companies are falling short. The sooner companies embed supply chain risk management within their corporate DNA, the sooner they’ll be able to adequately address this growing threat of cyber-terrorism. Mitigating the threat will also require greater collaboration between the IT and supply chain functions, not only within companies, but across all stakeholders in global supply chains. As the examples above illustrate, criminals and terrorists are already on the offensive — and their actions will only intensify in the months and years ahead.