200-300  million  for  Q3  2017.17  More  specifically,  navigation  systems  such  as  the  Electronic  Chart
            Display (ECDIS) are very vulnerable and have also been hit with different attacks being reported in Asia.
            According to the maritime technical lead at cyber security firm NCC Group, "Ecdis systems pretty much
            never have anti-virus".18




            Pyongyang Hackers are Smart

            Both of the military vessels involved in collisions, the USS Fitzgerald and the USS John S. McCain, are
            guided missile destroyers equipped with the Aegis Ballistic Missile Defense System (BMDS), which is a
            system allowing the interception of an ICBM (Intercontinental Ballistic Missile), the ones that are currently
            being tested by North Korea and usually equipped with one or multiple nuclear warheads. An ICBM has
            four phases: boost, post-boost/ascent, midcourse and terminal (reentry in the atmosphere). The Aegis
            BMDS aims at destroying an ICBM during the post-boost/ascent phase (before the missile leaves earth’s
            atmosphere).

            The Lazarus hacking group, famous for the Sony breach in 2014 and allegedly linked to North Korea,
            targets individuals associated with U.S. defense contractors with the same tools and tactics of the Sony
            breach. This time, the phishing emails display fake job listings and companies’ internal policies.19 Some
            jobs listed were for the US (Terminal High Altitude Area Defense) THAAD system, which is a BMDS and
            intercept an ICBM in its terminal phase (after the missile re-enters in the atmosphere).

            Therefore, if the four U.S. Navy collisions in Asian waters are due to a cyberattack, the explanation could
            be that the North Korean government is attempting to infiltrate the U.S. military system to be able to
            collect information on the full spectrum of BMDS and, at best, disrupt the defense systems against its
            ICBM. On the diplomatic side, it could be a strong message sent to the US and its Asian allies assuring
            them that Pyongyang has serious capabilities and that it would be better to negotiate with it than escalate
            tensions.

            This strategy is part of a general trend in APT (Advanced Persistent Threats), long-term targeted specific
            cyberattacks  mixing  a  combination  of  social  engineering,  cyberweapons,  and  vectors  to  get  inside
            networks, instead of hacking directly the big fish such as the Department of Defense or a big player in
            weapons (Aegis, Boeing, Lockheed Martin, etc.), hackers will target a third party working for these targets.
            Indeed,  their  cybersecurity  posture  will  be  lower  than  a  critical  administration  or  company  with
            technologies  and  processes  in  places  regarding  cyberdefense,  and  with  aware  employees  towards
            phishing campaigns.




            17  MIMOSO Michael. “MAERSK Shipping Reports $300M Loss Stemming from NotPetya Attack”, Threatpost, Aug 16, 2017
            https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/
            18  BARANIUK Chris. “How hackers are targeting the shipping industry”, BBC, Aug 18, 2017
            http://www.bbc.com/news/technology-40685821

            19  BARTH Bradley. “Lazarus Group tied to new phishing campaign targeting defense industry workers”, SC Media, Aug 14, 2017
            https://www.scmagazine.com/lazarus-group-tied-to-new-phishing-campaign-targeting-defense-industry-workers/article/681701/



            Cyber Defense eMagazine –July 2020 Edition                                                                                                                                                                                                                         89
            Copyright © 2020, Cyber Defense Magazine.  All rights reserved worldwide.