Port of Nagoya continues its recovery from ransomware.
The CyberWire, Jul 6, 2023

The ransomware attack has been claimed by LockBit 3.0.

The Port of Nagoya resumed some container operations Thursday as it restored normal services in the course of recovering from Tuesday's ransomware attack. Bloomberg reports that five terminals are returning to operation.

LockBit 3.0 claims responsibility.

The Japan Times quotes the Nagoya Harbor Transportation Association as saying that LockBit 3.0, the well-known Russian ransomware gang, has issued a ransom demand, thereby claiming responsibility for the disruption. Tech Monitor notes that LockBit 3.0, a ransomware-as-a-service (RaaS) gang, has been unusually active over the past week. Its other victims include Taiwanese chip maker TSMC as well as a range of organizations in the Netherlands, Spain, Canada, and the US. The amount LockBit 3.0 has demanded remains unknown.

A threat to critical infrastructure.

Roy Akerman, Co-Founder and CEO of Rezonate, draws a lesson from the attack about the current, ongoing risk to critical infrastructure. “Critical infrastructure remains a key concern as the risk of business disruptions impacts millions of people and businesses dependent on goods shipped in and out of the Nagoya port daily. The Nagoya port is a good reminder that critical infrastructure is at constant risk and nations need to protect and apply the best of breed technologies to prevent, detect and quickly respond and, as in this case, instantly recover operations.”

Duncan Greatwood, CEO of Xage Security, wrote, “The recent ransomware attack on Japan’s largest port, the Port of Nagoya, is yet another example of cyber threats targeting critical infrastructure across the globe. The port delivers essential goods like cars, food, and household appliances, all now stuck at the port. With ransomware strain LockBit 3.0 responsible for this attack and for 21% of 189 ransomware attacks detected against critical infrastructure in Q4 2022, security should be top of mind for all within the supply chain today.”

He commented on the probable locus of the attack’s effects. “While details are still emerging, it appears the attack disrupted the operation, or at least the management, of the shipping terminals themselves – the dockside systems that transfer containers between ships, trucks, and trains. This could have been a direct attack on cyber-physical systems at the dockside, IT systems that control the cyber-physical dockside environment, or a combination of both.”

And he draws some lessons for resilience from the incident. “The fact that the whole port was taken offline suggests a lack of cyber resilience. This can be addressed by adopting a more decentralized and zero-trust cyber protection approach. By protecting individual identities in both cyber-physical and IT systems, operators can avoid losing all capabilities simultaneously even when hackers successfully penetrate operational environments.” 

Cyberattacks threaten physical supply chains.

Nick Tausek, Lead Security Automation Architect at Swimlane, wrote, “This ransomware attack on the Port of Nagoya in Japan demonstrates just how easily cyberattacks can impact the global supply chain and lead to significant financial losses. In this case, the port has completely halted operations that control 10% of Japan's total trade volume and is leveraged by major Japanese organizations.” He advises close attention to best practices as an approach to reducing this particular risk. “To prevent ransomware attacks such as the one on the Port of Nagoya from further disrupting the supply chain and halting crucial shipping processes, organizations must ensure cybersecurity best practices remain top-of-mind. Security automation tools, especially those that leverage low-code principles, can accelerate security teams’ capabilities to keep pace with the evolving threat landscape, especially as threat actors continue to adopt their own automation techniques to target critical infrastructure. Using these tools lessens the burden on security operations so they can focus on critical alerts, ultimately keeping crucial businesses and their correlating operations up and running without disruption.”

The particular threat of ransomware.

Ransomware is no longer simply a threat to data. Ransomware operators now seek to exact whatever pain they can from their victims. In an infrastructure target, the attacks will directly disrupt operations. 

James McQuiggan, security awareness advocate at KnowBe4, cautions that ransomware can be expected to remain a threat over the long-term: “The ever-evolving, persistent threat of ransomware attacks emphasizes the continued need for organizations to implement a proactive and comprehensive approach to cybersecurity,” he wrote. “As organizations increase the interconnectivity of critical systems and the potential implications of disruptions, it becomes clear that relying solely on reactive measures is no longer sufficient. Businesses and governments must stay ahead of cybercriminals by investing in advanced threat detection technologies, regularly assessing vulnerabilities, and fostering a solid cybersecurity culture within their organizations.”

Carol Volk, EVP at BullWall, agrees that ransomware now amounts to a pervasive threat – “inevitable,” as she puts it. “Ransomware attacks like the recent one on the Port of Nagoya have become inevitable. The expanding digital landscape provides more entry points for hackers, while the potential financial gains make these attacks lucrative. As a result, companies must prepare their cyber defenses, including ransomware containment,” she wrote in emailed comments. “Such a system can detect and mitigate attacks early, minimizing damage and disruption. Organizations should also prioritize regular backups, strong security measures, employee training, and incident response plans. By acknowledging the inevitability of ransomware attacks and taking proactive measures, businesses can enhance their resilience and safeguard critical systems, before the attack comes for them.”

Itay Glick, VP of Products at OPSWAT, wrote with a more detailed appreciation of LockBit 3.0:

“LockBit 3.0, also known as LockBit Black, represents a new era of ransomware sophistication. The Cybersecurity and Infrastructure Security Agency (CISA) had previously warned about its modular and evasive nature, drawing similarities with other notorious ransomware variants such as Blackmatter and Blackcat. This evolving threat gains initial access to victim networks through various means, including remote desktop protocol (RDP) exploitation, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications. 

“Once inside the network, LockBit 3.0 poses a significant risk to critical operations. It has the capability to propagate and disrupt systems, leading to operational technology (OT) failures or intentional shutdowns by security teams to prevent further damage.

“In the face of this evolving threat landscape, organizations need robust solutions to defend against ransomware attacks like LockBit 3.0. Zero-trust solutions and prevention-based technologies play a crucial role in enhancing overall resilience against these threats, and should include a full set of cyber security capabilities, starting from advanced email security to block phishing attempts, zero trust network access solutions, to securely allow remote access, and finally an endpoint security management solution that makes sure devices are in compliance with no vulnerabilities preventing lateral movement by the threat actor.”