The U.S. Coast Guard is calling on port and terminal operators to self-report if they have been exposed to the massive SolarWinds hack, which compromised the computer networks of about 18,000 public and private sector entities worldwide beginning last spring.

Between March and May 2020, a suspected Russian government-backed actor conducted a so-called “supply chain” attack on the update and patch service of a major networking software company, SolarWinds. The hacking group – likely the Russian SVR intelligence team known as APT29 or “Cozy Bear” – inserted malware into legitimate software updates that SolarWinds distributed for certain versions of its Orion platform, a software suite used by hundreds of thousands of organizations for network administration.

Customers downloaded these updates, malicious code included, and unknowingly infected their own systems. The breach was not publicly disclosed until December 2020, when cybersecurity contractor FireEye found that its own systems had been hacked and traced the origin to a SolarWinds update.

“The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security,” FireEye concluded.

According to an incident response command organized by the FBI, CISA, ODNI and NSA, the attack was likely an intelligence-gathering effort rather than an attempt at disruption or destruction. Out of the thousands of systems exposed, the authorities believe that only a small number were targeted by the hackers for follow-on intrusion and exploitation. High-profile victims included the U.S. Treasury Department, NATO, the government of the United Kingdom and Microsoft.

The victims could also include port facilities regulated under the Maritime Transportation Security Act (MTSA), and the Coast Guard is calling on any potentially affected port sector organizations to report a breach of security if they use the affected software or observe similar effects. Even if a port operator does not use SolarWinds Orion, it could be impacted through third-party networks, services, and vendors that do, the Coast Guard warned. Any MTSA facility operator is legally required to make a report if:

– their IT staff downloaded one of the trojanized SolarWinds Orion updates; or
– any system with a critical security function shows signs of compromise by similar tactics, techniques, and procedures.

Few compromised systems have been deliberately targeted and exploited, but the risk is real, according to the federal response command. “This threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” said CISA in a statement.

Source: The Maritime Executive