MSC Mediterranean Shipping Company Breach Incident Score: Analysis & Impact (GNVMSC1765979891)

In this Rankiteo incident briefing, we review the MSC Mediterranean Shipping Company breach identified under incident ID GNVMSC1765979891.

The analysis begins with a detailed overview of MSC Mediterranean Shipping Company's information like the linkedin page: https://www.linkedin.com/company/msc-mediterranean-shipping-co--s-a-, the number of followers: 1438797, the industry type: Transportation, Logistics, Supply Chain and Storage and the number of employees: 35066 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 793 and after the incident was 779 with a difference of -14 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on MSC Mediterranean Shipping Company and their customers.

MSC-Mediterranean Shipping Company SA (Grandi Navi Veloci unit) recently reported "Russian Military Hackers Suspected in MSC Ferry Cyber Intrusion", a noteworthy cybersecurity incident.

European investigators are probing whether Russian military hackers breached computer systems on a vessel owned by MSC-Mediterranean Shipping Company SA.

The disruption is felt across the environment, affecting Office computer network.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Removal of Raspberry Pi devices, forensic analysis, and began remediation that includes Network segregation, enhanced monitoring, while recovery efforts such as Ferry resumed operations after investigation continue, and stakeholders are being briefed through Limited public disclosure (spokesperson confirmed intrusion attempt).

The case underscores how Ongoing, teams are taking away lessons such as Importance of physical security for onboard networks, network segmentation, and monitoring for unauthorized devices, and recommending next steps like Enhance physical security measures for restricted-access areas on vessels, Improve detection of unauthorized hardware (e.g., Raspberry Pi devices) and Strengthen network segmentation between office and operational systems.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Hardware Additions (T1200) with high confidence (95%), with evidence including raspberry Pi device connected to shipboard system, and second device paired with cellular modem for remote access and Supply Chain Compromise: Compromise Hardware (T1195.003) with moderate to high confidence (80%), supported by evidence indicating concealed miniature computer (Raspberry Pi) discovered in restricted area. Under the Persistence tactic, the analysis identified Account Manipulation (T1098) with moderate to high confidence (70%), supported by evidence indicating attack aimed to impersonate legitimate users on office computer network and External Remote Services (T1133) with moderate to high confidence (85%), supported by evidence indicating cellular modem paired with Raspberry Pi for remote access. Under the Credential Access tactic, the analysis identified Brute Force (T1110) with moderate confidence (60%), supported by evidence indicating attempt to impersonate legitimate users (implies credential compromise). Under the Lateral Movement tactic, the analysis identified Exploitation of Remote Services (T1210) with moderate to high confidence (70%), supported by evidence indicating targeted office network to potentially move to operational systems. Under the Collection tactic, the analysis identified Data from Local System (T1005) with moderate to high confidence (75%), supported by evidence indicating suspected long-term surveillance motive for espionage. Under the Command and Control tactic, the analysis identified Ingress Tool Transfer (T1105) with moderate to high confidence (80%), supported by evidence indicating cellular modem on Raspberry Pi suggests remote command/control. Under the Defense Evasion tactic, the analysis identified Hide Artifacts: Hidden Files and Directories (T1564.001) with moderate to high confidence (85%), supported by evidence indicating concealed Raspberry Pi device in restricted area and Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating attempt to impersonate legitimate users on office network. Under the Reconnaissance tactic, the analysis identified Active Scanning (T1595) with moderate confidence (60%), supported by evidence indicating previous discovery of Raspberry Pi in November suggests reconnaissance. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.