GNV Breach Incident Score: Analysis & Impact (GNVMSC1765979891)

In this Rankiteo incident briefing, we review the GNV breach identified under incident ID GNVMSC1765979891.

The analysis begins with a detailed overview of GNV's information like the linkedin page: https://www.linkedin.com/company/gnvferries, the number of followers: 48292, the industry type: Maritime Transportation and the number of employees: 1720 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 767 and after the incident was 743 with a difference of -24 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on GNV and their customers.

MSC-Mediterranean Shipping Company SA (Grandi Navi Veloci unit) recently reported "Russian Military Hackers Suspected in MSC Ferry Cyber Intrusion", a noteworthy cybersecurity incident.

European investigators are probing whether Russian military hackers breached computer systems on a vessel owned by MSC-Mediterranean Shipping Company SA.

The disruption is felt across the environment, affecting Office computer network.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Removal of Raspberry Pi devices, forensic analysis, and began remediation that includes Network segregation, enhanced monitoring, while recovery efforts such as Ferry resumed operations after investigation continue, and stakeholders are being briefed through Limited public disclosure (spokesperson confirmed intrusion attempt).

The case underscores how Ongoing, teams are taking away lessons such as Importance of physical security for onboard networks, network segmentation, and monitoring for unauthorized devices, and recommending next steps like Enhance physical security measures for restricted-access areas on vessels, Improve detection of unauthorized hardware (e.g., Raspberry Pi devices) and Strengthen network segmentation between office and operational systems.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Hardware Additions (T1200) with high confidence (95%), with evidence including raspberry Pi device connected to shipboard system, and second device paired with cellular modem for remote access and Supply Chain Compromise: Compromise Hardware (T1195.002) with moderate to high confidence (80%), supported by evidence indicating concealed miniature computer (Raspberry Pi) discovered in restricted area. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.001) with moderate to high confidence (70%), supported by evidence indicating attack aimed to impersonate legitimate users on office computer network and Server Software Component: Web Shell (T1505.003) with moderate confidence (60%), supported by evidence indicating cellular modem paired with Raspberry Pi suggests remote access capability. Under the Lateral Movement tactic, the analysis identified Exploitation of Remote Services (T1210) with moderate to high confidence (70%), supported by evidence indicating attempt to penetrate operational systems from office network. Under the Defense Evasion tactic, the analysis identified Hide Artifacts: Hidden Files and Directories (T1564.001) with moderate to high confidence (85%), supported by evidence indicating concealed Raspberry Pi device discovered in restricted area and Valid Accounts: Local Accounts (T1078.003) with moderate to high confidence (70%), supported by evidence indicating impersonation of legitimate users on office computer network. Under the Collection tactic, the analysis identified Data from Local System (T1005) with moderate to high confidence (70%), supported by evidence indicating office computer network targeted for surveillance or long-term infiltration. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating cellular modem paired with Raspberry Pi for remote access. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with moderate to high confidence (70%), supported by evidence indicating motivation includes espionage and long-term surveillance. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.