Athens, Greece. Greek shipowners and other companies are scanning their computer systems for signs of cyberattacks after guidance from the National Cybersecurity Authority, sources said on Wednesday following incidents linked to the Iran war.
High-priority advisory to multiple sectors
The authority last week sent an advisory to security officers of shipping companies, banks and firms in the transport, telecommunications, health and energy sectors, according to a source at the authority, who said the move was pre-emptive.
The advisory, marked “high-priority”, urged firms to conduct scans and inform security officers of a confirmed incident affecting a “large international organisation” abroad, without naming it.
Indicators of compromise and recommended actions
The advisory listed indicators of possible compromise, including IP addresses, tools and malware such as the VShell Remote Access Trojan. It said anyone finding evidence of an attack should immediately review their systems and block the listed IP addresses.
Incidents referenced in the warning
An Iranian-linked hacking group claimed responsibility on March 11 for a cyberattack on U.S.-based medical device and services provider Stryker, based on messages posted to the group’s Telegram channel.
Albania has also confirmed a cyberattack on the digital infrastructure of its parliament last week, which local media said was carried out by the Iran-linked group calling itself “Homeland Justice”.
Shipping sector alerted amid rising interference reports
Two separate sources said at least two shipping companies have received the warning. They also said Greece had yet to find evidence of a significant attack, although one said “some sort of activity” had been tracked.
Electronic interference with commercial ship navigation systems has surged in recent days around the Strait of Hormuz and the wider Gulf.
Threat actor described as sophisticated
The advisory said an investigation into the confirmed incident indicated an unidentified, sophisticated threat actor used two layers of infrastructure to scan activity, attempt unauthorised access, host malware or run command-and-control mechanisms while avoiding detection.
All sources requested anonymity because they were not authorised to speak to the media.
How is your organisation verifying and responding to indicators of compromise mentioned in official cybersecurity advisories?