LockBit has successfully attacked Eastern Shipbuilding Group in the US. The news came days after law enforcement in the UK and US claimed to have seized LockBit’s infrastructure. The attack is being described as “a dire situation that could have far-reaching implications for national security” by ThreatHunter.AI.

James McMurry, CEO of ThreatHunter (Image Credit: James McMurry)

ThreatHunter CEO James “Jim” McMurry and David Maynor published details of the attack. A screenshot shows that LockBit has given Eastern Shipbuilding until 20:37 UTC on Friday 1st March to pay a ransom. Given the deadline, it is likely that this attack was triggered after the UK and US claimed control of LockBit.

The attack compounds existing problems for Eastern Shipbuilding Group, which did not respond to a request for comment. As the article points out, the company is currently rebuilding its shipyard after it was hit by a hurricane that caused significant damage. Now it has a major ransomware problem that will cost it more money, delay its getting back on schedule and create more problems for the US Coast Guard.

Another cybersecurity attack on US military shipbuilders

In December, Austal USA was hit by ransomware according to cybercrime gang Hunters International. It and Eastern Shipbuilding Group are the two main bidders for a number of US Navy and US Coast Guard vessels. It means that both companies have access to a lot of classified material that has serious implications for US national security.

There will be serious concerns as to what data has been exfiltrated from both companies. Attention will be paid to the levels of encryption and protection of the data and whether encryption keys were compromised. Even if they weren’t, there will have to be an assessment as to what the future risks are to the encrypted data.

Of equal concern is that both companies are certified Department of Defense (DoD) contractors. That means they are both required to use the Cybersecurity Maturity Model Certification (CMMC). Being a signatory to the program should mean that the cybersecurity controls that organisations have in place will prevent an attack. In both cases it has not.

It is likely that there will now be a detailed review of CMMC, how it is implemented, audited and verified. All US DoD contractors will now be preparing for additional controls and workloads.

Program delays impact US Naval effectiveness

McMurry highlights the role of Eastern Shipbuilding Group in building vessels for the United States Coast Guard’s (USCG) Offshore Patrol Cutter (OPC) fleet. It has been the winner of a number of key contracts for the OPC fleet.

In October 2016 it signed a $110.3 million contract to build the first Offshore Patrol Cutter, with an option to purchase eight additional cutters. The first of these was delivered in 2022. If all the vessels are built, this is a deal worth up to $10.5 billion.

He says, “the OPC program, critical to the USCG’s mission of securing America’s maritime interests, is at risk. Eastern’s pivotal role in building these cutters means any delay or compromise not only sets back the timeline for renewing the Coast Guard’s aging fleet but also potentially leaves gaps in the nation’s defense posture.”

The problem for the USCG is that Austal was already heavily involved in a large number of programs including the OPC. The question now is where else can the USCG turn to get its shipbuilding program back on track? Just as importantly, even if it finds other shipyards that are CMMC certified, can it trust they are secure?

One winner from this could be Bollinger Shipyards. It has just delivered the last of the USCG Sentinel Fast Response Cutter (FRC) Patrol Boats that are based in Bahrain. It currently has a contract to deliver 11 Heritage-class OPCs. But does it have the capacity to take over from Eastern Shipbuilding without any impact on other programs? If so, it will secure the shipyard for decades to come.

Enterprise Times: What does this mean?

Military suppliers are a prime target for foreign cybercrime groups, many of whom are funded by military intelligence communities. Even where they are not, the information they have exfiltrated is likely to be bought by those same communities.

There are multiple challenges. For Eastern, it needs to prove it hasn’t lost data and prove it can be trusted. That will take time and money which, with everything else, will stretch its resources.

For the USCG and wider defence community, McMurry says, “this crisis highlights the need for a robust and adaptive approach to cybersecurity, one that goes beyond compliance to embrace continuous vigilance, threat intelligence sharing, and rapid response capabilities.”

What remains to be seen, however, is what impact this will have on the OPC program.

