Elisabeth Braw is a senior fellow at the Atlantic Council, the author of the award-winning “Goodbye Globalization” and a regular columnist for POLITICO.
According to a new report, a Chinese hacker group has been targeting European shipping companies.
Mustang Panda is hardly the cuddly outfit its name suggests — on the contrary, it’s a state-linked hacker group that has a long history of targeting Western governments and nonprofits, including diaspora groups and religious organizations in Vietnam, Mongolia and countries across Europe.
It’s clear why China wants to know what foreign governments and NGOs are up to. But spying on shipping companies?
However, that, too, makes sense. How Western shipping lines strategize now that they’re consistently targeted by the Houthis — while Chinese vessels are not — is of great interest to Beijing.
In May, several cyber threat firms sounded the alarm: Shipping companies in Norway, Greece and the Netherlands had been targeted by Mustang Panda. Using infected USB sticks on vessels owned or operated by these European companies, the cyber group — which also goes by other names, including Bronze President — had gained access to the ships’ computers and networks.
“We haven’t seen this in the past,” Robert Lipovsky, principal threat intelligence researcher at the Slovak cyber intelligence firm ESET, told NBC News. “It shows a clear interest in this sector. This was not a single occurrence. These were several distinct attacks at different, unrelated organizations.”
Back in January, you’ll recall, it had become clear that vessels linked to Western countries were in serious trouble in the Red Sea. The Houthis had expanded their attacks, which had initially only targeted vessels that the militia considered to be linked to Israel. Then, when the U.S. and Britain began conducting missile strikes against Houthi-held territory, the group expanded its attacks to also target ships they considered to have U.S. and British ties (though the militia is never very precise with its due diligence).
Indeed, by January, lots of other Western-linked vessels had been struck too, including a Norwegian one. So, one after the other, Western shipping lines announced they were rerouting some or all of their vessels away from the Red Sea and to the much longer Cape of Good Hope route. Chinese and Russian vessels, meanwhile, were spared by the Houthis— except for the occasional mistargeted missile.
This rerouting was necessary, but it’s also a logistically complex undertaking. Not only does such an extended alternative route mean some 10 to12 more days of travel; it also means getting crews and cargo to alternative ports, and those ports lack capacity to deal with such a sudden influx of traffic. Several are severely overstretched.
Overall, the Houthi campaign has been good for Chinese shipping lines and awful for Western ones. Indeed, global customers may well conclude that in a geopolitically fraught world, it’s safer to rely on Chinese ships than Western ones because the West has no proxies to launch missile campaigns against Chinese merchant vessels.
Amid all this, how Western shipping lines are coping, and how they’re trying to minimize harm and disruption to their operations, is of great interest to the Chinese state. Mustang Panda, for its part, isn’t just any government-linked cyber-intrusion outfit. It’s been known to spy on foreign governments, companies, NGOs and diaspora groups — it’s even hacked Indonesia’s intelligence agency and the African Union’s headquarters.
I’ve read the advisory provided by one of the other cyber-threat firms that raised the alarm about Mustang Panda. In the advisory, the firm describes how the outfit has been tricking ship officers into clicking on a file that looks like a folder but is, in fact, an infected document. The firm advises ship crews to regularly scan USB sticks using different software and to only use USB sticks that have been approved.
But the presence of these infected sticks also raises an obvious question: How did they get onto these Norwegian, Greek and Dutch vessels in the first place? Did someone bring them there, and if so, who? Random outsiders don’t have access to ship bridges. Or did Mustang Panda infect USBs already in use?
The origins of these USB sticks will have to be investigated, but the first point of order — for all Western shipping lines — is to recognize that they’re not just accidental targets but intended ones.
Just a few years ago, global shipping was still accepted as neutral, and with good reason: Every nation on the planet benefits from ships being able to ferry goods around the world. Indeed, there’s no sector more international and transnational than shipping, and that’s why the world’s nations have spent decades building a system that allows vessels to traverse the world’s oceans unharmed.
Unfortunately, China’s intrusion now means Western shipping lines must make sure their crews aren’t just masters of the ocean, prepared for unexpected attacks from increasingly well-armed militias like the Houthis: the crews also need to understand the world of state-linked espionage.
As hostile states and their proxies (as the Houthis are) decide shipping lines are now fair game, spare a thought for the seafarers and logisticians making sure we get our goods under increasingly challenging conditions.