In early 2024, Mustang Panda, a state-sponsored threat actor, executed a targeted cyber campaign against European cargo shipping firms in Norway, Greece, and the Netherlands using Korplug malware loaders. The attack vector involved malicious USB drives with deceptive filenames, exploiting human error to infiltrate systems. While some malware samples were detected and blocked by security measures, others evaded detection through altered signatures and DLL hijacking techniques, allowing persistent access. The compromise disrupted operational integrity, with potential risks including unauthorized data access, supply chain interference, and financial fraud, though the article does not confirm large-scale data exfiltration or ransom demands. The attack also revealed tactical overlaps with CeranaKeeper, another APT group using distinct tools such as TONESHELL, suggesting shared infrastructure but independent operations. The incident underscores vulnerabilities in maritime logistics, where third-party USB devices and legacy system dependencies create exploitable gaps. No public reports confirm customer data breaches, ransomware deployment, or critical infrastructure damage, but the intrusion poses reputational harm, regulatory scrutiny, and potential financial losses from remediation and downtime.
TPRM report: https://www.rankiteo.com/company/supercargo-shipping-&-forwarding-ltd
"id": "sup501092125",
"linkid": "supercargo-shipping-&-forwarding-ltd",
"type": "Cyber Attack",
"date": "6/2024",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'logistics/transportation',
                        'location': ['Norway', 'Greece', 'Netherlands'],
                        'type': 'cargo shipping company'}],
 'attack_vector': ['USB-based malware (Korplug loaders)', 'DLL hijacking'],
 'date_detected': 'early 2024',
 'description': 'Mustang Panda, a threat actor, targeted cargo shipping companies in Europe in early 2024 using Korplug loaders. These loaders, dropped from USB drives with suspicious filenames, compromised systems in Norway, Greece, and the Netherlands. Some malware samples were blocked, but others had altered signatures and utilized DLL hijacking. The group also shares similarities with CeranaKeeper, which uses different tools like the TONESHELL backdoor. Both may have overlapping resources but operate independently.',
 'impact': {'systems_affected': ['systems in Norway',
                                 'systems in Greece',
                                 'systems in the Netherlands']},
 'initial_access_broker': {'backdoors_established': ['Korplug loaders',
                                                     'TONESHELL backdoor (CeranaKeeper)'],
                           'entry_point': 'USB drives with suspicious filenames',
                           'high_value_targets': ['cargo shipping companies']},
 'investigation_status': 'ongoing (as of early 2024)',
 'motivation': ['cyberespionage', 'intelligence gathering'],
 'post_incident_analysis': {'root_causes': ['USB-based malware deployment',
                                            'DLL hijacking']},
 'recommendations': ['monitor USB-based threats',
                     'detect DLL hijacking attempts',
                     'investigate potential overlaps between Mustang Panda and CeranaKeeper'],
 'response': {'containment_measures': ['blocking of some malware samples']},
 'threat_actor': ['Mustang Panda', 'CeranaKeeper (potential overlap)'],
 'title': 'Mustang Panda Cyber Attack on European Cargo Shipping Companies (2024)',
 'type': ['cyberespionage', 'malware attack']}