• Tuesday, July 24

  News breaks of cyberattack on US operations

  COSCO acknowledges a network issue @ 1 p.m. (COSCO)

  “We regret to inform you that our local network and systems in US are breakdown, and some email boxes are not available now,” the carrier wrote in a customer advisory.

  Systems in other regions of the world, vessel operations and terminal operations remained “as normal,” however. COSCO asked customers to submit booking requests through its website’s e-commerce function or use one of about 40 temporary email addresses to communicate with representatives.

  COSCO suggests attack is limited to U.S. @ 3:29 p.m. (Press Telegram)

  Fears of a worst-case scenario subside as the Long Beach Press Telegram writes the terminal remains operational, although COSCO’s U.S. website and toll-free number were shut down.
  
  The first mention of a “ransomware” attack emerges. “A spokesman for the Shanghai-based company, which acknowledged the ransomware attack Tuesday, said the company’s operations outside the United States were not affected,” writes Mark Edward Nero for the Press Telegram.

• Wednesday, July 25

  Details emerge, revealing an Americas-wide problem

  COSCO publishes a customer advisory @ 4:56 a.m. (COSCO)

  Less than a day after the first notice, COSCO recognized the problem originated “within our America regions,” and could extend further.
  
  “For safety precautions, we have shut down the connections with other regions for further investigations,” the customer advisory reads. “We are glad to inform you that we have taken effective measures. Except for above regions affected by the network problem, the business operation within all other regions will be recovered very soon.”

  Media reports of attack accelerate, but details remain sparse

  • COSCO US hit by cyberattack (Splash 24/7)
  • 10:55 AM | Cosco Reports Cyberattack at its U.S. Operations (Maritime Executive)
  • 11 AM | Ransomware attack hits COSCO in US (Supply Chain Dive)
  • 3:55 PM | China’s Cosco Shipping Hit by Cyberattack in U.S. (The Wall Street Journal)
  • COSCO responds to media claims on Twitter
    • “Despite some recent media reports, neither our Long Beach terminal at Pier J nor our COSCO Shipping UK offices have been affected by the network breakdown.” – @COSCOSHPGLines at 11:15 a.m.
    • “Pacific Container Terminal (PCT) is operating smoothly and has not been affected by the network breakdown. Our Long Beach customer service center (COSAG), however, has been adversely affected.” – @COSCOSHPGLines at 11:28 a.m.

• Thursday, July 26

  All hands on deck to reach customers, control impact

  COSCO: Impact of cyberattack has been contained to Americas  @ 6:45 a.m. (COSCO)

  In an update to its customer advisory, COSCO said it had taken “proactive measures to isolate internal networks” and carried out inspections on a global scale.
  
  “With the reliable confirmation from the technical experts that the networks in all other regions are secure, the network applications were recovered” at 4:00 a.m. on July 25, the carrier wrote.
  
  Problems in the Americas were still being investigated, and fixed, however. “During this network failure period, there could be delays in service response in the Americas,” said COSCO.

  Carrier accelerates social media outreach to route service requests

  As part of its contingency plan, COSCO takes advantage of social media to reply directly to Facebook comments and tweets regarding its service issues.

  Hi James, each region was isolated from the global Shanghai server after the breakdown in the Americas. After confirmation "all was secure" yesterday afternoon, each region reconnected and are resuming phase by phase.

  — COSCO SHIPPING Lines (@COSCOSHPGLines) July 26, 2018

  COSCO posts first FAQ, detailing broad extent of problem (FAQ)

  The detailed document reveals the “Americas” problem extends beyond the U.S. to Canada, Panama, Argentina, Brazil, Peru, Chile and Uruguay, with varying degrees of disfunction.

  It also reveals it cannot take hazardous or specialist cargo in Panama and Peru, and details specific emails to address various business functions per region.

• Friday, July 27

  Shippers receive more details, targeted guidelines

  Network applications begin to recover ‘gradually,’ according to notice @ 9 a.m. (COSCO)

  COSCO says it recovered its Americas network applications – which include electronic data connections with customs, terminals and railways in North America – as of 12 p.m. on July 26.
  
  “Currently, global network of COSCO SHIPPING Lines is running stably and safely. The network applications in the Americas are being recovered gradually,” the carrier wrote.  “We are now taking further security measures to recover local email service.”

  COSCO makes it a habit to update its FAQs upon each change in status.

  By July 30, there would be three general versions of the FAQ, and six versions of a U.S.-specific document.

  Los Angeles and Long Beach port customers receive special advisory @ 11 a.m. (COSCO)

  Shippers are asked to resend any emails sent prior to the network problem to a new set of email addresses. “These emails would be used until the network problem is solved,” the advisory reads.

  COSCO updates Rail Ramp Storage and Per Diem Policy @ 7:20 p.m. (COSCO)

  The carrier extended the timeframes on these two fee policies to accommodate delays caused by its network failure, as it showed more activity on its U.S. operations.
  
  The U.S. website remained offline, but attempts to reach it now redirected to a separate webpage with dedicated advisories.

• Monday, July 30

  COSCO (mostly) restores service

  Network applications in Americas are ‘fully recovered’ @ 1:58 a.m. (COSCO)

  “All communication channels including telephone, email, and electronic data exchange have been restored,” a new update read. “We are working at a full stretch to process all the service requests received previously, and the service response is expected to be back on track within this week.”

  Except for Los Angeles / Long Beach … @ 4:15 p.m. (FAQ)

  The sixth version of the U.S. specific FAQ revealed COSCO would still use its Yahoo contingency email for service in the country’s largest port complex.
  
  “Our company customer service email is back to normal except LA/LGB,” the FAQ wrote. “Under the premise of ensuring network security, www.cosco-usa.com has not yet open,” it added.

  Details on the type of cyberattack remain scarce (Facebook Post)

  Although reports suggest the attack was induced by ransomware, COSCO has publicly released few details from its investigation.
  
  In a comment on the carrier’s Facebook page, Matt Webster, a purported customer asked “what was the cause and type of the incident? If ransomware then what type and is the source known?”
  
  COSCO replied: “Thank you for your comment. This type of information will not yet be released. Thanks for your understanding and patience.”

Takeaways from the 5-day sprint

The way COSCO handled its cyberattack may serve as a lesson, in future cases. Details remain sparse, but the record shows a 5-day sprint to activate contingency plans and keep customers aware of solutions.

Some hiccups occurred, but that is to be expected with a cyberattack, Keith O’Byrne, head of solutions at supply chain cybersecurity firm Asavie, told Supply Chain Dive.

"Incident response is a challenging field — if services are restored quickly, it's legitimate to ask why they were impacted in the first place,” O’Byrne wrote in an email. “Equally, there is the question as to whether malware or infection has been truly purged. InfoSec teams can face huge pressure to ‘just get it back working’.”

That some services remain down points to a “better scenario — COSCO’s services are being brought back on a phased basis,” he said. “In the absence of insider information, this is a sign that a methodical approach is being followed.”