Greek Firms Scan Computer Systems as Iran War Raises Cyberattack Risks, Sources Say

Greek shipowners and other companies are scanning their computer systems for evidence of cyberattacks after advice from the National Cybersecurity Authority, two sources said on Wednesday following incidents that have been linked to the Iran war.

The authority last week sent an advisory, seen by Reuters, to security officers of shipping companies, banks and firms in the transport, telecommunications, health and energy sectors, a source at the authority said, adding that the move was pre-emptive.

An Iranian-linked hacking group claimed responsibility on March 11 for a cyberattack on U.S.-based medical device and services provider Stryker, according to messages posted to the group’s Telegram channel.

Albania has also confirmed a cyberattack on the digital infrastructure of its parliament last week that local media said was by the Iran-linked, self-styled “Homeland Justice” group.

Greek Advisory Urges Scans

The Greek advisory, marked “high-priority,” urged firms to perform the scans and inform security officers of a confirmed incident that affected a “large international organization” abroad. It did not name it.

It listed indicators of possible compromise, including IP addresses, tools and malware, such as the VShell Remote Access Trojan. Anyone finding evidence of attack should immediately review their systems and block those IPs, it said.

Two separate sources said at least two shipping companies have received the warning. Electronic interference with commercial ship navigation systems has surged in recent days around the Strait of Hormuz and the wider Gulf.

All the sources asked not to be named because they were not authorized to speak to the media.

The first two said Greece had yet to find evidence of a significant attack, although one of them said “some sort of activity” had been tracked.

The Greek advisory said an investigation into the confirmed incident had pointed to an unidentified, sophisticated threat actor using two layers of infrastructure to scan activity, attempt unauthorized access, host malware or run command-and-control mechanisms and avoid being traced.

The second source said that some of the IP addresses listed in the Greek advisory originated from Iran.

(Additional reporting by Fatos Bytyci in Pristina; Editing by Barbara Lewis)