Breach Notification , Critical Infrastructure Security , Cybercrime as-a-service

CISA Director: Attackers Targeted Port of Houston

Jen Easterly Offered Details of Investigation That Led to Joint Security Alert
CISA Director: Attackers Targeted Port of Houston
Port of Houston (Photo: Christopher Ebdon via Flickr/CC)

During testimony before a U.S. Senate committee hearing Thursday, Cybersecurity and Infrastructure Security Agency Director Jen Easterly told lawmakers that a recent joint alert issued by her agency, the FBI and the Coast Guard Cyber Command stemmed from an attempted attack against the Port of Houston in August.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

When answering questions from Ohio Republican Sen. Rob Portman, who is the ranking member of the Senate Homeland Security and Governmental Affairs Committee, Easterly testified that the joint alert from the three agencies issued on Sept. 16 stemmed from a cyber incident at the port.

That alert concerned a vulnerability in Zoho Corp.'s single sign-on and password management tool that a nation-state group appeared to be trying to exploit. The attackers appear to have wanted to target the operators of U.S. critical infrastructure as well as defensive contractors, transportation and logistics firms and academic institutions (see: US Warns Nation-State Groups May Exploit Flaw in Zoho Tool).

During her testimony Thursday, Easterly noted that the information was first relayed from the Port of Houston to the Coast Guard and finally to the FBI and CISA.

"We worked with the U.S. Coast Guard on a vulnerability at the Port of Houston and found out about this. We worked with our FBI partners and our Coast Guard partners to better understand that vulnerability, and we were then able to get that information out to see, whether, in fact, we saw the same vulnerability across the federal cyber ecosystem," said Easterly who added that this type of threat information sharing was the first test of CISA's Joint Cyber Defense Collaborative announced in August.

In a statement, the Port of Houston noted that the facility "successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act, and no operational data or systems were impacted as a result."

The Port of Houston is one of the largest ports in the U.S. and includes 200 private and eight public terminals along a 25-mile complex near the Gulf of Mexico. Over the years, the port has contributed about $330 billion worth of economic activity to Texas alone, according to the port's website.

Nation-State Actor?

Portman pressed Easterly about what she knew about the advanced persistent threat actor group attempting to exploit the Zoho vulnerability at the Port of Houston. She noted that CISA was working on attribution, but had not formally attributed the incident to a particular threat group or a nation-state.

"We are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable," Easterly said during the hearing, which mainly focused on improving cybersecurity within the nation's critical infrastructure (see: Senators Debate Cyber Rules for US Critical Infrastructure).

The joint alert only notes that a nation-state group may try to exploit the vulnerability, but does not offer any additional details.

CISA Director Jen Easterly testifying before the Senate Homeland Security Committee on Thursday

While it appears that the attackers managed to gain an initial foothold into the Port of Houston's network and did manage to steal login credentials, the incident was discovered and stopped before any of the facility's operations were affected, according to CNN, which obtained an initial assessment report by the Coast Guard.

A spokesperson for CISA declined to comment on Easterly's testimony and the U.S. Coast Guard could not be immediately reached for comment on Friday.

Facilities such as the Port of Houston are likely targets of these types of cyberthreats and have done a poor job over the years of increasing their security defenses to deal with attacks, says Mike Hamilton, the former vice chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council, who also served as the CISO of Seattle.

"Historically, the U.S. Coast Guard has required ports to submit a 'facility security plan' every two years. It is only recently that the FSP has had to include cybersecurity, in the form of a self-assessment against the National Institute of Standards and Technology cybersecurity framework," says Hamilton, who is now the CISO of security firm Critical Insight.

Hamilton adds that incidents such as the attempted attack against the Port of Houston are likely to make the Coast Guard rethink its cybersecurity assessments of these facilities. "The Coast Guard is going to become much more regulatory, potentially with audits by third parties replacing self-assessments - which are always aspirational," he says.

In January, the Trump administration released a National Maritime Cybersecurity Plan designed to help improve security by eliminating conflicting standards and identifying cyber risks, especially as these transportation operators rely more on IT systems as part of their infrastructure (see: Maritime Cybersecurity Plan Unveiled).


The Sept. 16 joint alert concerned a vulnerability, tracked as CVE-2021-40539, which is found in Zoho's ManageEngine ADSelfService Plus - a self-service password management and single sign-on tool. The flaw has a CVSS score of 9.8 out of 10, making the vulnerability "critical."

On Sept. 6, Zoho released ADSelfService Plus build 6114, which contains a fix for CVE-2021-40539, and the joint alert from CISA, the FBI and the Coast Guard urges user of the company's tool to apply the patch as soon as possible.

If successfully exploited, an attacker can use the vulnerability to plant malicious web shells within a network and then compromise credentials, move laterally through the network and exfiltrate data, including from registry hives and Active Directory files, the alert notes.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.