Marshall Islands at high risk of cyber attack

Analysis - Pacific Island countries are ripe for cyber-attacks. With few resources, even fewer skilled information security personnel, and low levels of internet awareness among populations, island nations are easy targets for phishing attempts, as well as malware and ransomware attacks.

"The ocean doesn't make you safe in the digital world," said the Marshall Islands Marine Resources Authority (MIMRA) director, who was the victim of a malware attack two years ago.

Concern among security-minded officials in the Marshall Islands is high, but few government ministries, businesses, or non-profits have internet security plans in place.

How vulnerable is the Marshall Islands to a cyber-attack? And how likely is a major hack of Marshall government entities to happen?

To start with, it's already happened.

Over two years ago, the MIMRA was the target of a partially successful malware attack that forced the authority to essentially shut down its computer system, scrub it to remove the malware, and then reboot its network.

The fisheries authority is arguably one of the most IT savvy in the nation, with its layered monitoring, control and surveillance program for the commercial tuna fishery that involves multiple overlaid surveillance applications managed through a state-of-the-art monitoring center.

The hack of MIMRA was a cautionary note about what looms in the Internet space, where every person, agency, or government is but one click away from every bad actor globally - with government-sponsored hacking groups and individuals conducing ransomware and malware attacks to extract money, information or documents from unsuspecting internet users.

"There is not a lot of interest in cyber security," MIMRA director Glen Joseph said, adding that government officials "are overwhelmed with other priorities."

MIMRA has taken steps, including having its staff participate in a Forum Fisheries Agency-sponsored cyber security awareness training at MIMRA late last year.

"MIMRA awareness is building, and our staff are more diligent."

The US government put a substantial grant in play two years ago in support of stepped-up cyber security.

However, that effort, which led to creation of a cyber security task force, has produced little result by the Marshall Islands government, according to several people with knowledge about the issue.

"We are like most other small island nations," said Office of National Security Director Chris deBrum. "We are late to the game of cybersecurity and need to catch up fast."

He acknowledged the Marshall Islands generally lacks capacity in this area: "We need to grow it quickly and fund the capacity building effort for the long term."

During the past year, the government has established both the Office of National Security and a Digital Unit, which have mandate to address information security for the nation.

One of their challenges in elevating internet security levels in Marshall Islands is highlighted by the fact that while a new government email system started rollout last year, rmigov.mh, the vast majority of government workers still use private email addresses - Gmail, Yahoo, or a university address - for official business.

As MIMRA's experience with a malware attack demonstrates, the country's geographic isolation does not insulate it from internet hacking.

The internet places the Marshall Islands squarely in the mix for any bad actor globally, and there are thousands lurking in the shadows of the internet.

What's been happening in the region?

Palau experienced a significant hack of its government in 2024, which hurt its Bureau of National Treasury, affecting payroll processing and other government financial systems. The cyber-attack not only compromised Palau's treasury, the breach resulted in the theft of thousands of documents from the Palau government, reported the Palau newspaper Tia Belau.

The New York Times disclosed the contents of these stolen documents.

Among them were a presentation detailing US radar installation on Palau, marked "For Official Use Only."

Additionally, crew lists of Japanese Navy ships that had visited Palau were exposed, along with hundreds of documents outlining the close relationship between Palau and Taiwan. Palau President Surangel Whipps, Jr. blamed China for the cyber intrusion, which China denied.

In January, the US government uncovered a Chinese hacking campaign that targeted Guam's critical infrastructure - the Guam Power Authority and at least two telecommunications businesses.

Guam is a hub for US military bases and considered a springboard for US forces into Asia.

Bloomberg reported that the Chinese operation is called "Volt Typhoon" and is "meant to disrupt military and civilian operations in the event of conflict over Taiwan." The Marshall Islands and Palau are both diplomatic allies of Taiwan.

The hacking of the Guam power company was sophisticated and difficult to discover.

Once US authorities assessed unusual logins in the Guam power company's system, federal agencies including the FBI, the National Security Agency, and Coast Guard deployed manpower to Guam to install monitoring systems across energy grids, ports, and telecom networks. The Guam Power Authority supplies 20 percent of the US Navy's power on Guam.

A Marshall Islands official with knowledge of security and defense issues, who spoke on condition of anonymity, said authorities in Taiwan told him that China was targeting Taiwan diplomatic allies in the Pacific.

He said the attack on and document theft from Palau's treasury was an indication of what's coming from Beijing, and the Marshall Islands and Tuvalu should expect similar efforts by China-backed hacking groups in 2025.

Last week, Samoa's Computer Emergency Response Team issued an "Advanced Persistent Threat 40 (APT40) advisory.

"APT40 is a state-sponsored cyber group that utilities advanced capabilities to conduct malicious cyber operations against government and key critical infrastructure systems," Samoa's cyber threat advisory said.

"This group has previously targeted the United States, Australia, and has most recently been observed conducting operations directed at the sensitive networks administered by Pacific Island nations."

The Samoa advisory warned that APT40 was engaged in a campaign to "specifically target networks hosted in the Blue Pacific."

It said APT40 uses sophisticated and difficult to identify malware "that allows the threat actor to maintain persistence and command and control in the network."

Samoa noted that its investigations showed APT40 hackers "pre-positioning themselves in the networks for long periods of time and remaining undetected before conducting exfiltration activity."

Currently, the Marshall Islands Ministry of Finance has no additional security for its internet/cloud-based operations.

Meanwhile, few entities in the country are paying for internet security companies to beef up their monitoring and security of internet-based programs.

As an indication of the concern over the potential disaster of hacking of key government ministries and infrastructure, several pieces of legislation related to internet and digital security and crimes have been drafted for introduction to Nitijela (parliament). Among those is a Cyber Security Act and a Cyber Crimes Act.

The draft Cyber Security Action aims at "establishing a legal framework to prioritize cybersecurity, identify and protect critical information infrastructure from cybersecurity threats and incidents, establish a framework to implement a team to effectively monitor and respond to cybersecurity incidents, and provide for other matters concerning cybersecurity both domestic and international."

Office of National Security Director deBrum believes a professionally staffed cybersecurity authority within the government is needed to address the cybersecurity challenges facing the Marshall Islands.

"This is important because cybersecurity needs to support the government horizontally across both the ministries and civil society," he said. "We are exploring how best to establish this authority."

Based on MIMRA's experience with malware and the hacking of important government agencies and critical infrastructure providers in Palau and Guam, the draft legislation and stepped up engagement in cyber security is not a minute too soon.

The bigger question is obvious: Are hackers already inside Marshall Islands government computers recording information, tracking communications and stealing documents?