The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending email | Targets |
|---|---|---|---|---|
| Nov 22, 2019 | BUNKER ESTIMATE - MV SEA HORSE 20TH MAY.2019 | Trojan:Win32/Skeeyah.A!MTB | "YEOSU OCEAN CO.,LTD." | woas.net |
| Nov 23, 2019 | MT DELIA //CTM REQUEST with ETA 31st Nov 20192 | Trojan:Script/Casur.A!cl - Microsoft | "China Construction Bank" <email@example.com> | e49cdf609f3ac2.com |
| Nov 25, 2019 | MV BAO XIANG LING-ARRIVAL NOTICE | MSOffice/CVE_2017_11882.C!exploit - Fortinet | "Hengxin Shipping Co.,Ltd." | Target not reported |
In the above collections for MV Sea Horse, MT Delia, MV Bao Xiang Ling and others, we see malicious actors using these vessel names to try to spoof companies in the maritime supply chain.
MT Delia is an oil and chemical tanker under the Panama flag. Analysis reveals that a malicious email was sent to at least one domain which appears to be obfuscated. The malware the sender attempted to deliver is Trojan:Script/Casur.A!c. The subject line of the malicious email is: “MT DELIA //CTM REQUEST with ETA 31st Nov 20192”.
In another example, we see a subject line of: “MV BAO XIANG LING-ARRIVAL NOTICE”. The MV Bao Xiang Ling is a bulk carrier under the China flag, currently moored in Tangshan, east of Beijing. At first glance, any recipient of this email would take it for a bulk carrier notifying the reader of its arrival at a port. To an employee of a port that may be expecting the arrival of the MV Bao Xiang Ling, this would appear to be a legitimate email and would likely entice them to open the message and its attachment, thus downloading malware such as the listed MSOffice/CVE_2017_11882.C!exploit detected by Fortinet.
In the contents of the email using the subject line “MV BAO XIANG LING-ARRIVAL NOTICE”, we see the author further instructing the user to open the provided attachment, using the common shipping terms “arrival notice”, “cargo details” and “cargo manifest”. The language used in the email attempts to add to its legitimacy.
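The lure pattern described above (vessel designator in the subject, routine shipping phrases in the text, an Office attachment, and a sender display name claiming a shipping company) can be turned into a mail-gateway triage check. The following is an added example, not code from the Red Sky Alliance report: the three subject lines are the report's own indicators, while every sender address, domain, recipient and message body is constructed here for illustration, and the display-name/domain heuristic and the hold threshold are assumptions of this example rather than anything the report prescribes.

```python
"""Triage check for vessel-impersonation lures (added example, not report code).

Scores an inbound RFC 5322 message against the pattern in the report: an
MV/MT vessel designator in the subject, shipping phrases in the text, an
Office or archive attachment, and a sender display name whose distinctive
words do not appear in the sending domain. Addresses, domains and bodies
below are constructed; only the subject indicators come from the report.
"""
import re
from email.message import EmailMessage
from email.parser import Parser
from email.policy import default

# Subject lines observed in the report's table (exact-match indicators).
KNOWN_CAMPAIGN_SUBJECTS = {
    "BUNKER ESTIMATE - MV SEA HORSE 20TH MAY.2019",
    "MT DELIA //CTM REQUEST with ETA 31st Nov 20192",
    "MV BAO XIANG LING-ARRIVAL NOTICE",
}
# Shipping phrases the report notes were used to make the lure look routine.
SHIPPING_TERMS = ("arrival notice", "cargo details", "cargo manifest",
                  "ctm request", "bunker estimate")
# MV/MT followed by an upper-case vessel name, e.g. "MV BAO XIANG LING".
VESSEL_RE = re.compile(r"\b(?:MV|MT)\s+[A-Z][A-Z0-9 ]{2,}")
# Attachment types commonly used to carry document-based malware.
RISKY_EXT = (".doc", ".docx", ".xls", ".xlsx", ".rtf", ".zip", ".iso")
# Words too generic to tie a display name to a domain (assumed list).
GENERIC_WORDS = {"shipping", "company", "limited", "bank", "marine", "group"}
HOLD_THRESHOLD = 3  # assumed: three or more signals -> hold for verification


def display_name_mismatch(display_name: str, domain: str) -> bool:
    """Heuristic: company-style display name with no distinctive word in the domain."""
    words = [w for w in re.findall(r"[a-z]{4,}", display_name.lower())
             if w not in GENERIC_WORDS]
    return bool(words) and not any(w in domain.lower() for w in words)


def score_message(raw: str) -> dict:
    """Parse a raw message and list the impersonation signals it shows."""
    msg = Parser(policy=default).parsestr(raw)
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{subject}\n{body}".lower()
    reasons = []
    if subject in KNOWN_CAMPAIGN_SUBJECTS:
        reasons.append("subject matches a known campaign indicator")
    if VESSEL_RE.search(subject):
        reasons.append("vessel designator (MV/MT) in subject")
    hits = [t for t in SHIPPING_TERMS if t in text]
    if hits:
        reasons.append("shipping phrases used: " + ", ".join(hits))
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    if any(n.lower().endswith(RISKY_EXT) for n in names):
        reasons.append("office/archive attachment: " + ", ".join(names))
    from_hdr = msg["From"]
    if from_hdr and from_hdr.addresses:
        addr = from_hdr.addresses[0]
        if display_name_mismatch(addr.display_name, addr.domain):
            reasons.append(f"display name '{addr.display_name}' does not match domain {addr.domain}")
    score = len(reasons)
    verdict = "hold for out-of-band verification" if score >= HOLD_THRESHOLD else "deliver"
    return {"score": score, "reasons": reasons, "verdict": verdict}


def build_sample(sender: str, subject: str, body: str, attachment: str = None) -> str:
    """Build a constructed test message as a raw string (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "operations@port-example.test"  # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder bytes, not a real document",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_string()


# Constructed samples: one modelled on the report's arrival-notice lure, one
# benign schedule, one lure for a made-up vessel absent from the indicator list.
SAMPLES = {
    "arrival_notice_lure": build_sample(
        '"Hengxin Shipping Co.,Ltd." <ops@mail-relay-example.test>',
        "MV BAO XIANG LING-ARRIVAL NOTICE",
        "Dear Sir,\nPlease open the attached arrival notice and cargo manifest "
        "and confirm the cargo details before berthing.\n",
        "Arrival_Notice.doc"),
    "benign_schedule": build_sample(
        '"Port Agency Desk" <agent@portagency-example.test>',
        "Weekly berth schedule",
        "Attached is the berth schedule for next week; no action needed.\n"),
    "unlisted_vessel_lure": build_sample(
        '"Northern Star Agency" <agency@northernstar-example.test>',
        "MV NORTHERN STAR - ETA UPDATE",
        "Kindly review the CTM request and bunker estimate attached.\n",
        "ETA_Update.xlsx"),
}


def triage_all() -> dict:
    """Score every constructed sample; keyed by sample name."""
    return {name: score_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

The exact-match subject list catches only the three lures already reported; the vessel-designator, shipping-phrase and attachment checks are what let the third sample, a vessel the report never mentions, still be held for the kind of direct, out-of-band verification the recommendations below call for.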
Our Experts Say
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress constant attention to the real-world consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support and our vessel impersonation information, and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.