The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending email | Targets |
|---|---|---|---|---|
| Nov 8, 2019 | MV LE MIN VOY1793 CALLING FOR DISCHARGING | Trojan:Script/Oneeva.A!ml - Microsoft | Mr.YANG Hao Lin | 25df9 |
| Nov 8, 2019 | MV HAESUNG TBN EPDA REQUEST | HEUR:Trojan-Downloader.VBS.Agent.gen - Kaspersky | ARLYN | |
| Nov 9, 2019 | AGENT NOMINATION - MV. COLUMBA / SEA NET - LDG 50,000MT 12% MOLOO OF LIME STONE IN BULK | HEUR:TrojanDownloader.VBS.Agent.gen - Kaspersky | SEA NET SHIPPING CO., LTD. <firstname.lastname@example.org> | caf9 |
In the collections above for MV Le Min, MV Haesung and MV Columba, malicious actors use these vessel names to try to spoof companies in the maritime supply chain.
MV Le Min is a general cargo ship operating under the flag of China. Analysis reveals that a malicious email was sent to at least one domain that appears to be obfuscated. The email attempted to deliver malware detected by Microsoft as Trojan:Script/Oneeva.A!ml. The subject line of the malicious email is: “MV LE MIN VOY1793 CALLING FOR DISCHARGING”.
In another example, the subject line is: “MV HAESUNG TBN EPDA REQUEST”. The intended target of this malicious email is a domain which also appears to be obfuscated. The MV Haesung is a real gas carrier ship sailing under the flag of Korea, currently docked near Seoul, South Korea. At first glance, the email looks to its recipient like a gas carrier vessel requesting shipping documents. To any employee of a shipping or logistics company who may be expecting the arrival of the MV Haesung, this would appear to be a legitimate email and would likely entice them to click on the email and thus download malware such as the listed HEUR:Trojan-Downloader.VBS.Agent.gen detected by Kaspersky.
Our Experts Say
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress constant attention to the real-world consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support and our vessel impersonation information, and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
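As an added illustration (not part of the original report and not Red Sky Alliance code), the sketch below shows how a mail triage step could support the "verify by direct communication" advice: it pulls the vessel name out of subjects like those in the table and holds any message whose sender is not an already-verified contact for that vessel. The function names, the stop-word list and the contact list are hypothetical, and the sender addresses are constructed.

```python
import re
from email.utils import parseaddr

# Words that end a vessel name in subjects like the ones in the report's table.
STOP_WORDS = {"TBN", "EPDA", "CALLING", "ETA", "REQUEST"}

# Constructed sample data (assumption): vessels this office expects, mapped to
# sender addresses already confirmed by phone or another direct channel.
VERIFIED_CONTACTS = {"HAESUNG": {"ops@agent.example"}}


def vessel_in_subject(subject):
    """Return the name following an MV / MV. / M.V. marker, or None."""
    m = re.search(r"\bM\.?V\b\.?\s+(.*)", subject.upper())
    if not m:
        return None
    name = []
    for tok in m.group(1).split():
        # Voyage numbers, separators and trade abbreviations end the name.
        if not tok.isalpha() or tok in STOP_WORDS:
            break
        name.append(tok)
    return " ".join(name) or None


def triage(subject, from_header):
    """Classify a message by vessel named in the subject and sender address."""
    vessel = vessel_in_subject(subject)
    if vessel is None:
        return "no-vessel"
    # The From header is only trustworthy if SPF/DKIM/DMARC passed upstream.
    sender = parseaddr(from_header)[1].lower()
    if sender in VERIFIED_CONTACTS.get(vessel, set()):
        return "verified-contact"
    if vessel in VERIFIED_CONTACTS:
        return "hold: expected vessel, unverified sender"
    return "hold: unexpected vessel"


if __name__ == "__main__":
    # Subjects are from the table above; sender addresses are constructed.
    samples = [
        ("MV LE MIN VOY1793 CALLING FOR DISCHARGING", "Sender <a@unknown.example>"),
        ("MV HAESUNG TBN EPDA REQUEST", "Sender <b@unknown.example>"),
        ("MV HAESUNG TBN EPDA REQUEST", "Ops Desk <ops@agent.example>"),
    ]
    for subject, sender in samples:
        print(f"{triage(subject, sender):45} {subject}")
```

The "expected vessel, unverified sender" result is the case the report warns about: the vessel is real and anticipated, so the message should be confirmed through a known phone number or contact before anything in it is opened.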