Maritime Cyber Security & Threats April 2020 Week Two

The case for pre-emptive defence

Vessel Impersonation Report

Dryad Global’s cyber security partner, Red Sky Alliance, performs weekly queries of its backend databases to identify all new records in which the subject line of a malicious email contains Motor Vessel (MV) or Motor Tanker (MT). Using the MV or MT keyword in a subject line is a common lure to entice users in the maritime industry to open emails carrying malicious attachments.

Together with our cyber security partner we provide a weekly list of motor vessels observed being impersonated, along with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Apr 11, 2020 | VESSEL LINE UP - TARAKAN | Trojan:Script/Wacatac.C!ml | imports@sulfo.com | catchall@elettronicagf.it |
| Apr 14, 2020 | CARGO ARRIVAL NOTICE : Billing document 51525772 | Trojan:Script/Wacatac.C!ml | sjo@ebestsec.co.kr | info@kraeber.de |
| Apr 14, 2020 | RFQ for Offshore Drilling Equipments, AHU, FCU, Pipe, Valve, Pump, | Trojan:Win32/Wacatac.C!ml | Brabhakaran. Venters 9ed08@90b.qa | 9ed08@4c10144cda967677.uk |
| Apr 14, 2020 | Re: REQUEST FOR QUOTATION //MT OCEAN STAR// ISO 8217 2005 | Exploit:O97M/CVE-2017-11882!MSR | TRAN QUANG HUY operations@vtosa.com | Target Not Disclosed |
| Apr 15, 2020 | Container loading pictures+ Complete Shipping docs | Trojan:Script/Oneeva.A!ml | Export sales export@caspidelivery.com | alanlian@bigdutchman.com |
| Apr 15, 2020 | FW: BL DETAILS FOR MAERSK LINE | JS/Phish.DUB!tr | Sales sales@world-global.com | operativo@venicegreenterminal.com |
| Apr 15, 2020 | Payment Slip***For Balance Vessel (Amount 501,000 USD) | Exploit:O97M/CVE-2017-11882!rfn | Selina Goh (MS) dend@lysys.com | Target Not Disclosed |
| Apr 15, 2020 | PO#01391-04// EXP SHIPMENT// CARGO | HTML:Phishing-BLL [Phish] | Daniel admin@guongdenled.com | Cheang Fook Kiong FookKiong.Cheang@andritz.com |
| Apr 15, 2020 | MV ABERDEEN - Agency Nomination | Exploit:O97M/CVE-2017-8570.BB!MTB | "Vertom Operations Dept" ba19a09a68@bd1b1c.nl | 25df9@a694174ef.com |
| Apr 15, 2020 | You have Reminder for Invoice No.#56279 - from Ocean world | MSExcel/Agent.5FD9!tr | Simeon Burns ba74cdddde5@d6a.com | caf9@9a74ac8c1cf28b17723.nl |
| Apr 16, 2020 | Re: Re: Royal Marine Quotation// MV PHUONG DONG 06// ISO 8217 2005 | Trojan:Script/Wacatac.C!ml | "Shanghai Royal Marine Tech Co.Ltd" hmi.marker@hari-mau.com | Target Not Disclosed |

In the above collection we see malicious actors using vessel names to spoof companies in the maritime supply chain. This week a large percentage of these malicious emails attempted to deliver Windows trojan malware. New vessel names used this week include “MT Ocean Star” and “MV Phuong Dong 06”, among others.

This week analysts observed a phishing email using the subject line “PO#01391-04// EXP SHIPMENT// CARGO.” Many of the most common phishing lures contain the phrase “PO” or “Purchase Order.” These emails often reach financial departments, which have access to sensitive company information.

Analysis shows that the email came from the “admin” at Guong Den LED, a Vietnamese company manufacturing LED mirrors and cosmetic tables (such as those used by makeup artists). The sender only provides their first name, which is not suspicious by itself but warrants closer inspection.

The target of the email appears to be an employee at Andritz. Andritz is an international technology group providing plants, systems, equipment, and services for various industries.[1] The group is headquartered in Austria and supplies the maritime industry with products including submersible motors, tidal current turbines, and exhaust gas cleaning systems.

The email contains a malicious .htm file attachment. When opened, the file shows a login window for “MicroSoft Excel.” The malware even auto-fills the username with the victim’s email address. When the user enters their correct credentials, the malware captures the input and sends it to the attacker. Although the login looks suspicious, the fact that it only accepts the correct username/password input indicates that it is linked to a legitimate MS Office login portal.

In a separate malicious email, with the subject line “VESSEL LINE UP – TARAKAN”, analysts see the attackers referencing an Indonesian port, Tarakan. The malicious email is sent from an address belonging to Sulfo Rwanda, the second largest manufacturing company in Rwanda.

The email targets Elettronica GF of Italy, an electronic engineering company that focuses on embedded systems. Its products are used in everything from security instrumentation to medical and automation systems. Installing a trojan on a host in this network would likely yield valuable and possibly proprietary engineering data.

The malicious email consists of a message describing the loading/bunkering plans for the vessel. Attached is a malicious .xlsx file, with the same title as the subject line, which contains Trojan:Script/Wacatac.C!ml malware according to the Microsoft AV engine.[2] In this case, the malware exploits a Microsoft Office memory corruption vulnerability described in CVE-2017-11882.
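The weekly query described at the top of this report (MV/MT keywords in subject lines) and the lure patterns in the two emails analysed above (a “PO” subject with an .htm credential harvester, a vessel line-up subject with an .xlsx attachment) can be turned into a simple mail-gateway triage rule. The following is an added example written for this article, not Red Sky Alliance’s or Dryad’s tooling; the log format, the scoring weights and the attachment file names are assumptions, while the subjects and senders are taken from the table above.

```python
import os
import re

# Vessel-prefix lure: "MV"/"MT" as a standalone token, e.g. "MT OCEAN STAR", "MV PHUONG DONG 06"
VESSEL_RE = re.compile(r"\bM[VT]\b", re.IGNORECASE)
# Commercial-document lures seen in this week's subject lines (PO, RFQ, quotation, invoice, ...)
LURE_RE = re.compile(
    r"\b(?:PO|purchase order|RFQ|quotation|invoice|payment slip|vessel line up|agency nomination)\b",
    re.IGNORECASE)
# Attachment types used in the report: an HTML credential harvester and Office documents
RISKY_EXT = {".htm", ".html", ".xls", ".xlsx", ".doc", ".docx", ".rtf"}
# Two sending addresses from the report's table; a real deployment would load the full weekly list
KNOWN_BAD_SENDERS = {"imports@sulfo.com", "admin@guongdenled.com"}

def triage(subject, sender, attachment=""):
    """Score one message; returns (score, reasons). Weights are assumed, not from the report."""
    ext = os.path.splitext(attachment.lower())[1]
    checks = [
        (VESSEL_RE.search(subject), 2, "vessel name (MV/MT) in subject"),
        (LURE_RE.search(subject), 1, "commercial-document lure in subject"),
        (ext in RISKY_EXT, 2, f"risky attachment type {ext}"),
        (sender.lower() in KNOWN_BAD_SENDERS, 3, "sender on weekly impersonation watchlist"),
    ]
    reasons = [reason for hit, _, reason in checks if hit]
    score = sum(weight for hit, weight, _ in checks if hit)
    return score, reasons

def triage_log(text, threshold=3):
    """Parse assumed 'date|sender|subject|attachment' lines; return rows at or above threshold."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, sender, subject, attachment = line.split("|", 3)
        score, reasons = triage(subject, sender, attachment)
        if score >= threshold:
            flagged.append({"date": date, "sender": sender, "subject": subject,
                            "score": score, "reasons": reasons})
    return flagged

# Constructed sample gateway log: subjects and senders from the report, attachment names invented
SAMPLE_LOG = """\
2020-04-15|admin@guongdenled.com|PO#01391-04// EXP SHIPMENT// CARGO|Invoice.htm
2020-04-11|imports@sulfo.com|VESSEL LINE UP - TARAKAN|VESSEL LINE UP - TARAKAN.xlsx
2020-04-16|hmi.marker@hari-mau.com|Re: Re: Royal Marine Quotation// MV PHUONG DONG 06// ISO 8217 2005|
2020-04-16|ops@example.invalid|Crew change schedule for next week|
"""
```

`triage_log(SAMPLE_LOG)` flags the first three rows (scores 6, 6 and 3) and leaves the benign crew-change message alone; the flagged rows are what an analyst would hold for verification by direct contact with the counterparty, as the recommendations below advise.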

[1] https://www.andritz.com/group-en/about-us

[2] https://www.virustotal.com/gui/file/b32f8f47ad68cee6c22730ff96a4bd5282613a5f4aa02168c797eb6d4d1386d7/detection

Our Experts Say

Dryad Assessment

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could turn the recipient into an infected member of the maritime supply chain and thus spread additional malware to vessels, port facilities and/or shore companies in the marine, agricultural, and other industries.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offers a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


Global Dryad

Weekly Maritime Watchlist

Top 5 Malicious Maritime Subject Lines

| Subject Line Used | Email Sender Using Subject Line | Times Seen |
|---|---|---|
| RFQ for Offshore Drilling Equipments, AHU,FCU, Pipe, Valve, Pump, Fittings and Heat Recovery Unit | Brabhakaran. Venters 9ed08@90b.qa, Frithjof Langelotz caf9@7c497f5af2.com | 7 |
| FW: Credit Note For Cancelled PO#0000674358 [MARCH 2020] | Anglo-Eastern Tanker Management Limited wongden@angloeastern.com | 5 |
| VESSEL LINE UP - TARAKAN | Jayus//Operation Tarakan imports@sulfo.com | 4 |
| Re: Re: Royal Marine Quotation// MV PHUONG DONG 06// ISO 8217 2005 | "Shanghai Royal Marine Tech Co.Ltd" hmi.marker@hari-mau.com | 4 |
| RE: MT.OCEAN STAR VOY 16 LETTER / AGENT NOMINATION | Kyklades Maritime Corporation info@kykmar.com | 3 |

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
