Maritime Cyber Security & Threats March 2020 Week Three

The case for pre-emptive defence

Vessel Impersonation Report

Dryad Global’s cyber security partner, Red Sky Alliance, performs weekly queries of backend databases, identifying all new malicious emails containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line. An MV or MT keyword in the subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of motor vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

First Seen | Subject Line Used | Malware Detection | Sending Email | Target
--- | --- | --- | --- | ---
Mar 16, 2020 | TNT Express delivery Consignment Notification | Trojan:Win32/Injector.MU!MTB | diamond@tnt.com | info@baltic-sea-forum.org
Mar 16, 2020 | RE: Mv Pacific Harmony - CTM - Sattahip - 16.03.2020 | Trojan:Win32/Wacatac.C!ml | caf9@d8c6ac1ed81.com | ca7079c0a2b0@2010546c.biz
Mar 17, 2020 | MV Jackie B / PDA / Discharging about 32,600 Mts of Corn/Maize | Trojan:Win32/Occamy.C | jackleb@empirebulkers.com | hideo.suzuki@furuno.co.jp
Mar 17, 2020 | Fw: Re: Machine Spare Enquiry From China Marine Bunker(Petro China)Co., Ltd | Trojan:Win32/Wacatac.C!ml | jhdo001@aerix.co.kr | Mr Gong Yen admin@genogan.cf
Mar 17, 2020 | RE : RE : URGENT SHIPPING DOC BL,SI,INV 462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // | Trojan:Win32/Predator.BD!MTB | nooreply@maersk.com | unrecognized@sys.redcondor.com
Mar 17, 2020 | VSL: MV FORTUNE TRADER | Exploit:O97M/CVE-2017-11882!MTB | Oriental Logistics Group Limited cindy@persadanusantara.co.id | Target not disclosed
Mar 18, 2020 | Arrival Notice For BL - 713010031110 / Vessel - TAICHUNG / Voyage - 046C | Trojan:Win32/Sonbokli.A!cl | "Capt. Liu Yun kung" operation@sdtr-marine.com | Target not disclosed
Mar 18, 2020 | MT PV Oil Jupiter / 3-17-2020 - Freight remittance | Trojan:Win32/FormBook.AQ!MTB | Nova Marine Carriers SA e84@74044268e6be286457.com | Target not disclosed
Mar 18, 2020 | Re: M.V. Genco Claudius call Dongwu/Mei zhouwan guotou pier disch coal - port information enquire | Trojan:Win32/Wacatac.D!ml | "Capt. E. Tei" ops@richlandbulk.com | operations@labcosulich.com
Mar 18, 2020 | Fwd: order confirmation | Trojan:Win32/Occamy.C | fax_glina@fccco.ro | markus.koehl@baltic-sea-forum.org
Mar 18, 2020 | GLOBAL LOGISTICS LCL IMPORT SAILING CONSOL - MARCH 2020 | Trojan:Win32/Wacatac.C!ml | Wesley MAYERS 99b0e8da@508b515979db74e7.com | e2e4@bd9ea7e13cf1b75354.uk

In the above collection we see malicious actors using vessel names to spoof companies in the maritime supply chain. This week a large share of these emails attempted to deliver the Wacatac and Occamy Windows trojans (four and two of the eleven messages respectively). Vessel names newly seen this week include “MT PV Oil Jupiter” and “MV FORTUNE TRADER”, among others.

An email was observed attempting to impersonate “MV Fortune Trader” using the subject line “VSL: MV FORTUNE TRADER”. The sender claims to be part of Oriental Logistics Group Limited, which is a shipping entity based in Taipei, Taiwan.

Analysis reveals that the malicious email was sent from a legitimate domain owned by an Indonesian mechanical and electrical engineering company, PT. Inti Persada Nusantara. Although the targets are undisclosed, analysis of the email headers indicates that the victims are based in Japan. It is unclear whether the attackers have taken control of a legitimate mailbox or whether the sender address is simply spoofed. The quickest way to tell is the SPF, DKIM and DMARC verdicts that the receiving server records in the Authentication-Results header: a forged From address on a domain that publishes these records fails them, whereas a message sent through the company’s own mail servers from a compromised account passes.

The message carries an attached .xlsx file (Excel spreadsheet) that the Microsoft anti-virus engine identifies as Exploit:O97M/CVE-2017-11882!MTB.[1] CVE-2017-11882 is a memory-corruption vulnerability in the Microsoft Office Equation Editor (EQNEDT32.EXE) that was patched in November 2017; a document exploiting it needs no macros and raises no prompt, so simply opening the attachment, titled “MV FORTUNE TRADER.xlsx”, on an unpatched Office installation runs the attacker’s code. The message body asks the recipient to open the file to view “requisitions” for the vessel named above.

In another example, we see an email attempting to impersonate the shipping giant Maersk using the subject line “RE : RE : URGENT SHIPPING DOC BL,SI,INV 462345 // MAERSK KLEVEN V.949E // CLGQOE191781 //”. As with the majority of subject lines, this one entices the user to open the email with the phrase “urgent shipping doc”. The sender also prepends “RE : RE :”, a common tactic to make it appear that the victim has already discussed the subject with the sender and that the message is part of an existing email chain.

A subtle indication that the sending address is malicious is the extra “o” in “nooreply@maersk.com”, which would easily be overlooked by someone assuming the sender is legitimate. Attackers commonly use this method to spoof and imitate legitimate mail senders. Note that the domain part is Maersk’s real domain rather than a look-alike, so the From header itself is almost certainly forged; a recipient cannot verify that by eye, and the receiving gateway’s SPF, DKIM and DMARC checks are the control that catches it. Many users would also not stop to think that a “No Reply” address would not normally generate an email chain, since nobody replies to it.

An attachment titled “Shipping Doc_Maersk Kleven V.949E_pdf.xz” is identified by the Microsoft AV engine as Trojan:Win32/Predator.BD!MTB, a Windows trojan. The filename includes “pdf” to suggest a viewable document, but the real extension is .xz, an XZ (LZMA) compressed archive rather than a PDF. Windows cannot open .xz files natively, so the victim has to extract the archive with a third-party tool such as 7-Zip, after which the executable inside carries the detected malware.
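The checks described above (the MV/MT vessel-name lure in the subject line, a “RE : RE :” chain from a no-reply sender, a forged versus a compromised sender, and a document name hiding an archive extension) can be turned into a triage script. The following is an added example, not Dryad Global or Red Sky Alliance code, written in Python with only the standard library. The two sample messages are constructed: their subjects, sender addresses and attachment names follow the table above, while recipients, bodies and Authentication-Results values are invented. The indicator names, extension lists and watchlist matching rule are the example’s own assumptions; the watchlist entries are the five sending domains from the watchlist table further down this page.

```python
"""Triage a raw email for the vessel-impersonation indicators discussed in this report.
Added example (not Dryad Global / Red Sky Alliance code); standard library only."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Sending domains from the "Top 5 Malicious Maritime Email Sending Domains" table.
WATCHLIST_DOMAINS = {"phshipping.com.sg", "webmail.ofitec-gamar.com", "ms1.lina.gov.tw",
                     "adrenalinatours.com", "magma.avnam.net"}
# Assumed policy lists: archives a gateway should hold, and Office formats that can carry
# the Equation Editor exploit (CVE-2017-11882) without any macro prompt.
ARCHIVE_EXTS = (".xz", ".zip", ".rar", ".7z", ".gz", ".iso", ".ace")
OFFICE_EXTS = (".xlsx", ".xls", ".docx", ".doc", ".rtf")
# "MV", "M.V.", "MT", "M.T." or "VSL" used as a vessel-name prefix in the subject line.
VESSEL_LURE = re.compile(r"(?<![A-Za-z])(?:M\.?V|M\.?T|VSL)\.?(?![A-Za-z])", re.I)
REPLY_PREFIX = re.compile(r"^\s*(?:re|fw|fwd)\s*:", re.I)
NOREPLY_LOCAL = re.compile(r"no+[-_.]?reply", re.I)  # "noreply", "no-reply", "nooreply"
# A document word wedged in front of the real extension, e.g. "..._pdf.xz" or "inv.pdf.exe".
DISGUISED_DOC = re.compile(r"[._-](?:pdf|doc|xls)[._-][^.]+$", re.I)


def auth_results(msg: Message) -> dict:
    """Collect spf/dkim/dmarc verdicts the receiving MTA stamped into Authentication-Results."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def domain_watchlisted(domain: str) -> bool:
    """Sender domain equals, sits under, or is the parent of a watchlisted host.
    Naive on purpose: a real deployment would consult a public-suffix list."""
    return any(domain == w or domain.endswith("." + w) or w.endswith("." + domain)
               for w in WATCHLIST_DOMAINS)


def triage(raw: str) -> list:
    """Return the indicator names found in one raw RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw)
    subject = " ".join(msg.get("Subject", "").split())  # unfold continuation lines
    _, sender = parseaddr(msg.get("From", ""))
    local, _, domain = sender.lower().rpartition("@")
    found = []
    if VESSEL_LURE.search(subject):
        found.append("vessel_name_lure")
    if REPLY_PREFIX.search(subject) and NOREPLY_LOCAL.search(local):
        found.append("reply_chain_from_noreply_sender")  # no-reply senders do not start threads
    if domain and domain_watchlisted(domain):
        found.append("sender_domain_on_watchlist")
    for name in [p.get_filename() for p in msg.walk() if p.get_filename()]:
        lower = name.lower()
        if lower.endswith(ARCHIVE_EXTS):
            found.append("archive_attachment")
        if lower.endswith(OFFICE_EXTS):
            found.append("office_document_attachment")
        if DISGUISED_DOC.search(lower):
            found.append("disguised_document_filename")
    verdicts = auth_results(msg)
    if any(v in ("fail", "softfail", "permerror") for v in verdicts.values()):
        found.append("sender_forged_auth_failed")  # the From domain did not vouch for it
    elif found and verdicts and all(v == "pass" for v in verdicts.values()):
        found.append("sender_authenticated_possible_account_compromise")
    return found


# Constructed samples: subject, sender and attachment name follow the report's table;
# recipients, bodies and Authentication-Results values are invented.
SPOOFED_MAERSK = """\
From: "Maersk Line" <nooreply@maersk.com>
Subject: RE : RE : URGENT SHIPPING DOC BL,SI,INV 462345 // MAERSK KLEVEN V.949E // CLGQOE191781 //
Authentication-Results: mx.example.invalid; spf=fail smtp.mailfrom=maersk.com; dkim=none; dmarc=fail header.from=maersk.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Shipping Doc_Maersk Kleven V.949E_pdf.xz"
Content-Disposition: attachment; filename="Shipping Doc_Maersk Kleven V.949E_pdf.xz"

/Td6WFoAAAD/
--b1--
"""
FORTUNE_TRADER = """\
From: Oriental Logistics Group Limited <cindy@persadanusantara.co.id>
Subject: VSL: MV FORTUNE TRADER
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=persadanusantara.co.id; dkim=pass header.d=persadanusantara.co.id; dmarc=pass
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Disposition: attachment; filename="MV FORTUNE TRADER.xlsx"

(binary omitted)
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("maersk", SPOOFED_MAERSK), ("fortune_trader", FORTUNE_TRADER)):
        print(label, triage(raw))
```

Run directly, the script prints the indicators for both samples. In a gateway the archive, disguised-filename and forged-sender indicators are grounds to quarantine outright; the “sender_authenticated_possible_account_compromise” indicator is the case the report’s Fortune Trader analysis describes, where the domain is real and the right response is to verify with the counterparty by phone rather than by replying to the email.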

[1] https://www.virustotal.com/gui/file/c8f431316b0c77d39436e31b3943821b14308c8a7acb3a331735b1494e36c066/detection

Our Experts Say

Dryad Assessment

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could make the recipient an infected member of the maritime supply chain and in turn spread additional malware to vessels, port facilities and shore companies in the marine, agricultural and other industries.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first line of defence by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques to evade current detection daily. Pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and the Maritime Blacklists offers a proactive way to stop cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Global Dryad

Weekly Maritime Watchlist

Top 5 Malicious Maritime Email Sending Domains

Sending Domain | Domain Hosted By | Times Seen
--- | --- | ---
phshipping.com.sg | SuperHosting.BG Ltd. | 4
webmail.ofitec-gamar.com | 1&1 Ionos SE | 3
ms1.lina.gov.tw | Data Communication Business Group | 2
adrenalinatours.com | CARINET | 1
magma.avnam.net | NSS S.A. | 1

The more convincing an email appears, the greater the chance that employees will fall for the scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also covers the human element as well as organisational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.
