The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detection | Sender (display name) | Target Domain |
|---|---|---|---|---|
| Nov 26, 2019 | [Warning]MV TBN - PORT INQUIRY | Backdoor:MSIL/Bladabindi!MTB | Veena Bankar | ckm.co.jp |
| Nov 28, 2019 | MV. SEA MARK - FDA / OUTSTANDING BALANCE | Trojan:Win32/Emali.B!cl | L.P. Felperlaan Shipping | Target not reported |
| Dec 2, 2019 | MT GLOBAL GLORY V1901 AGENT NOMINATION FOR LOAD AT Pulau Laut | Trojan:Win32/Sonbokli.A!cl | JunzhengShipping | junzhenggroup.com |
| Dec 2, 2019 | Re: RE: MV LEONOR - /ETA TO ITALY | TrojanDownloader:O97M/Emotet.RX!MTB | FALCON LOGISTICS.JSC | b315aee.mx |
| Dec 2, 2019 | CTM DELIVERY REQUEST- MT SUN GAIA AT ULSAN | Trojan:Win32/Wacatac.B!ml | Yukako Kobayashi | sunavigation.com |
| Dec 2, 2019 | MV AL HANI PDA LINER OUT CHARGES - AGENT APPOINTMENT LOADING | Trojan:Win32/Tiggre!rfn | Intermarine Shipping | intermarine.com |
| Dec 2, 2019 | mv TBN / Inquiry pda / Due to Dischrgn/Port Call | Trojan:Win32/Tiggre!rfn | Alex, Selena Shipping | selena-shipping.com |
| Dec 2, 2019 | MV TBN // PDA REQUEST | Backdoor:MSIL/Bladabindi!MTB | Veena Bankar | ckm.co.jp |
| Dec 2, 2019 | MT. GLOBAL IRIS V145 - DRAFT BL | Trojan:Win32/Predator.BC!MTB | OCEAN EIGHT MARINE PTE LTD | asedossa.com |
| Dec 2, 2019 | MV "BOMAR OYSTER Loading 60000mt of MILESTONE | Java/Kryptik.ZQ!tr | MILESTONE KOREA Co., Ltd. | Target not reported |
| Dec 2, 2019 | MV Thor Magnhild - Request quotation for deck and engine store | Trojan:Win32/Predator.BC!MTB | sales | indra.es |
In the samples above for MV TBN, MV Sea Mark, MT Global Glory and others, the actors use real or plausible vessel names to impersonate agents, owners and suppliers in the maritime supply chain. Note that "TBN" (to be nominated) is not a vessel name at all: it is the placeholder used in port-agency correspondence before a ship has been fixed, which is exactly why an "MV TBN" PDA request looks routine to an agent's inbox.
MT Global Glory is an oil and chemical tanker under the Hong Kong flag. Analysis shows that a malicious email was sent to the domain junzhenggroup.com, which belongs to Junzheng Energy & Chemical Group. The attached malware was detected as Trojan:Win32/Sonbokli.A!cl. The subject line of the malicious email was: "MT GLOBAL GLORY V1901 AGENT NOMINATION FOR LOAD AT Pulau Laut".
An unsuspecting employee at Junzheng Energy & Chemical would see an email with this subject line and could well open it to read the details of an apparent load nomination. If the attachment is opened and the malware executes, that workstation becomes an infected member of the maritime supply chain, and the actor can use it as a foothold to push additional malware to vessels, port facilities and shore companies in the marine and chemical industries that exchange mail with it.
In another example, we see the subject line "MV AL HANI PDA LINER OUT CHARGES - AGENT APPOINTMENT LOADING". The MV Al Hani is a general cargo ship under the Togo flag, at the time of writing en route to the port of Tripoli, Lebanon. At first glance, any recipient would read this as a request for information about a potential shipping contract. It would likely pass as a legitimate email and entice the recipient to open it and run the attachment, delivering the listed Trojan:Win32/Tiggre!rfn detection.
In the body of the email using the subject line "MV AL HANI PDA LINER OUT CHARGES - AGENT APPOINTMENT LOADING", the author asks the recipient to respond. Reading the message itself is rarely enough to infect the host; the damage is done when the attachment is opened, and for macro droppers such as the O97M/Emotet sample in the table, when the recipient also clicks "Enable content". The language of the email tries to add legitimacy with shipping jargon such as "pda", "cargo details", "packing list" and "vessel specs".
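The indicators discussed above (a vessel-name subject stuffed with shipping jargon, a display name borrowed from a real company, a "Re:" that replies to nothing, an attachment that executes on open) can be checked mechanically at the mail gateway. The script below is an added example written for this page, not tooling from Red Sky Alliance or from any of the companies named; the three messages it inspects are constructed samples, and the sender domains and the `BLOCKED_DOMAINS` blocklist are hypothetical placeholders, not addresses taken from the table.

```python
"""Header-and-attachment triage for vessel-impersonation phishing (added example).

The sample messages, domains and blocklist below are constructed for this
illustration; none are taken from the report's table.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Shipping jargon that recurs in the subject lines and lure bodies discussed above.
LURE_TERMS = re.compile(
    r"\b(PDA|TBN|AGENT\s+(?:NOMINATION|APPOINTMENT)|PORT\s+(?:INQUIRY|CALL)|"
    r"OUTSTANDING\s+BALANCE|DRAFT\s+BL|CTM\s+DELIVERY|ETA|VESSEL\s+SPECS|PACKING\s+LIST)\b",
    re.IGNORECASE,
)
# Attachment types that run when opened, or after one "Enable content" click (macro docs).
RISKY_EXT = {".exe", ".scr", ".jar", ".js", ".vbs", ".doc", ".docm", ".xls", ".xlsm", ".iso", ".lnk"}
# Hypothetical local blocklist standing in for a maritime sender blacklist feed.
BLOCKED_DOMAINS = {"mail-badagent.example"}
# Generic words that say nothing about which company a display name claims to be.
GENERIC_WORDS = {"shipping", "marine", "logistics", "group", "limited", "company"}


def domain_of(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return [(code, detail)] findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    if from_dom in BLOCKED_DOMAINS:
        findings.append(("blocklisted_domain", from_dom))
    reply_to = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_to and reply_to != from_dom:
        findings.append(("reply_to_mismatch", f"{reply_to} != {from_dom}"))
    # A display name claiming a company that the sending domain does not reflect.
    tokens = [t for t in re.findall(r"[a-z]{4,}", name.lower()) if t not in GENERIC_WORDS]
    if tokens and from_dom and not any(t in from_dom for t in tokens):
        findings.append(("display_name_mismatch", f"{name!r} from {from_dom}"))
    subject = str(msg.get("Subject", ""))
    # "Re:" with no threading headers: a reply that is not actually replying to anything.
    if re.match(r"\s*(re|fwd?)\s*:", subject, re.I) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append(("fake_reply", subject))
    lures = sorted({m.group(0).upper() for m in LURE_TERMS.finditer(subject)})
    if lures:
        findings.append(("subject_lure", ", ".join(lures)))
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        ext = "." + fn.rsplit(".", 1)[-1].lower() if "." in fn else ""
        if ext in RISKY_EXT:
            findings.append(("risky_attachment", fn))
    return findings


def build_sample(from_hdr, subject, attach_name, reply_to=None):
    """Construct a sample message; body and attachment are placeholders, not real malware."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "operations@target-shipping.example"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Kindly see attached vessel specs and packing list, revert with PDA.")
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


SAMPLES = {
    # Spoofed agent: display name borrows a real company, mail comes from elsewhere, replies go elsewhere again.
    "spoofed_agent": build_sample(
        '"Junzheng Shipping" <ops@mail-badagent.example>',
        "MT GLOBAL GLORY V1901 AGENT NOMINATION FOR LOAD AT Pulau Laut",
        "PDA_Request.doc",
        reply_to="agent.pda@freemail.example",
    ),
    # Thread-hijack style: sender domain looks right (compromised mailbox), but the "reply" threads to nothing.
    "fake_reply": build_sample(
        '"FALCON LOGISTICS.JSC" <accounts@falcon-logistics.example>',
        "Re: RE: MV LEONOR - /ETA TO ITALY",
        "ETA_confirmation.doc",
    ),
    "benign": build_sample(
        '"Selena Shipping" <alex@selena-shipping.example>',
        "Crew change schedule, week 49",
        "schedule.pdf",
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The second sample is the important one: when the mail really does come from a compromised mailbox at a genuine partner, the sender and display-name checks stay silent, and only the missing In-Reply-To/References headers and the macro-capable attachment give it away. Treat these findings as triage signals to route a message for human verification, not as an automatic block; plenty of legitimate agency traffic carries the same jargon.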
Our Experts Say
The more convincing an email appears, the greater the chance employees will fall for it. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also covers the human element and the organization's workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Verify unexpected requests, nominations and payment changes over an independent channel, using a phone number or address already on file rather than one taken from the email itself.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.