The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
| Dec 26, 2019 | MT MAERSK TORSHAVN // ONLINE PORT CLEARANCE CERTIFICATE | Trojan:Win32/Sonbokli.A!cl | firstname.lastname@example.org | Target not reported |
This week Red Sky Alliance observed vessel impersonation traffic attempting to deliver the Trojan:Win32/Sonbokli.A!cl malware.
In the above collection for MT MAERSK TORSHAVN we see a malicious actor using the vessel name to try to spoof companies in the maritime supply chain.
MT MAERSK TORSHAVN is a Generic Tanker Vessel under the Singapore flag. Analysis reveals that a malicious email was sent to an unreported target domain. The message contains the subject line “MT MAERSK TORSHAVN // ONLINE PORT CLEARANCE CERTIFICATE” and an attachment identified by Microsoft as the Trojan:Win32/Sonbokli.A!cl malware.
An unsuspecting employee receiving this email would see nothing out of the ordinary in the subject line, which may lead them to open the email. The body of the email prompts the recipient to open the attachment named “PORT_CLEARANCE_CERTIFICATE_MT_MAERSK.xlsx”, which would trigger malware delivery. Opening any infected email could cause a recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities, shore companies, and/or other organizations in the maritime supply chain with additional malware.
In the contents of the email using the subject line “MT MAERSK TORSHAVN // ONLINE PORT CLEARANCE CERTIFICATE” we see the author enticing the recipient to open an attachment. The attachment attempts to impersonate a legitimate Port Clearance Certificate (PCC) form, which is required by the Singapore Maritime and Port Authority for vessels departing Singapore. However, opening it could trigger the attached malware to be installed. Knowledge and impersonation of specific port procedures for the flagged vessel’s country of origin adds to the message’s credibility.
Our Experts Say
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support and our vessel impersonation information, and use the Maritime Black Lists to proactively block cyber-attacks from identified malicious actors.
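As an added example (not Red Sky Alliance's own tooling), the following Python check applies the last three points at a mail gateway: it flags a watchlisted vessel name in the subject line, a sender on a blocklist, and a document or archive attachment, then returns the findings for a triage queue. The vessel watchlist, the sender blocklist (placeholder address) and the raw message are constructed for illustration; only the subject line and attachment name are taken from the report above.

```python
"""Added example: triage check for vessel-impersonation phishing (constructed inputs)."""
import email
import email.utils
import re
from email import policy

# Constructed watchlist of vessel names seen in impersonation lures.
VESSEL_WATCHLIST = {"MT MAERSK TORSHAVN"}
# Constructed sender blocklist; the address is a placeholder, not a real indicator.
SENDER_BLOCKLIST = {"ops@blocklisted-sender.invalid"}
# Attachment types commonly used to carry lure documents.
RISKY_ATTACHMENT_EXT = re.compile(r"\.(xlsx|xlsm|xls|docm|doc|iso|img|zip|rar)$", re.I)

# Constructed raw message reproducing the reported subject line and attachment name.
SAMPLE_EML = b"""From: Port Agent <ops@blocklisted-sender.invalid>
To: operations@shipping-company.invalid
Subject: MT MAERSK TORSHAVN // ONLINE PORT CLEARANCE CERTIFICATE
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached certificate before departure.
--b1
Content-Type: application/octet-stream; name="PORT_CLEARANCE_CERTIFICATE_MT_MAERSK.xlsx"
Content-Disposition: attachment; filename="PORT_CLEARANCE_CERTIFICATE_MT_MAERSK.xlsx"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def score_message(raw: bytes) -> dict:
    """Return the triage findings and a simple score (one point per finding)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").upper()
    sender_addr = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    findings = []
    for vessel in VESSEL_WATCHLIST:            # 1. watchlisted vessel name in subject
        if vessel in subject:
            findings.append(f"watchlisted vessel in subject: {vessel}")
    if sender_addr in SENDER_BLOCKLIST:         # 2. sender on the blocklist
        findings.append(f"blocklisted sender: {sender_addr}")
    for part in msg.iter_attachments():         # 3. document/archive attachment
        name = part.get_filename() or ""
        if RISKY_ATTACHMENT_EXT.search(name):
            findings.append(f"risky attachment: {name}")
    return {"score": len(findings), "findings": findings}

def needs_verification(raw: bytes, threshold: int = 2) -> bool:
    """True when the message should be held for out-of-band verification."""
    return score_message(raw)["score"] >= threshold
```

A message that reaches the threshold is held rather than delivered, so the recipient confirms the request with the agent or charterer by phone before any attachment is opened.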