The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Dec 2, 2019 | MV Thor Magnhild - Request quotation for deck and engine store | W32/Trojan_AitInject.AQ!tr | sales | indra.es |
| Dec 4, 2019 | MT Celsius Macau V4240 201905 - Onsan, Mejillones Agency Appointment | Backdoor:MSIL/Bladabindi.MMS!MTB | "Max Chan" | womarpools.com |
| Dec 4, 2019 | MV OCEAN HERO : CTM DELIVERY | Trojan:Win32/Sonbokli.A!cl | "Hanaro Marine Suppliers, S.A." | ikmc.net |
| Dec 6, 2019 | MV IRIS TRIUMPH- CALLING | Trojan:Win32/Wacatac.B!ml | "CAPTAIN ROGER" | |
| Dec 10, 2019 | MV ROSCO LEMON | Trojan:Win32/Sonbokli.A!cl | BAOSOURCE SHIPPING | Target not reported |
| Dec 10, 2019 | MT TBN - EPDA FOR HUANGPU | Trojan:Win32/Wacatac.B!ml | "Pitt Yun Cui" | sg.wilmar-intl.com |
In the above collections for MV Rosco Lemon, MV Iris Triumph and others, we see malicious actors using these vessel names to try to spoof companies in the maritime supply chain.

MV Rosco Lemon is a bulk cargo carrier under the Hong Kong flag. Analysis reveals that a malicious email with the subject line “MV ROSCO LEMON” and an attachment identified as malware was sent to an unreported domain; the attachment was detected as Trojan:Win32/Sonbokli.A!cl.

An unsuspecting employee receiving this email would see nothing out of the ordinary in the subject line, which may lead them to open the email. The body of the message advises: “According to the attached Final DA of MV ROSCO LEMON, there is balance in our favor of USD 66,185.28”, enticing the recipient to open the attached document. Opening the document would trigger malware delivery. Opening any infected email could make the recipient an infected member of the maritime supply chain and thus possibly spread additional malware to vessels, port facilities and/or shore companies in the marine and chemical industries.

In another example, we see the subject line “MV IRIS TRIUMPH- CALLING”. The MV Iris Triumph is another general cargo vessel under the Hong Kong flag, currently en route to an unknown Japanese port. The email would likely appear legitimate and entice the recipient to open the attached document, thereby downloading malware such as the listed Trojan:Win32/Wacatac.B!ml detected by Microsoft.

In the contents of the email using the subject line “MV IRIS TRIUMPH- CALLING” we see the author of the malicious email enticing the recipient to open an attachment; doing so could trigger installation of the attached malware. The language used attempts to add legitimacy through an authentic-looking form in the email content and a call to action for the recipient to “Please see attached”.
Our Experts Say
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress constant attention to the real-world consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to recognize a potential phishing attempt.
- Use direct communication with the counterparty to verify emails and supply chain email requests.
- Use Red Sky Alliance RedXray proactive support, our vessel impersonation information and the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
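The indicators this report describes (a subject line built around a vessel name, a sender display name that has already been seen in lures, an attachment the body urges the reader to open) and its recommendation to block known senders can be combined into a simple mail-triage check. The following is an added example for illustration, not code from Red Sky Alliance, RedXray or the page itself. The subject pattern and the watchlisted display names come from the table above; the sender addresses, attachment name and bytes, the `agent.example` counterparty allowlist and the list of risky attachment types are constructed assumptions.

```python
"""Mail triage for the vessel-impersonation lure pattern described in the report.

Added example, not Red Sky Alliance or RedXray code. Watchlisted display names
come from the report's table; addresses, attachment names, the counterparty
allowlist and the risky-extension list are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Lure subjects in the table are built around a vessel name with an MV/MT prefix
VESSEL_SUBJECT = re.compile(r"\b(?:MV|MT|M/V|M/T)\s+[A-Z][A-Z0-9 -]{2,}", re.IGNORECASE)

# Sender display names reported in the table, normalised to lower case
WATCHLIST_DISPLAY_NAMES = {
    "max chan", "hanaro marine suppliers, s.a.", "captain roger",
    "baosource shipping", "pitt yun cui",
}

# Domains the (hypothetical) receiving company genuinely corresponds with
KNOWN_COUNTERPARTY_DOMAINS = {"agent.example"}

# Attachment types that typically carry the payload (assumed list, not from the report)
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".img",
                    ".doc", ".docm", ".xls", ".xlsm", ".zip", ".rar", ".ace")

# Phrases the report quotes from the lure bodies
CALL_TO_ACTION = re.compile(r"please see attached|balance in our favou?r", re.IGNORECASE)


def attachment_names(msg):
    """Filenames of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def text_body(msg):
    """Concatenated text/plain parts that are not themselves attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Score one RFC 822 message against the report's indicators.

    A vessel name in the subject is normal traffic for a ship agent, so only a
    combination of indicators (unknown sender, watchlisted name, payload-type
    attachment, pressure to open it) moves a message from 'deliver' to 'hold'.
    """
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    if VESSEL_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("subject built around a vessel name")
    if display_name.strip().lower() in WATCHLIST_DISPLAY_NAMES:
        reasons.append("sender display name on watchlist: %r" % display_name)
    if domain and domain not in KNOWN_COUNTERPARTY_DOMAINS:
        reasons.append("sender domain is not a known counterparty: " + domain)
    risky = [n for n in attachment_names(msg) if n.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        reasons.append("payload-type attachment: " + ", ".join(risky))
    if CALL_TO_ACTION.search(text_body(msg)):
        reasons.append("body pressures recipient to open the attachment")

    verdict = "hold_for_verification" if len(reasons) >= 3 else "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample modelled on the MV ROSCO LEMON lure quoted in the report;
# the address, attachment name and attachment bytes are placeholders, not real IoCs.
SAMPLE_LURE = """\
From: BAOSOURCE SHIPPING <accounts@free-mail.example>
To: ops@agent.example
Subject: MV ROSCO LEMON
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

According to the attached Final DA of MV ROSCO LEMON, there is balance in our favor of USD 66,185.28.
Please see attached.
--b1
Content-Type: application/octet-stream; name="Final_DA_MV_ROSCO_LEMON.xlsm"
Content-Disposition: attachment; filename="Final_DA_MV_ROSCO_LEMON.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign message: same vessel in the subject, but from a known counterparty
SAMPLE_LEGIT = """\
From: Port Agent <disbursements@agent.example>
To: ops@agent.example
Subject: MV ROSCO LEMON - proforma DA
Content-Type: text/plain; charset="utf-8"

Proforma disbursement account attached as discussed on the call; figures unchanged.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_LEGIT):
        result = triage(sample)
        print(result["verdict"], "-", "; ".join(result["reasons"]))
```

Run stand-alone, the lure is held with five reasons while the benign message, which also carries a vessel name in its subject, is delivered on the strength of its known sender domain. The threshold of three indicators is a deliberate design choice: a single vessel-name subject would flag most legitimate agency traffic, and the report's own point is that the lure only becomes dangerous when the unknown sender, the attachment and the call to action are taken together. In practice the watchlist and the counterparty allowlist would be fed from a maintained blocklist and the organisation's own address book rather than hard-coded.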