Maritime Cyber Security & Threats February 2020 Week Four

February 29, 2020 | Intelligence Insights
The case for pre-emptive defence

Vessel Impersonation Report

Dryad Global’s cyber security partner, Red Sky Alliance, runs weekly queries of its backend databases to identify all newly collected malicious emails whose subject line contains Motor Vessel (MV) or Motor Tanker (MT). These keywords are a common lure used to entice staff in the maritime industry into opening emails that carry malicious attachments.

With our cyber security partner we provide a weekly list of Motor Vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links in order to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the sending addresses attempting to deliver these messages.

Tactical Cyber Intelligence Reporting

Vessel Impersonation Report Feb Wk4

First Seen | Subject Line Used | Malware Detection | Sending Email | Target
---------- | ----------------- | ----------------- | ------------- | ------
Feb 20, 2020 | ARRIVAL NOTICE MV. TAHO EUROP | Trojan:Win32/Vigorf.A | chensongha@comaco.cn | Target not disclosed
Feb 21, 2020 | RE : MV OCEAN PRIDE V083 - PORT AGENT NOMINATION | Trojan:Win32/Wacatac.C!ml | "FAR EAST LINES LIMITED" <3daf32@548e5046e2.com> | Target not disclosed
Feb 21, 2020 | M.V. “Ever Success” docking repair on mid of Mar | Trojan:Win32/Lokibot.ART!eml | "Stavros Labrinakos" <stavlabr@otenet.gr> | taxgate.gr
Feb 21, 2020 | NOMINATION//MV SHINSUNG BRIGHT V20004 KWG-NSA DISH STEEL PRODUCT 5700MT (POSCO) | Trojan:Win32/Wacatac.C!ml | china.op@ever-grand.cn | e1.co.kr
Feb 23, 2020 | Ocean Network Express (Europe) Ltd:BL/OLYAEYSZPBP1110-75370021 | Trojan:Win32/Wacatac.D!ml | “7ZWc7J287ZmY6rK96riw7Iig” <hibiotech@hanmail.net> | naver.com
Feb 24, 2020 | BUNKER ESTIMATE - M/V GOLDEN STAR | Trojan:Win32/Tiggre!ctv | OPERATIONS@LABCOSULICH.COM | Target not disclosed
Feb 24, 2020 | Fwd: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH LIGHT CRUDE OIL. | Trojan:Win32/Sonbokli.A!cl | “Grabiel Alexander Ordinola Gonzales” <grabiel.ordinola@holascharff.com> | holascharff.com
Feb 25, 2020 | OCEAN BREEZE CHARTERING ORDER LIST P.O #345267 | Trojan:Win32/Wacatac.C!ml | "Mamunul Hoque" <7450@8db45efed8e6.net> | Target not disclosed
Feb 25, 2020 | MV LUCKY SOURCE V.2003 - EPDA OF DISCHARGE STL PRODUCTS AT HK PORT | Trojan:Win32/Wacatac.D!ml | "ops@lmshipping.com.cn" <473@dc18f816c36c32.cn> | Target not disclosed
Feb 25, 2020 | RE: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH | Trojan:Win32/Sonbokli.A!cl | "FPSHIPPING(SINGAPORE)PTE.LTD." <shinnie@fpshipping.com.sg> | holascharff.com
Feb 26, 2020 | FW: MV PACIFIC SELINA- Dry-docking Repair Specification | Trojan:Win32/VBObfuse.SO!eml | "CHINA SHIPPING BULK CO., LTD" <1f02726728@a5eeea0a73a.com> | Target not disclosed
Feb 26, 2020 | Re: Nord Treasure - Calling Port Elizabeth // Items for Quotation// | Trojan:Win32/Sonbokli.A!cl | Master.NordTreasures@telaurus.net | telaurus.net

In the above collection, malicious actors use vessel names to spoof companies in the maritime supply chain. This week a large share of these emails attempted to deliver Wacatac, with both the C and D variants appearing. Vessel names seen include “MV. TAHO EUROP” and “M/T TORM HARDRADA”, among others.
An email was observed impersonating “MV Golden Star” with the subject line “BUNKER ESTIMATE – M/V GOLDEN STAR”. According to maritimetraffic.com, this vessel name is very common and is used by multiple different carriers.
Analysis shows that the malicious email was sent from a look-alike domain. The sender domain, “Labcosulich[.]com”, imitates “labcosulichconsultants[.]com”, the legitimate domain of the Italian marine/energy services company Lab Cosulich Consultants; sharing the company name does not make the two domains the same sender.
The message carries an attached Excel spreadsheet, “MV-GOLDEN STAR.xlsx”, which Microsoft identifies as Trojan:Win32/Tiggre!ctv. The message body consists of a bunkering order for the vessel and the costs associated with that order; opening the attachment could activate the malware. Trojan:Win32/Tiggre!ctv is Windows malware that commonly hijacks the victim’s computing resources for cryptocurrency mining.

In another example, an email impersonates the vessel “M/T TORM HARDRADA” using the subject line “RE: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH”.
The vessel name belongs to a Singaporean crude oil tanker bound for Veracruz, Mexico. Analysis of the email shows it was sent to Scharff, a Peruvian freight company. The message was delivered from a Google mail server, yet the sender identifies themselves as part of FP Shipping, a Singaporean freight company; the sending infrastructure does not match the organisation the sender claims to represent.
An attachment titled “MT TORM HARDRADA.xlsx” is identified by Microsoft’s antivirus engine as Trojan:Win32/Sonbokli.A!cl. This malware uses PowerShell to connect to command-and-control servers and download additional malware onto the victim’s device.

Lastly, a malicious email was sent in the name of “Ever Grand Logistics Limited”, specifically from a “Hunter Yang”. The From and To addresses are the same; however, the Reply-To header points to a Gmail account, “johnybmt@gmail[.]com”, so any answer goes to the attacker rather than back to the apparent sender. This Gmail address has been used against multiple other maritime targets as far back as July 2019. The subject line “NOMINATION//MV SHINSUNG BRIGHT V20004 KWG-NSA DISH STEEL PRODUCT 5700MT (POSCO)” suggests the message contains information about the vessel. In fact the email carries Trojan:Win32/Wacatac.C!ml malware disguised as “MV SHINSUNG BRIGHT V20004.rar”. The message reads as very polite, but the sentence structure makes clear that the sender is not a native English speaker.
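As an added example (not Red Sky Alliance’s or Dryad Global’s own tooling), the Python script below turns the weekly “MV/MT in the subject line” query described at the top of this report, together with the three header tells from the analyses above (a look-alike sender domain, a display name that carries one address while the envelope uses another, and a Reply-To pointing away from the From domain), into a triage routine that can be run over a mailbox export. The partner-domain allowlist, the recipient addresses, the message bodies and the one-byte attachment stubs are assumptions or constructed filler; the subjects, senders and attachment names are taken from the table above.

```python
"""Heuristic triage of vessel-impersonation lures. Added example, not Red Sky
Alliance's or Dryad Global's tooling; sample messages are constructed from the
report's indicators, with invented recipients, bodies and attachment bytes."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# The report's lure filter: MV / M.V. / M/V / MT / M/T ahead of a vessel name.
VESSEL_RE = re.compile(r'\bM(?:\.|/)?[VT]\.?(?=\s|$|["\u201c])', re.IGNORECASE)
RISKY_EXT = ('.xls', '.xlsx', '.xlsm', '.doc', '.docx', '.docm', '.rar', '.zip', '.iso', '.exe')
# Assumed operator-maintained allowlist of the partner domains named in the report.
KNOWN_DOMAINS = {'labcosulichconsultants.com', 'fpshipping.com.sg', 'holascharff.com'}

def _domain(addr):
    return addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''

def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Known domain that `domain` imitates, or None. Only the leftmost label is
    compared (it is what a reader sees): a prefix of a known label, as in
    labcosulich vs labcosulichconsultants, or a label within two edits of one."""
    if not domain or domain in known:
        return None
    label = domain.split('.')[0]
    for good in sorted(known):
        glabel = good.split('.')[0]
        if len(label) >= 6 and (glabel.startswith(label) or label.startswith(glabel)
                                or _levenshtein(label, glabel) <= 2):
            return good
    return None

def triage(raw):
    """Parse one RFC 5322 message and return the indicators it trips, in order."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get('Subject', ''))  # RFC 2047 encoded words are decoded here
    name, sender = parseaddr(str(msg.get('From', '')))
    _, reply_to = parseaddr(str(msg.get('Reply-To', '')))
    hits = []
    if VESSEL_RE.search(subject):
        hits.append('vessel-lure-subject')
    if reply_to and _domain(reply_to) != _domain(sender):
        hits.append('reply-to-domain-mismatch')  # the Ever Grand / Gmail pattern
    if '@' in name and _domain(name) != _domain(sender):
        hits.append('display-name-address-mismatch')  # "ops@lmshipping.com.cn" <473@...cn>
    good = lookalike_of(_domain(sender))
    if good:
        hits.append('lookalike-domain:' + good)
    for part in msg.iter_attachments():
        fname = (part.get_filename() or '').lower()
        if fname.endswith(RISKY_EXT):
            hits.append('risky-attachment:' + fname)
    return hits

def make_sample(headers, body, attachment=None):
    """Build a constructed test message; the attachment is a one-byte stub."""
    m = EmailMessage()
    for k, v in headers.items():
        m[k] = v
    m.set_content(body)
    if attachment:
        m.add_attachment(b'\x00', maintype='application', subtype='octet-stream',
                         filename=attachment)
    return m.as_string()

GOLDEN_STAR = make_sample(
    {'From': 'OPERATIONS@LABCOSULICH.COM', 'To': 'ops@agent.example',
     'Subject': 'BUNKER ESTIMATE - M/V GOLDEN STAR'},
    'Bunker estimate attached.', 'MV-GOLDEN STAR.xlsx')
SHINSUNG_BRIGHT = make_sample(
    {'From': 'Hunter Yang <china.op@ever-grand.cn>', 'To': 'china.op@ever-grand.cn',
     'Reply-To': 'johnybmt@gmail.com',
     'Subject': 'NOMINATION//MV SHINSUNG BRIGHT V20004 KWG-NSA DISH STEEL PRODUCT 5700MT (POSCO)'},
    'Kindly find the nomination attached.', 'MV SHINSUNG BRIGHT V20004.rar')
LUCKY_SOURCE = ('From: "ops@lmshipping.com.cn" <473@dc18f816c36c32.cn>\n'
                'Subject: MV LUCKY SOURCE V.2003 - EPDA OF DISCHARGE STL PRODUCTS AT HK PORT\n'
                '\nEPDA to follow.\n')
NORD_TREASURE = make_sample(  # vessel-name lure without an MV/MT keyword
    {'From': 'Master.NordTreasures@telaurus.net', 'To': 'agency@agent.example',
     'Subject': 'Re: Nord Treasure - Calling Port Elizabeth // Items for Quotation//'},
    'Please quote for the items listed.')

if __name__ == '__main__':
    for tag, raw in [('golden-star', GOLDEN_STAR), ('shinsung', SHINSUNG_BRIGHT),
                     ('lucky-source', LUCKY_SOURCE), ('nord-treasure', NORD_TREASURE)]:
        print(tag, triage(raw))
```

Running the block prints one indicator list per constructed message. Two caveats are worth keeping in mind: the Nord Treasure lure carries no MV/MT keyword and returns no hits, which is why the keyword query is a lure filter rather than a complete detector; and the FP Shipping message analysed above, where a legitimate-looking sender domain was delivered from a Google mail server, cannot be caught from these headers alone and needs the Received chain or SPF/DKIM/DMARC results, which the script does not evaluate.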

Our Experts Say

Dryad Assessment

Typically, the use of language is a good indicator of a spoofed message. Errors in grammar and punctuation can indicate that a non-native English speaker originated a message, which is especially telling when the attacker is impersonating a sender who would be expected to speak and write the language fluently. Overall, the language in the Ever Grand message is good, but on close inspection there are punctuation errors, capitalisation errors and slight phrasing issues throughout.

These analyses illustrate how opening any infected email could turn a recipient into an infected member of the maritime supply chain, and from there spread additional malware to vessels, port facilities and/or shore companies in the marine, agricultural and other industries.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first line of defence by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques to evade current detection daily. Using pre-emptive information from Red Sky Alliance’s RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive way to stop cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime figures in the hope that staff lower down the supply chain will drop their guard and obediently follow the spoofed instructions. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


Weekly Maritime Watchlist

Top 5 Malicious Maritime Email Senders


Sender | Malware Sent
------ | ------------
galya@yacht-engineering.com | Trojan-Dropper.Java.Agent.av, HEUR:Backdoor.Java.QRat.gen, HEUR:Exploit.MSOffice.Generic
ctflorea@electroputere.ro | Trojan-Dropper.Java.Agent.av, HEUR:Backdoor.Java.QRat.gen, Trojan:Win32/Wacatac.C!ml
operations@labcosulich.com | Trojan:Win32/Wacatac.C!ml, Trojan:Win32/Lokibot.ART!MTB, Trojan:Win32/Tiggre!ctv
chensongha@comaco.cn | Trojan:Win32/Vigorf.A
shinnie@fpshipping.com.sg | Trojan:Win32/Occamy.C

The more convincing an email appears, the greater the chance employees will fall for the scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organisational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance’s RedXray proactive support and our Vessel Impersonation information, and use the Maritime Black Lists to proactively block cyber-attacks from identified malicious actors.
