was successfully added to your cart.

Cart

Maritime Cyber Security & Threats February 2020 Week Two

By February 14, 2020Intelligence Insights
The case for pre-emptive defence

Vessel Impersonation Report

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of  backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

First SeenSubject Line UsedMalware DetectionsSending EmailTargets
Feb 7, 2020REQUEST FOR EPDA FOR SEA LONGITUDE CALLING LUBUK GAUNG FOR LOADINGTrojan:Win32/Dynamer!rfn"Sandro Ginting DM" sandro.ginting@tck-shipping.co.idtck-shipping.co.id
Feb 7, 2020RE: M.V FAITH =
= c/p dd 19.02.2020 =
AGENCY APPOINTMENT
Trojan:Script/Casur.A!cl, Trojan:Win32/Tiggre!rfnSMC Marine Management Pte Ltd rifai@smcmarine.com.sgyamato-grp.com
Feb 9, 2020Bunker nomination / DL Poppy / 8-10 Feb 2020 / 2kt BD / ABTD1101-16 Trojan:Win32/Esulat.A!ctv Sang Gyoon Kim gkim1@hanjin.comtandler.de
Feb 10, 2020MV.CH DORIS bunker AT HK APPOINTMENTTrojanDownloader:O97M/Obfuse!MTB
yanxin@sol-shipping.com.cn" 0b8b40@dbf27338eb0cc187.cnTarget not disclosed
Feb 10, 2020REQUEST FOR EPDA FOR SEA LONGITUDE CALLING LUBUK GAUNG FOR LOADING ABOUT 15, 000MT RBD PALM OLEIN VBS/Agent.EC19!tr.dldr"Sandro Ginting DM" sandro.ginting@tck-shipping.co.idtck-shipping.co.id
Feb 10, 2020mv Eems Dollard voy 3 - agency nomination loading portVBS/Agent.EC19!tr.dldrSender not disclosedTarget not disclosed
Feb 10, 2020MV FRO LAS PALMAS PORT AGENCY APPOINTMENTTrojan:Win32/Sonbokli.A!clLouis Dreyfus Company Asia Pte. Ltd 4ced0a26fae435e69@030.com
Target not disclosed
Feb 10, 2020MV Ivy Ocean - agency nominationExploit:O97M/CVE-2017-11882.ARJ!MTB"Admin Smoothiedeck" 21232@1c8a4d4dcb32.com
Target not disclosed
Feb 11, 2020MV MERCURIUS PORT AGENCY APPOINTMENTTrojan-Downloader.MSWord.Agent.buh"WOOSHIN MARINE CO., LTD." ws@woshinmarine.comligabue.it
Feb 10, 2020NOMINATION//MV AQUILA V20004 PHG- CSU/ZJG DISH POSCO CARGOTrojan:Win32/Sonbokli.A!cl"china" 512d7673c@7b97d2c918.cnTarget not disclosed

In the above collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we see malicious emails attempting to deliver a variety of different malware. Vessel names seen include “M.V Faith”, and “MV Aquila” among others.

Analysis reveals that a malicious email was sent from a South Korean IP address to a recipient at the yamato-grp.com domain. The target domain is owned by the Malaysian Courier, Freight, and Logistics company, YAMATO TRANSPORT(S) PTE. LTD. hosted by Vodien Internet Solutions Pte Ltd and protected by Cloudflare. We also saw this organization targeted last week.An email was observed attempting to impersonate “M.V Faith” using a subject line of “RE: M.V FAITH = = c/p dd 19.02.2020 = AGENCY APPOINTMENT”. According to maritimetraffic.com, the vessel is a bulk cargo carrier sailing under the Liberian flag. It is currently in port at Mariveles, Phillipines.

The message contains an attached Excel spreadsheet identified by Microsoft as the Trojan:Win32/Tiggre!rfn malware[1]. The message body contains a request for the recipient to fill out and return the attached PDA form. However, opening the attachment could activate the malware. The malware uses the victim’s computer to perform crypto-currency mining.

In another example this week, we see an email attempting to impersonate the vessel “MV Aquila” using the subject line “NOMINATION//MV AQUILA V20004 PHG- CSU/ZJG DISH POSCO CARGO”.

Aquila” is an extremely popular vessel name belonging to many sailing vessels and pleasure craft. It is also currently in use by several oil/chemical tankers and cargo vessels sailing under many different flags. It is unclear which if any specific vessel is being targeted for impersonation. “POSCO”, mentioned in the subject line could be referencing a South Korean steel producer with a global customer base. Although rooted in steel production, the company also produces coal chemicals and carbon materials[2]. Because their range of products could be shipped using both cargo and oil/chemical tankers, it is difficult to determine a specific vessel from the subject line alone. Unfortunately, analysis of the email reveals that much of it has been redacted, including the Sending and receiving email address and the message body. An attachment titled “MV. Aquila V20004 PHG.rar” is identified by Microsoft as “Trojan:Win32/Sonbokli.A!cl

The site any.run, a malware sandbox service, identifies a recent sample with the same filename identified as Lokibot, a credential stealing malware[3]. Lokibot is known for the large number of applications it is able to target for credentials and information theft. Opening the attachment could trigger the malware.

[1]https://virustotal.com/en/file/93d42c10bada692d4404cfb159d47e29e7256aa79f1626c0e19201eda7f790d2/analysis/

[2] http://posco.com/homepage/docs/eng6/jsp/company/family/s91pf100060c.jsp

[3] https://any.run/report/5d8f1ed98b9b979c48b1a2a575a6b3849b4f10643e58cd92829e5c4d28027c48/56d12aaa-c6b7-4bf5-9517-d6a78d33a676

Our Experts Say

Dryad Assessment

These analyses illustrate how opening any infected email, could cause a recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Global Dryad

Weekly Maritime Watchlist

Top 5 Malicious Maritime Email Senders

SenderMaware Sent
sales@gsgranite.caExploit:O97M/CVE-2017-11882!MTB
rifai@smcmarine.com.sgTrojan:Script/Casur.A!cl, Trojan:Win32/Tiggre!rfn
leo.mojica@dhl.comTrojan:Win32/Predator.BC!MTB
sgkim1@hanjin.comTrojan:Win32/Esulat.A!ctv
security.db@db.comTrojan:Win32/Wacatac.C!ml

The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.

Sign Up to Cyber Threats Notifications

Leave a Reply