The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
|First Seen||Subject Line Used||Malware Detections||Sending Email||Targets|
|Jan 27, 2020||Jan 27, 2020 Re: MV YAN DUN JIAO 1 (V.1904) - CALLING PORT//DRAFT SOF Trojan:Win32/Wacatac.C!ml "Wilhelmsen Ship" <firstname.lastname@example.org> Target nor disclosed||Trojan:Win32/Wacatac.C!ml||"Wilhelmsen Ship" email@example.com||Target nor disclosed|
|Jan 27, 2020||MV GENIUS STAR X // S20027 // HONGKONG (BUNKERING) // AGENT APPOINTMENT||Trojan:Win32/Wacatac.C!ml||"firstname.lastname@example.org" email@example.com||sol-shipping.com.cn|
|Jan 28, 2020||REQUEST FOR EPDA FOR SEA LONGITUDE CALLING LUBUK GAUNG FOR LOADING ABOUT 15,\n 000MT RBD PALM OLEIN||Trojan:Win32/Wacatac.C!ml||"Sandro Ginting DM" firstname.lastname@example.org||tck-shipping.co.id|
|Jan 23, 2020||M/V Bello - Pda Discharge Agency Appointment||Trojan:Win32/Wacatac.C!ml||Moorthy MNetwork email@example.com||Target not disclosed|
|Jan 27, 2020||RE: Re: MV HUA SHAN CALLING / FDA||Trojan:Win32/Wacatac.C!ml||Moorthy MNetwork firstname.lastname@example.org||Target not disclosed|
|Jan 23, 2020||MV TASMAN SEA - AGENCY INSTRUCTION||Trojan:Win32/Wacatac.C!ml||"Omegra Singapore Operation" email@example.com||Target not disclosed|
|Jan 22, 2020||/Inquiry PDA at Incheon(S.S. Pacific Enlighten)||Trojan:Win32/Wacatac.C!ml||"|
(Yurie Yamaya)" firstname.lastname@example.org
|Jan 23, 2020||Re: RE: RE: RE: RE: MV Fanreach - Pump Spares||Trojan:Win32/Wacatac.C!ml||Jan 23, 2020 Re: RE: RE: RE: RE: MV Fanreach - Pump Spares Trojan:Win32/Wacatac.C!ml =|
|Jan 27, 2020||MV MOUNT ADAMS / D.PORT AGENT NOMINATION||Trojan:Win32/Wacatac.Cemail@example.com" firstname.lastname@example.org||hkbn.net|
In the above collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. All malicious emails attempt to deliver a single malware, Trojan:Win32/Wacatac.C!ml. Vessel names seen this week include “S.S. PACIFIC ENLIGHTEN”, and “SEA LONGITUDE” among others.
Only 2 of the emails observed this week contained unredacted message bodies.
An email was observed attempting to impersonate “S.S. PACIFIC ENLIGHTEN”. This vessel is a liquefied natural gas (LNG) tanker vessel sailing under the Bahaman flag and currently en route to to the Australian port of Dampier.
The message contains the subject line “/Inquiry PDA at Incheon(S.S. Pacific Enlighten)” and a RAR compressed attachment identified by Microsoft as the Trojan:Win32/Wacatac.C!ml malware. The message body requests a PDA for this vessel and invites the user to check the attached document for vessel details to be used in preparing the PDA. However, opening the attachment could activate the malware.Analysis reveals that a malicious email was sent from an IP address in the Republic of Korea to a recipient at the lngmt.jp domain. The target domain is owned by the Japanese LNG shipping company LNG Marine Transport Limited and hosted bvy by Japanese ISP NTT Communications Corporation.
In another example this week, we seen an email attempting to impersonate the vessel “SEA LONGITUDE”. This vessel is an oil and chemical tanker sailing under the Tuvalu flag and currently en route to the port of Mangalore, India.
Analysis reveals that a malicious email was sent to a recipient at the tck-shipping.co.id domain. The domain is owned by the Indonesian shipping company PT Tarunacipta Kencana (TCK). The tck-shipping.co.id domain appears to be no longer in use as evidenced by the web page located there displaying an “Index of” page. The company’s main page is now located at tck.co.id. The contact page lists email addresses using the newer domain (tck.co.id) but that does not mean that email addresses at the old domain (tck-shipping.co.id) are inactive.
The message uses the subject line “REQUEST FOR EPDA FOR SEA LONGITUDE CALLING LUBUK GAUNG FOR LOADING ABOUT 15,000MT RBD PALM OLEIN” revealing a level of detail in the attacker’s reconnaissance. Examination of the target’s corporate website reveals the company’s origin as shipping Palm Oil. They currently seek to be an industry leader in liquid cargo ocean shipping.
The message body requests loading agent services and references the attached document as a Q88 form, inviting the user to prepare an EPDA using the Q88 data. However, opening the attachment could activate the malware’s malicious payload.
Our Experts Say
Weekly Maritime Watchlist
Top 5 Malicious Maritime Email Senders
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.