Maritime Cyber Security & Threats January 2020 Week Two


Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Using “MV” or “MT” in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

Together with our cyber security partner, we provide a weekly list of Motor Vessels observed being impersonated, along with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver the messages.
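The weekly query described above keys on “MV”/“MT” in the subject line and then looks at what the message carries. The following is an added example of that triage logic as a defender might run it over a mail gateway export; it is not Red Sky Alliance’s or Dryad Global’s code. The two subject lines and the “CTM.xlsx” attachment name come from this report; the sender addresses, bodies, the other attachment names, the scoring weights and the flag threshold are constructed assumptions for illustration.

```python
import os
import re
from typing import Dict, List

# "MV" or "MT" as a standalone token in the subject (the lure the report describes).
VESSEL_KEYWORD = re.compile(r"\bM[VT]\b")

# Vessel names this report lists as impersonated; a real deployment would load
# the current Vessel Impersonation list instead of hard-coding it.
WATCHLIST = ("OCEAN INTEGRITY", "MSC RANIA", "BRENDA", "CHLOE", "ROSCO LEMON")
WATCHLIST_RE = re.compile(r"\b(" + "|".join(re.escape(n) for n in WATCHLIST) + r")\b")

# Wording seen in the report's lures (shipping paperwork, Cash to Master requests).
LURE_PHRASES = ("shipping documents", "draft hbl", "draft coo", "cash to master", "ctm")
LURE_RE = re.compile(r"\b(" + "|".join(re.escape(p) for p in LURE_PHRASES) + r")\b", re.I)

# Attachment types that typically carry the payload families named in the report:
# Office documents for Equation Editor exploits (CVE-2017-11882), executables and
# scripts for AutoIt-compiled trojans. Weights are an assumption, not a standard.
ATTACHMENT_RISK = {
    ".exe": 3, ".scr": 3, ".js": 3, ".vbs": 3, ".jar": 3, ".iso": 3,
    ".docm": 2, ".xlsm": 2, ".doc": 2, ".xls": 2, ".rtf": 2,
    ".xlsx": 1, ".docx": 1, ".pdf": 1,
}

FLAG_THRESHOLD = 3  # assumption: tune against your own false-positive rate

# Constructed sample export. Subjects 1 and 2 are the ones analysed in the report;
# senders, bodies and the .exe/.pdf names are placeholders.
SAMPLE_MESSAGES: List[Dict] = [
    {"from": "ops@shipping-agent.invalid",
     "subject": "MV ROSCO LEMON DRAFT SHIPPING DOCUMENTS",
     "body": "Please check the attached document for CI, PL, Draft HBL, "
             "Draft COO Draft Insurance for this shipment.",
     "attachments": ["draft_documents.exe"]},
    {"from": "accounts@ship-management.invalid",
     "subject": "MV CHLOE- DEC19 CTM ARRANGEMENT AT GUANGZHOU CHINA",
     "body": "Kindly arrange Cash to Master of USD 51,740.00 as per attached CTM.xlsx. "
             "This message is confidential; do not distribute.",
     "attachments": ["CTM.xlsx"]},
    {"from": "fleet@owner.invalid",
     "subject": "Weekly fleet performance report",
     "body": "Attached is this week's report.",
     "attachments": ["report.pdf"]},
    {"from": "agent@port-agent.invalid",
     "subject": "MV ATLANTIC STAR arrival notice",  # constructed name, not on the watchlist
     "body": "ETA confirmed for Tuesday 0600.",
     "attachments": []},
]


def score_message(msg: Dict) -> Dict:
    """Score one message on subject lure, watchlist hit, lure wording and attachments."""
    subject = msg.get("subject", "")
    upper_subject = subject.upper()
    reasons: List[str] = []
    score = 0

    if VESSEL_KEYWORD.search(upper_subject):
        score += 2
        reasons.append("MV/MT keyword in subject")

    hit = WATCHLIST_RE.search(upper_subject)
    if hit:
        score += 2
        reasons.append(f"impersonated vessel on watchlist: {hit.group(1)}")

    lure = LURE_RE.search(subject + " " + msg.get("body", ""))
    if lure:
        score += 1  # counted once, however many phrases appear
        reasons.append(f"lure wording: {lure.group(1)}")

    for name in msg.get("attachments", []):
        weight = ATTACHMENT_RISK.get(os.path.splitext(name)[1].lower(), 0)
        if weight:
            score += weight
            reasons.append(f"attachment {name} (weight {weight})")

    return {"subject": subject, "score": score, "reasons": reasons,
            "flag": score >= FLAG_THRESHOLD}


def triage(messages: List[Dict]) -> List[Dict]:
    """Return flagged messages, highest score first, for analyst review."""
    results = [score_message(m) for m in messages]
    return sorted((r for r in results if r["flag"]), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES):
        print(f"[{r['score']}] {r['subject']}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

The watchlist covers names such as “MSC RANIA” that the bare MV/MT keyword query would miss, and the attachment weights make an executable outscore a spreadsheet even when the subject is identical. Flagged messages should go to an analyst, not be auto-deleted: the same paperwork wording appears in legitimate agent correspondence, which is exactly why the report recommends out-of-band verification.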

Having seen a significant decrease in vessel impersonation traffic at the turn of the new year, Red Sky Alliance observed an increase this week. The reason for this fluctuation in vessel impersonation traffic is unknown.

In the above collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. The names observed include: “MV OCEAN INTEGRITY”, “MSC RANIA”, “MV BRENDA”, “MV CHLOE”, and a repeat appearance of “MV ROSCO LEMON”, which was mentioned in one of Red Sky Alliance’s December reports: TR-19-346-002.

This week, an email was again observed attempting to impersonate “MV ROSCO LEMON”. This vessel is currently at anchorage in the East China Sea near Shanghai, China.

Analysis reveals that a malicious email was sent to an unreported target domain. The message contains the subject line “MV ROSCO LEMON DRAFT SHIPPING DOCUMENTS” and an attachment identified by Microsoft as the Trojan:Win32/Wacatac.B!ml malware. According to Fortinet, this malware abuses an IT automation product, AutoIt, to give an attacker a wide range of capabilities, such as remote access, key logging, upload and download of files, running or terminating processes, and performing denial-of-service attacks. The message body invites the user to check the attached document for details about “CI, PL, Draft HBL, Draft COO Draft Insurance for this shipment”. However, opening the attachment could activate the malware.

In another example this week, we find the vessel name “MV CHLOE” being impersonated. This vessel name is interesting in that it is shared among three vessels of different nations: Indonesia, Marshall Islands, and Netherlands. All are general cargo ships, with the former two nations’ ships classified as bulk carriers. The message body also attempts to impersonate Raffles Ship Management Services Pte Ltd., a Singaporean group of companies. No connection between any of the vessels named CHLOE and the Raffles organization was found in open sources. It is unknown which, if any, specific vessel the attacker was attempting to impersonate in the subject line.

Analysis of the email message with the subject line “MV CHLOE- DEC19 CTM ARRANGEMENT AT GUANGZHOU CHINA” reveals it was sent to the domain wilmar-intl.com, a Singaporean agribusiness group. The domain is hosted at an address listed as No.31, Jin-rong Street, Shenzhen, China. An attachment named “CTM.xlsx” was identified by Microsoft as “Exploit:O97M/CVE-2017-11882!MTB”, a malware strain reported on last week. The email requests Cash to Master services in the amount of $51,740.00 USD and references the infected attachment. This email also contains a confidentiality notice and cautions the user to limit the information’s distribution. This is not usually found in vessel impersonation phishing messages and adds to the message’s apparent legitimacy. An unsuspecting user who opened this message could trigger the attached malware.

These analyses illustrate how opening any infected email could cause a recipient to become an infected member of the maritime supply chain and thus possibly spread additional malware to victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first-line defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance’s RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to the real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to recognize a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance’s RedXray proactive support and our Vessel Impersonation information, and use the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.

Source: Dryad Global