The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending email | Targets |
|---|---|---|---|---|
| October 27th 2019 | Delivered: Re: M/T Eleanna | TrojanDownloader:O97M/Emotet.OU!MTB | "[email protected]" | relay2.station12.com |
| October 27th 2019 | Request PDA - MV Tasmanic Winter - V 075 / Discharging | Trojan:Script/Oneeva.A!ml - Microsoft | "COSCO SHIPPING BULK CO" <[email protected]> | a5eeea0a73a.com |
In the above collections for MT Eleanna and MV Tasmanic Winter we see malicious actors using these vessel names to spoof companies in the maritime supply chain.
MT Eleanna is an oil and chemical tanker operating under the Panama flag. Analysis reveals that a malicious email was sent to multiple domains registered to telecommunications and web hosting companies. The malware the attackers attempted to deliver to these companies is a TrojanDownloader, a popular banking trojan. The subject line of the malicious email is: “Delivered: Re: M/T Eleanna”.
An unsuspecting employee at one of these web hosting companies would see an email with this subject line, and the word “Delivered” might tempt them to open it to see the details of an apparent delivery. One of the domains observed to be targeted is amosconnect.com, the website for the AmosConnect software by Stratos Global. AmosConnect is an e-mail service that communicates over satellite connections and is therefore widely used on board vessels in the maritime industry. If this malware were delivered successfully, the company, or potentially the AmosConnect email service itself, could become an infected member of the maritime supply chain and in turn spread additional malware to vessels, port facilities and/or shore companies in the marine and oil and gas supply chain.
In the second example, we see a subject line of: “Request PDA – MV Tasmanic Winter – V075/ Discharging”. The intended targets of this malicious email were two domains that appear to be obfuscated. The MV Tasmanic Winter is an American flagged general cargo ship currently sailing in the English Channel just north of France. At first glance, any recipient of this email would see an American cargo ship requesting shipping documents. To an employee of a shipping company expecting the arrival of the MV Tasmanic Winter, this would appear to be a legitimate email and would likely entice them to open it and thus download malware such as the listed Trojan:Script/Oneeva.A!ml detected by Microsoft’s antivirus.
Our Experts Say
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress the real-world consequences of careless cyber practices or general inattentiveness, and the need for constant attention to them.
- Provide practical guidance on how to recognize a potential phishing attempt.
- Verify unexpected emails, particularly supply chain correspondence, through a separate, direct channel rather than by replying to the message.
- Use Red Sky Alliance RedXray proactive support and our vessel impersonation information, and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
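The two lures in the table share detectable traits: a subject line naming a real vessel with a ship prefix, and a display name that claims a shipping company the sending domain does not belong to. The following is an added example, not code from the report or from Red Sky Alliance, of a mail-filter check that scores a message on those traits plus a sender block list; the block-list entries, the expected-domain mapping and the sample sender addresses are constructed placeholders, since the report redacts the real sending addresses.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Vessel names the report shows being used as lures (compared in lower case).
WATCHED_VESSELS = ["eleanna", "tasmanic winter"]

# Sender domains to block outright. Constructed placeholders: in practice this is
# fed from a maintained block list such as the Maritime Black Lists the report cites.
BLOCKED_SENDER_DOMAINS = {"bulk-shipping-invoice.example", "mailer.lookalike.example"}

# Domains an organisation named in a display name is expected to send from.
# Hypothetical allow-list for the example; the report does not publish one.
EXPECTED_DOMAINS = {"cosco shipping bulk co": {"cosco-expected.example"}}

@dataclass
class Verdict:
    flagged: bool
    reasons: list = field(default_factory=list)

def score_message(subject: str, from_header: str) -> Verdict:
    """Return the vessel-impersonation indicators a single message trips."""
    reasons = []
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subj = subject.lower()
    # 1. Subject names a watched vessel with a ship prefix (M/T, MT, M/V, MV).
    for vessel in WATCHED_VESSELS:
        if re.search(r"\bm/?[tv]\s+" + re.escape(vessel) + r"\b", subj):
            reasons.append(f"subject references watched vessel '{vessel}'")
    # 2. Sending domain is on the block list.
    if domain in BLOCKED_SENDER_DOMAINS:
        reasons.append(f"sender domain '{domain}' is block-listed")
    # 3. Display name claims an organisation that does not send from this domain.
    expected = EXPECTED_DOMAINS.get(display_name.strip().lower())
    if expected and domain not in expected:
        reasons.append(f"display name '{display_name}' does not match sender domain '{domain}'")
    return Verdict(flagged=bool(reasons), reasons=reasons)

# Constructed sample headers modelled on the two subject lines in the report's table;
# the sender addresses are invented, since the report redacts the real ones.
SAMPLES = [
    ("Delivered: Re: M/T Eleanna", "ops@mailer.lookalike.example"),
    ("Request PDA - MV Tasmanic Winter - V 075 / Discharging",
     '"COSCO SHIPPING BULK CO" <pda@bulk-shipping-invoice.example>'),
    ("Crew change schedule", '"Port Agent" <agent@agency.example>'),
]

if __name__ == "__main__":
    for subject, sender in SAMPLES:
        v = score_message(subject, sender)
        print(("FLAG" if v.flagged else "ok  "), subject, v.reasons)
```

A flagged message is a candidate for the direct-channel verification recommended above, not an automatic proof of impersonation; a legitimate agent may well mention a vessel by name.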