The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
|First Seen||Subject Line Used||Malware Detections||Sending email||Targets|
|Nov 16, 2019||MV DA TONG YUN VOY 40 WILL CALL/Request of PDA||Exploit:O97M/CVE-2017-8570.APK!MTB - Microsoft||Ops Vandamarine||[email protected]
|Nov 18, 2019||MT PROVIDENCE - Dry Docking & Repairs - Request for Quotation from TEREM- SHIPYARD||Trojan:Win32/Wacatac.B!ml - Microsoft||[email protected]
|Nov 18, 2019||Re: MV UBC TARRAGONA - CREW CHANGE REF NO: C19-2251-012||Trojan:Win32/Dynamer!rfn - Microsoft||lsabella Papavasiliou||[email protected]
|Nov 19, 2019||REQUEST QUOTATION - MT ORIENTAL GLORY||HEUR:Exploit.RTF.CVE-2017-11882.gen - Kaspersky||Nova Marine Carriers SA ||Targets not reported|
|Nov 19, 2019||MV TBN // PDA REQUEST||Troj/DownLnk-AK - Sophos AV||Chun An International Logistics Co Ltd ||Targets not reported|
In the above collections for MV Da Tong, MT Providence, MV UBC Tarragona and others, we see malicious actors using these vessel names to try and spoof companies in the maritime supply chain.
MV Da Tong is a general cargo ship operating under the flag of Panama. Analysis reveals that a malicious email was sent to the domain Gicom.nl which registers to the GICOM Composting Systems & Metaalbewerking company. This is a Metal Processing company located in the Netherlands. The malware that was attempted to be sent is Exploit:O97M/CVE-2017-8570.APK!MTB1. The subject line of the malicious email is: “MV DA TONG YUN VOY 40 WILL CALL/Request of PDA”.
An unsuspecting employee at the GICOM metal processing company would see an email with this Subject Line, possibly tempting them to open the email to see the details of an apparent PDA request. If this malware is delivered, with any of these exploits, any recipient could become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine / oil and gas supply chain with additional malware.
In the next example, we see a subject line of: “MT PROVIDENCE – Dry Docking & Repairs – Request for Quotation from TEREM- SHIPYARD” The intended target of this malicious email is a domain which also appears to be obfuscated. The MT Providence is a real oil and chemical tanker ship sailing under the flag of Greece, currently sailing, in the Sea of Marmara north of Turkey. At first glance by any recipient of this email, a gas carrier vessel is appearing to request shipping documents. To any employee of a shipping or logistics company that may be expecting the arrival of the MT Providence, this would appear to be a legitimate email and would likely entice them to click on the email and thus download malware like the listed Trojan:Win32/Wacatac.B!ml malware detected by Microsoft.
Our Experts Say
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.