The case for pre-emptive defence
Vessel Impersonation Report
Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
| Mar 16, 2020 | TNT Express delivery Consignment Notification | Trojan:Win32/Injector.MU!MTB | [email protected] | [email protected] |
| Mar 16, 2020 | RE: Mv Pacific Harmony - CTM - Sattahip - 16.03.2020 | Trojan:Win32/Wacatac.C!ml | [email protected] | [email protected] |
| Mar 17, 2020 | MV Jackie B / PDA / Discharging about 32,600 Mts of Corn/Maize | Trojan:Win32/Occamy.C | [email protected] | [email protected] |
| Mar 17, 2020 | Fw: Re: Machine Spare Enquiry From China Marine Bunker(Petro\r\n China)Co., Ltd | Trojan:Win32/Wacatac.C!ml | [email protected] | Mr Gong [email protected] |
| Mar 17, 2020 | RE : RE : URGENT SHIPPING DOC BL,SI,INV 462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // | Trojan:Win32/Predator.BD!MTB | [email protected] | [email protected] |
| Mar 17, 2020 | VSL: MV FORTUNE TRADER | Exploit:O97M/CVE-2017-11882!MTB | Oriental Logistics Group Limited [email protected] | Target not disclosed |
| Mar 18, 2020 | Arrival Notice For BL - 713010031110 / Vessel - TAICHUNG / Voyage -\r\n 046C | Trojan:Win32/Sonbokli.A!cl | "Capt. Liu Yun kung" [email protected] | Target not disclosed |
| Mar 18, 2020 | MT PV Oil Jupiter / 3-17-2020 - Freight remittance | Trojan:Win32/FormBook.AQ!MTB | Nova Marine Carriers SA [email protected] | Target not disclosed |
| Mar 18, 2020 | Re: M.V. Genco Claudius call Dongwu/Mei zhouwan guotou pier disch coal - port information enquire | Trojan:Win32/Wacatac.D!ml | "Capt. E. Tei" [email protected] | [email protected] |
| Mar 18, 2020 | Fwd: order confirmation | Trojan:Win32/Occamy.C | [email protected] | [email protected], |
| Mar 18, 2020 | GLOBAL LOGISTICS LCL IMPORT SAILING CONSOL - MARCH 2020 | Trojan:Win32/Wacatac.C!ml | Wesley MAYERS [email protected] | [email protected] |
In the above collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a large percentage of these malicious emails attempting to deliver Windows Wacatac and Occamy Office malware. Some of the new Vessel names used this week include “MT PV Oil Jupiter” which and “MV FORTUNE TRADER” among others.
An email was observed attempting to impersonate “MV Fortune Trader” using a subject line of “VSL: MV FORTUNE TRADER.” The sender claims to be part of Oriental Logistics Group Limited which a shipping entity based out of Taipei, Taiwan.
Analysis reveals that the malicious email was sent from a legitimate domain owned by an Indonesian mechanical & electrical engineering company, PT. Inti Persada Nusantara. Although the targets are undisclosed, analysis of the email headers indicate that the victims are based in Japan. It is unclear if these attackers have taken control of a legitimate email or if the email sender is spoofed in this case.
The message contains an attached .xlsx file (Excel spreadsheet) identified by Microsoft AntiVirus engine as the Exploit:O97M/CVE-2017-11882!MTB malware.[1] The message body asks the victim to open the attached file to view attached “requisitions” for the vessel listed above. However, opening the attachment document titled “MV FORTUNE TRADER.xlsx” could activate the malware.
In another example, we see an email attempting to impersonate the shipping giant “Maersk” using the subject line “RE : RE : URGENTSHIPPING DOC BL,SI,INV462345 // MAERSK KLEVENV.949E // CLGQOE191781 //.” As with the majority of subject lines, this one entices the user to open the email by using the phrase “urgent shipping doc.” The sender also adds “Re:Re:” which is a common tactic to make it appear as if the victim has already discussed this subject with the sender and it’s part of an email chain.
A subtle indication that the sending email is malicious is the extra “o” in the sender email “[email protected]” which would easily be overlooked by someone assuming the sender is legitimate. Attackers commonly use this method to spoof and imitate legitimate mail senders. Many users would not stop to think that a “No Reply” email address probably would not generate an email chain since there would be no response from the “No Reply” sender.
An attachment titled, “Shipping Doc_Maersk Kleven V.949E_pdf.xz” is identified by Microsoft AV engine as Trojan:Win32/Predator.BD!MTB. This malware is a trojan-type infection that infects Windows computers and performs a number of malicious actions. The filename includes “PDF” to indicate that it’s a viewable document, but the .xz file extension indicates this is actually a zip file, containing the detected malware.
[1] https://www.virustotal.com/gui/file/c8f431316b0c77d39436e31b3943821b14308c8a7acb3a331735b1494e36c066/detection
Our Experts Say
Dryad Assessment
These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Pre-empt, don’t just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Weekly Maritime Watchlist
Top 5 Malicious Maritime Email Sending Domains
| Sending Domain | Domain Hosted by | Times seen |
|---|---|---|
| phshipping.com.sg | SuperHosting.BG Ltd. | 4 |
| webmail.ofitec-gamar.com | 1&1 Ionos Se | 3 |
| ms1.lina.gov.tw | Data Communication Business Group | 2 |
| adrenalinatours.com | CARINET | 1 |
| magma.avnam.net | NSS S.A. | 1 |
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
