The case for pre-emptive defence
Vessel Impersonation Report
Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Using “Motor Vessel (MV)” or “Motor Tanker (MT)” in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
Together with our cyber security partner, we provide a weekly list of Motor Vessels observed being impersonated, with the associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Apr 27, 2020 | WG: RE : URGENT!!! SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E | HEUR:Exploit.MSOffice.Generic | "Babel Markus (Gechter GmbH)" [email protected] | Dresel Sven [email protected] |
| Apr 28, 2020 | RE: VESSEL NOMINATION : MV SAND TOPIC OR SUB FOR 55,000 MT (+/-10%) OF AUSTRALIAN WHEAT TO KOH SICHANG, THAILAND , SHIP PERIOD : 15 MAY-15 JUNE 2020 | Trojan:Win32/Tiggre!rfn | [email protected] | Target Not Disclosed |
| Apr 28, 2020 | Re:Re:re Shipping Maersk AWB | Trojan:Win32/Wacatac.C!ml | [email protected] | [email protected] |
| Apr 28, 2020 | M/V Amir Joy PDA-REQUESTb | Trojan:HTML/Phish | Nguyen Linh [email protected] | [email protected] |
| Apr 28, 2020 | PROFORMA REQUEST / MV SEA CHAMPION / Voy: 14508 / | Trojan:Script/Oneeva.A!ml | "Dadaylilar Shipping Group" [email protected] | [email protected] |
| Apr 28, 2020 | RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // | HEUR:Exploit.MSOffice.Generic | "A.P. Moller - Maersk" [email protected] | Target Not Disclosed |
| Apr 29, 2020 | MV EVER IMPERIAL V-29 / Agency Appointment at Newcastle | Trojan:Win32/Wacatac.C!ml | Sasaki Shu [email protected] | [email protected] |
| May 1, 2020 | Shipment // CH2 Invoice - PI- #5342430 -SEA Cargo | Trojan:Win32/Wacatac.C!ml | DHL Express | Target Not Disclosed |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a large percentage of these malicious emails attempting to deliver Windows trojan malware. Some of the new vessel names used this week include “MV EVER IMPERIAL” and “MV SEA CHAMPION” among others. Notably, we observed “Maersk Kleven” again in our malicious emails index.
Analysts observed another malicious email containing the subject line used last week, “WG: RE : URGENT!!! SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E.” However, this week the email sender and recipients are different. Last week, the emails were being sent from “A.P. Moller – Maersk.(Shanghai, Head Office),” whereas “Babel Markus (Gechter GmbH)” is the sender in this case. Gechter is identified as a German “(Machine) press specialist.”
The email was sent from one employee (Markus) to another employee at the company (Sven). Malicious emails sent within the company tend to be more successful as they are less likely to get caught in mail filters. Many variants of malware use contact lists to propagate across company networks.
It appears that the email originating from last week’s Shanghai Maersk sender targeted Markus Babel, a Sales Manager at Gechter GmbH. The email data was then forwarded from Markus’ email address, in .dat format, to Sven Dresel. It is unclear whether this was done intentionally as a security notification or whether it is part of the malware infection process. No message body was observed in the forwarded version of the email, which is suspicious.
In a separate malicious email, with subject line “M/V Amir Joy PDA REQUESTb”, analysts observed attackers impersonating the “procurement” division of a company. As with many malicious emails, the salutation is generic: “Dear sirs,”.
The email attachments, when opened, immediately trigger an alert from a Windows AV engine. The malware is identified as a phishing attempt, “Trojan:HTML/Phish.” When each file is opened (“vsl partl Amir1.doc” and “Vssl Picture.xlsm”), it activates a Microsoft sign-in prompt. Notably, the Excel file carries the .xlsm extension, the macro-enabled workbook format, indicating that macros are present in the file.
The email in this case targets a recipient at naver[.]com. Naver is a South Korean online news/search portal. Once the employee enters their credentials into the MS prompt, they would be captured and sent back to the attacker. The attacker can then commit supply chain attacks and target other employees at the company.
The message body of the email mentions the Motor Vessel Amir Joy and the discharge of 18,000 MT of potatoes. As with many malicious emails, there are grammatical and spelling issues. Also noticeable is the lack of a professional signature from “Ms. Alma Jones.” Many professionals sign their vessel documentation emails with their contact information and/or a company logo. It is unclear which “office” Alma Jones is coordinating, as the sending domain does not appear to be registered to any legitimate company, let alone one in the maritime industry.
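The indicators the report calls out (MV/MT keywords in the subject, the weekly watchlist subject lines, a display name borrowing a brand that the sending domain does not support, and macro-enabled Office attachments such as the .xlsm file above) can be folded into a mail-gateway triage rule. The script below is an added example, not code from Dryad Global or Red Sky Alliance; the sample messages, the example.invalid addresses and the brand-to-domain map are constructed placeholders, not observed indicators.

```python
"""Mail-gateway triage for vessel-impersonation lures.

Added example; not code from Dryad Global or Red Sky Alliance. It applies
the indicators described in the report to raw RFC 5322 messages. The sample
messages, the example.invalid addresses and the brand-to-domain map below
are constructed placeholders, not observed indicators."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject lines from the report's weekly watchlist (quoted verbatim).
WATCHLIST_SUBJECTS = (
    "WG: RE : URGENT!!! SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E",
    "RE: VESSEL NOMINATION : MV SAND TOPIC OR SUB FOR 55,000 MT (+/-10%)",
    "RE: MT.OCEAN STAR VOY 16 LETTER / AGENT NOMINATION",
    "RE: BALANCE SETTLED.REF344266",
    "M.V. MCC SHENZHEN - Request Quotation for Bonded Store",
)

# Motor Vessel / Motor Tanker prefixes the report identifies as the lure keyword.
VESSEL_LURE_RE = re.compile(
    r"\b(?:MV|MT|M/V|M\.V\.|M/T|M\.T\.)(?=[\s.:/,-]|$)", re.IGNORECASE
)

# OOXML extensions that carry macros by definition, and legacy binary formats
# that may embed them; the report's sample carried a .doc and an .xlsm.
MACRO_ENABLED_EXT = {".xlsm", ".docm", ".pptm", ".xlam", ".dotm", ".potm"}
LEGACY_OFFICE_EXT = {".doc", ".xls", ".ppt"}

# Assumed legitimate domains for brands borrowed in the report's lures.
# Constructed for illustration; populate from your own trusted-sender list.
BRAND_DOMAINS = {"maersk": {"maersk.com"}, "dhl": {"dhl.com"}}


def triage(raw_message: str) -> dict:
    """Return the report-derived indicators present in one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    # policy.default unfolds wrapped headers, so a subject split across
    # lines (as in the report's table) is compared as a single string.
    subject = " ".join(str(msg["Subject"] or "").split())
    display_name, address = parseaddr(str(msg["From"] or ""))
    domain = address.rpartition("@")[2].lower() if "@" in address else ""
    findings = []

    if any(subject.startswith(known) for known in WATCHLIST_SUBJECTS):
        findings.append("subject matches weekly watchlist")
    elif VESSEL_LURE_RE.search(subject):
        findings.append("vessel keyword (MV/MT) in subject")

    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and domain not in legit_domains:
            findings.append(
                f"display name claims {brand} but sender domain is {domain or 'missing'}"
            )

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in MACRO_ENABLED_EXT:
            findings.append(f"macro-enabled attachment: {name}")
        elif ext in LEGACY_OFFICE_EXT:
            findings.append(f"legacy Office attachment (may carry macros): {name}")

    return {"subject": subject, "sender": address,
            "findings": findings, "flagged": bool(findings)}


# Constructed sample messages (placeholder addresses, not observed indicators).
SAMPLE_LURE = """\
From: "A.P. Moller - Maersk" <notices@example.invalid>
To: ops@example.invalid
Subject: M/V Amir Joy PDA REQUEST
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear sirs, please find attached the vessel particulars.
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="Vssl Picture.xlsm"
Content-Disposition: attachment; filename="Vssl Picture.xlsm"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

SAMPLE_WATCHLIST = """\
From: agent@example.invalid
To: chartering@example.invalid
Subject: RE: VESSEL NOMINATION : MV SAND TOPIC OR SUB FOR 55,000 MT (+/-10%)
 OF AUSTRALIAN WHEAT TO KOH SICHANG, THAILAND

Please confirm nomination.
"""

SAMPLE_BENIGN = """\
From: "Port Agent" <agent@example.invalid>
To: ops@example.invalid
Subject: Crew change schedule for next week

Attached schedule follows under separate cover.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_WATCHLIST, SAMPLE_BENIGN):
        result = triage(sample)
        print(result["subject"], "->", result["findings"] or "no indicators")
```

A watchlist hit is reported on its own rather than stacked with the generic keyword finding, so the score reflects the stronger indicator; the brand check only fires when a display name names a brand, which keeps ordinary internal mail (like the benign sample) silent.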
Our Experts Say
These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.
Pre-empt, don’t just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Weekly Maritime Watchlist
Top 5 Malicious Maritime Subject Lines
| Subject Line Used | Email Sender Using Subject Line | Times Seen |
|---|---|---|
| WG: RE : URGENT!!! SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E | "Babel Markus (Gechter GmbH)" [email protected] | 5 |
| RE: VESSEL NOMINATION : MV SAND TOPIC OR SUB FOR 55,000 MT (+/-10%) | [email protected] | 5 |
| RE: MT.OCEAN STAR VOY 16 LETTER / AGENT NOMINATION | [email protected] | 5 |
| RE: BALANCE SETTLED.REF344266 | "JX Ocean Co., Ltd." [email protected] | 5 |
| M.V. MCC SHENZHEN - Request Quotation for Bonded Store | "mv-octavia" [email protected] | 4 |
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Black Lists to proactively block cyber-attacks from identified malicious actors.