The case for pre-emptive defence
Vessel Impersonation Report
Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Jan 27, 2020 | Jan 27, 2020 Re: MV YAN DUN JIAO 1 (V.1904) - CALLING PORT//DRAFT SOF Trojan:Win32/Wacatac.C!ml "Wilhelmsen Ship" <[email protected]> Target nor disclosed | Trojan:Win32/Wacatac.C!ml | "Wilhelmsen Ship" [email protected] | Target nor disclosed |
| Jan 27, 2020 | MV GENIUS STAR X // S20027 // HONGKONG (BUNKERING) // AGENT APPOINTMENT | Trojan:Win32/Wacatac.C!ml | "[email protected]" [email protected] | sol-shipping.com.cn |
| Jan 28, 2020 | REQUEST FOR EPDA FOR SEA LONGITUDE CALLING LUBUK GAUNG FOR LOADING ABOUT 15,\n 000MT RBD PALM OLEIN | Trojan:Win32/Wacatac.C!ml | "Sandro Ginting DM" [email protected] | tck-shipping.co.id |
| Jan 23, 2020 | M/V Bello - Pda Discharge Agency Appointment | Trojan:Win32/Wacatac.C!ml | Moorthy MNetwork [email protected] | Target not disclosed |
| Jan 27, 2020 | RE: Re: MV HUA SHAN CALLING / FDA | Trojan:Win32/Wacatac.C!ml | Moorthy MNetwork [email protected] | Target not disclosed |
| Jan 23, 2020 | MV TASMAN SEA - AGENCY INSTRUCTION | Trojan:Win32/Wacatac.C!ml | "Omegra Singapore Operation" [email protected] | Target not disclosed |
| Jan 22, 2020 | /Inquiry PDA at Incheon(S.S. Pacific Enlighten) | Trojan:Win32/Wacatac.C!ml | " (Yurie Yamaya)" [email protected] | lngmt.jp |
| Jan 23, 2020 | Re: RE: RE: RE: RE: MV Fanreach - Pump Spares | Trojan:Win32/Wacatac.C!ml | Jan 23, 2020 Re: RE: RE: RE: RE: MV Fanreach - Pump Spares Trojan:Win32/Wacatac.C!ml = 64Ko7LGE7Jq0 = | jchem.co.kr |
| Jan 27, 2020 | MV MOUNT ADAMS / D.PORT AGENT NOMINATION | Trojan:Win32/Wacatac.C!ml | [email protected]" [email protected] | hkbn.net |
In the above collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. All malicious emails attempt to deliver a single malware, Trojan:Win32/Wacatac.C!ml. Vessel names seen this week include “S.S. PACIFIC ENLIGHTEN”, and “SEA LONGITUDE” among others.
Only 2 of the emails observed this week contained unredacted message bodies.
An email was observed attempting to impersonate “S.S. PACIFIC ENLIGHTEN”. This vessel is a liquefied natural gas (LNG) tanker vessel sailing under the Bahaman flag and currently en route to to the Australian port of Dampier.
The message contains the subject line “/Inquiry PDA at Incheon(S.S. Pacific Enlighten)” and a RAR compressed attachment identified by Microsoft as the Trojan:Win32/Wacatac.C!ml malware[1]. The message body requests a PDA for this vessel and invites the user to check the attached document for vessel details to be used in preparing the PDA. However, opening the attachment could activate the malware.Analysis reveals that a malicious email was sent from an IP address in the Republic of Korea to a recipient at the lngmt.jp domain. The target domain is owned by the Japanese LNG shipping company LNG Marine Transport Limited and hosted bvy by Japanese ISP NTT Communications Corporation.
In another example this week, we seen an email attempting to impersonate the vessel “SEA LONGITUDE”. This vessel is an oil and chemical tanker sailing under the Tuvalu flag and currently en route to the port of Mangalore, India.
Analysis reveals that a malicious email was sent to a recipient at the tck-shipping.co.id domain. The domain is owned by the Indonesian shipping company PT Tarunacipta Kencana (TCK). The tck-shipping.co.id domain appears to be no longer in use as evidenced by the web page located there displaying an “Index of” page. The company’s main page is now located at tck.co.id. The contact page lists email addresses using the newer domain (tck.co.id) but that does not mean that email addresses at the old domain (tck-shipping.co.id) are inactive.
The message uses the subject line “REQUEST FOR EPDA FOR SEA LONGITUDE CALLING LUBUK GAUNG FOR LOADING ABOUT 15,000MT RBD PALM OLEIN” revealing a level of detail in the attacker’s reconnaissance. Examination of the target’s corporate website reveals the company’s origin as shipping Palm Oil. They currently seek to be an industry leader in liquid cargo ocean shipping[2].
The message body requests loading agent services and references the attached document as a Q88 form, inviting the user to prepare an EPDA using the Q88 data. However, opening the attachment could activate the malware’s malicious payload.
[1]https://www.virustotal.com/gui/file/a99f8078388f5bb03346117ea0fc2b74f3098deef0975826ea88141de80f0686/detection
[2] http://www.tck.co.id/
Our Experts Say
Dryad Assessment
These analyses illustrate how opening any infected email, could cause a recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.
Pre-empt, don’t just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Weekly Maritime Watchlist
Top 5 Malicious Maritime Email Senders
| Sender | Maware Sent |
|---|---|
| [email protected] | [email protected] Trojan:Win32/Wacatac.C!ml, Trojan:Win32/Pwsteal.Q!bit, Trojan:Win32/Occamy.C |
| [email protected] | TrojanDownloader:O97M/Emotet.ARJ!MTB |
| Colby Swift [email protected] | TrojanDownloader:O97M/Emotet.ARJ!MTB |
| [email protected] | TrojanDownloader:O97M/Emotet.ARJ!MTB |
| \"Maersk Line\" [email protected] | Program:Win32/Uwasson.A!ml |
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
