Maritime Cyber Security & Threats 12-18 April
By: Dryad Global on April 20, 2021 at 9:18 AM
Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. The keywords Motor Vessel (MV) or Motor Tanker (MT) in a subject line are a common lure to entice users in the maritime industry to open emails containing malicious attachments.
Together with our cyber security partner we provide a weekly list of Motor Vessels observed being impersonated, with the associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can get only 10% of recipients to open their malicious attachments, they can send thousands of emails a day from similar templates, resulting in hundreds of victims per day, and they can automate parts of this process for efficiency. It is therefore critical to train all employees to identify malicious emails and attachments: email remains the major attack vector for attackers looking to compromise a network.
Malicious Email collection 8 Feb - 4 Mar 21

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Apr 12, 2021 | [DHL shipping document /duty inv payment. | Hoax.HTML.Phish.xi | "DHL Express" wyc7003@otc.co.kr | daelim.co.kr |
| Apr 12, 2021 | Re: SHIPPING DOCUMENT- Balance Payment Notification | Exploit:O97M/CVE-2017-0199.LAH!MTB | "KathyLinda Wang" c7d4b@f9c41d2657b855dd8.com | 9b036c245980fbdae.sg |
| Apr 12, 2021 | RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK | Trojan:Win32/Wacatac.B!ml | "Jason Bourne" admin@jetmails.link | Targets Not Disclosed |
| Apr 12, 2021 | VSL MV New Courage | Trojan:MSIL/AgentTesla.DK!MTB | "Leo Li" operations@goldenwave.com | electroputere.ro |
| Apr 13, 2021 | MV XIN GUANG HUA / AGENCY APPOINTMENT | Exploit:Win32/CVE-2017-11882!ml | "Ryan Daniels" | f27662b3d.sg |
| Apr 13, 2021 | MV United Breeze | Exploit:Win32/CVE-2017-11882!ml | "Jack Thompson" 7513c1c7b8bd@f0fd1be491.jp | 77389d269.com |
| Apr 13, 2021 | FW: REVISED SHIPPING DOCUMENT | UDS:Trojan-PSW.MSIL.Agensla.gen | "Dmitri Antonov" caf9@7c87.de | c9de614891d32741.au |
| Apr 13, 2021 | ARRIVAL NOTICE / FREIGHT INVOICE | HTML/Phishing.AQ!tr | "Logistics manager" 93ceb1c3@b7a4d7756.ga | b702698d6f08.com |
| Apr 13, 2021 | ARRIVAL NOTICE / FREIGHT INVOICE | HTML/Phishing.AQ!tr | "Logistics manager" 93ceb1c3@b7a4d7756.ga | f1277c82.com |
| Apr 13, 2021 | ARRIVAL NOTICE / FREIGHT INVOICE | HTML/Phishing.AQ!tr | "Logistics manager" 93ceb1c3@b7a4d7756.ga | 93964e15ac1716.net |
| Apr 13, 2021 | ARRIVAL NOTICE / FREIGHT INVOICE | HTML/Phishing.AQ!tr | "Logistics manager" 93ceb1c3@b7a4d7756.ga | 4ef783b19.lt |
| Apr 13, 2021 | ARRIVAL NOTICE / FREIGHT INVOICE | HTML/Phishing.AQ!tr | "Logistics manager" 93ceb1c3@b7a4d7756.ga | 37bdf4b.pl |
| Apr 13, 2021 | ARRIVAL NOTICE / FREIGHT INVOICE | HTML/Phishing.AQ!tr | "Logistics manager" 93ceb1c3@b7a4d7756.ga | 5d0634746e1.com |
| Apr 13, 2021 | Shipping Documents | Trojan:Win32/DelfInject.PNJ!MTB | "Linda Davis" dcca1c@734e9c4f13d83c5c8.net | ee0538cf.com |
| Apr 13, 2021 | Shipping Documents | Trojan:Win32/DelfInject.PNJ!MTB | "Linda Davis" ldavis@southernstainless.net | electroputere.ro |
| Apr 14, 2021 | SHIPPING NOTIFICATION FOR ACKNOWLEDGEMENT | Trojan:Win32/Wacatac.B!ml | "madha" 0c798@33375530663927.com | 5331662f8.com |
| Apr 14, 2021 | FRT DN// MV "YANGTZE OASIS" FOR EQUIPMENTS EX SHANGHAI NO.9 & TAICANG TO SINGAPORE & PORT KLANG | Trojan:MSIL/Stealer.MS!MTB | "yanshipping@126.com" 6f19179802@7d7.com | 7d7.com |
| Apr 14, 2021 | MV XIN GUANG HUA / AGENCY APPOINTMENT | Trojan:Win32/Wacatac.B!ml | "Ryan Daniels" 456d0deba6@2d294b.com | 2d294b.com |
| Apr 14, 2021 | MV "GEORGIANA"/Tongli - CP dd 17/2/2021 - 1st hire SOA | Program:Win32/Wacapew.C!ml | "Doris Kuo" e05456a@cc2e877.tw | cc2e877.tw |
| Apr 14, 2021 | Re: MV ALMIRA -- TO CALL FOR DISCHARG 100K 10% COAL | Trojan:Script/Phonzy.B!ml | "Op" e84@cfbd956ecb0db5.com | cfbd956ecb0db5.com |
| Apr 14, 2021 | mv "GOLDEN ICE" - NOR TENDERED AT PORT KAMSAR OUTER ANCHORAGE AREA/ | Trojan:Win32/Wacatac.B!ml | "Golden Ice" beb583f57b@408707dc58.net | Targets Not Disclosed |
| Apr 14, 2021 | PDA request for MV "Stellar Pacific" at 1 PORT | UDS:Trojan-PSW.MSIL.Agensla.gen | d8b31b9ec9.com | d8b31b9ec9.com |
| Apr 14, 2021 | MV. SHENG LE C// DISCH CARGO @ MOROWALI & KENDARI PORT// INDO | Exploit:Win32/CVE-2017-11882.MXR!MTB | "Amir Hossain" | 963212c1fc.com |
| Apr 14, 2021 | Shipping Documents | Exploit:O97M/CVE-2017-11882.RU!MTB | "email admin" c769c2bd1@db0c5fb24c5ee.com | db0c5fb24c5ee.com |
| Apr 14, 2021 | MV UNITED BREEZE v-43 - Agency appointment (for touch bunkering) | Trojan:Script/Wacatac.B!ml | "SUN AWANO DORVAL, LTD" b5e67@a2b06885a.jp | dfb80f1afb.net |
| Apr 14, 2021 | MV GLOBE CLEOPATRA- AGENCY APPOINTMENT | Trojan:Script/Wacatac.B!ml | "Operations" 9bf71442f4@d8b31b9ec9.com | 4974bb1cfcefcf9a.com |
| Apr 14, 2021 | MV ALICE STAR - AGENCY APPOINTMENT FOR DISCHARGING | Trojan:Script/Wacatac.B!ml | "H.C Shipping and Chartering Ltd" 21232@b5f2bdc9c1.com | a694174ef.com |
| Apr 14, 2021 | GLOBAL MERCURY V05 A/C SUNFIELD // Port Call For Discharging | Exploit:Win32/CVE-2017-11882.MXR!MTB | "GMS/F.Narita" b191935e@baa148d393.jp | 230ffc87.com |
| Apr 14, 2021 | MV GENCO RESOLUTE | Exploit:Win32/CVE-2017-11882.MXR!MTB | "LIANYUNGANG WINLUCKY SHIPPING AGENCY CO.,LTD" fb3b49@bf5f566bbbb0.cn | a694174ef.com |
| Apr 14, 2021 | MV KSL SEVILLE V/DISPORT/AGENCY APPOINTMENT | Exploit:Win32/CVE-2017-11882.MXR!MTB | "BLACN - RTM.CHINAOPS" | 382e0.org |
| Apr 14, 2021 | RE:MV.SIRICHAI REEFER V.0221 - 1st Freight Invoice.. | TrojanDownloader:O97M/Donoff.MXN!MTB | "Khajohn Intavichian" ii.khajohn@kgroupinternational.com | tandler.de |
| Apr 14, 2021 | po#5467#FROM Art-Sea Industrial Company Limited | PWS:MSIL/DarkStealer!MTB | "Mr. Lau Pan Hoi" | ca7ae375cb5e4.sg |
| Apr 15, 2021 | RE:MV.SIRICHAI REEFER V.0221 - 1st Freight Invoice.. | TrojanDownloader:O97M/Donoff.RE!MTB | "Khajohn Intavichian" e4739abaf7@0460f8c0220d8facc90.com | bad0365c09e.com |
| Apr 15, 2021 | Freight Invoice Remittance CP 22 Mar. 2021 /V17016 FRT INV | Trojan:Win32/Tnega!ml | "Chia" 9061e7@6de25bc3d6ffca28996a4ba.sg | 6de25bc3d6ffca28996a4ba.sg |
| Apr 15, 2021 | MV VITTORIA - CTM | Trojan:Win32/Tnega!ml | "Evi - UK KLINE" e6614e4622@f7a39e6c.com | f7a39e6c.com |
| Apr 15, 2021 | GLOBAL MERCURY V05 A/C SUNFIELD // Port Call For Discharging | Exploit:Win32/CVE-2017-11882.MXR!MTB | "GMS/F.Narita" f.narita@gmsline.co.jp | sinotrans.com |
| Apr 15, 2021 | mv "GOLDEN ICE" - NOR TENDERED AT PORT KAMSAR OUTER ANCHORAGE AREA/ | Trojan:MSIL/Stealer.RV!MTB | "Golden Ice" beb583f57b@408707dc58.net | Targets Not Disclosed |
| Apr 15, 2021 | mv "GOLDEN ICE" - NOR TENDERED AT PORT KAMSAR OUTER ANCHORAGE AREA/ 15.March.2021 | Trojan:MSIL/Stealer.MS!MTB | "Golden Ice" golden.ice@thomeships.ne | Targets Not Disclosed |
| Apr 15, 2021 | Shipping confirmation DHL Express order>>> | Program:Win32/Wacapew.C!ml | "DHL EXPRESS" rosa.garay@dhl.com | Targets Not Disclosed |
| Apr 15, 2021 | RE:MV.SIRICHAI REEFER V.0221 - 1st Freight Invoice.. | Trojan:Win32/Wacatac.B!ml | "Khajohn Intavichian" ii.khajohn@kgroupinternational.com | wheysound.com.tw |
| Apr 15, 2021 | VESSEL'S LINE UP / UPDATE/27TH JAN 2021 | Trojan:Win32/Lokibot.V!MTB | "SEBA SHIPPING" seba@sebashipping.co.kr | sebashipping.co.kr |
| Apr 15, 2021 | Shipping document | Trojan:HTML/Phish.MTL!MTB | "Express Shipment" alamoudisaudia@hotmail.com | conifex.com |
| Apr 15, 2021 | PDA CILACAP | Trojan:Win32/Vigorf.A | "Krishnan" krishnans@uslfze.ae | uslfze.ae |
| Apr 16, 2021 | Rfq for Freight Forwarder from Shenzhen, China Seaport | TrojanDownloader:O97M/Donoff!MSR | 0220758972ff@8a78ba2a46.com | f8005c786c91.za |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Vittoria” and “MV Genco Resolute” among others. This week, analysts observed attackers attempting to send malicious email attachments to multiple recipients from the same sender email address.
The attacker in this case sent the emails from "Khajohn Intavichian" ii.khajohn[at]kgroupinternational[.]com. The domain used (kgroupinternational) does not appear to be registered to any legitimate entity, indicating the attackers may have created a fictional business domain as a disguise for sending malicious emails. There appears to be a legitimate company called K-Group Logistics Co., Ltd. based in Thailand; however, there does not appear to be any legitimate link between the Thai logistics company and the domain used by the attacker in this case. Attackers often impersonate or spoof legitimate companies when sending malicious email attachments to evade detection.
Recipients in multiple countries were targeted by these malicious emails. While one of the three targeted domains is obfuscated (and unidentified), one target was based in Germany and another in Taiwan. The German target in this case is a gear manufacturing and hardening shop. Manufacturers are often the target of attackers looking to steal sensitive proprietary data or deploy ransomware for profit. The wheysound[.]com[.]tw domain belongs to Huisong Technology, a Chinese "high-tech enterprise" focused on laboratory medical instruments and in vitro diagnostic reagents. Attackers targeting this company would also likely search for sensitive information to steal, even during a ransomware attack.
In all three email samples the attacker uses the same subject line, "RE:MV.SIRICHAI REEFER V.0221 - 1st Freight Invoice..", and the same message body. The sender appears to be using at least two different email clients, as the samples arrived as both .eml (email) files and .msg (Outlook) files.
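The triage logic described above (MV/MT keyword lures, one sender address and subject reaching several organisations, and the rows in the table where the sender's domain equals the target's own domain) can be run over the table's columns. The following is an added example written for this page, not Red Sky Alliance's or Dryad's tooling; the sample rows are copied from the table above purely as constructed test data.

```python
import re
from collections import defaultdict

# Constructed sample rows mirroring the report table: (date, subject, sender, target
# domain). Illustrative records only, not the Red Sky Alliance data feed.
SAMPLE_EMAILS = [
    ("2021-04-14", "RE:MV.SIRICHAI REEFER V.0221 - 1st Freight Invoice..",
     '"Khajohn Intavichian" ii.khajohn@kgroupinternational.com', "tandler.de"),
    ("2021-04-15", "RE:MV.SIRICHAI REEFER V.0221 - 1st Freight Invoice..",
     '"Khajohn Intavichian" ii.khajohn@kgroupinternational.com', "wheysound.com.tw"),
    ("2021-04-15", "MV VITTORIA - CTM", '"Evi - UK KLINE" e6614e4622@f7a39e6c.com', "f7a39e6c.com"),
    ("2021-04-15", "PDA CILACAP", '"Krishnan" krishnans@uslfze.ae', "uslfze.ae"),
    ("2021-04-13", "FW: REVISED SHIPPING DOCUMENT", '"Dmitri Antonov" caf9@7c87.de', "c9de614891d32741.au"),
]

# MV / MT as a standalone token, case-insensitive: "MV.SIRICHAI" and 'mv "GOLDEN ICE"'
# match, while letters inside words such as "CTM" or "Remittance" do not.
VESSEL_LURE = re.compile(r"\b(MV|MT)\b", re.IGNORECASE)
ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+")


def has_vessel_lure(subject: str) -> bool:
    """True when the subject uses the Motor Vessel / Motor Tanker keyword lure."""
    return VESSEL_LURE.search(subject) is not None


def sender_address(sender: str) -> str:
    """Pull the bare address out of a '"Display Name" user@domain' string."""
    m = ADDRESS.search(sender)
    return m.group(0).lower() if m else sender.strip().lower()


def flag_emails(records):
    """Map (subject, sender address) -> set of reasons for rows worth review:
    'vessel-keyword' (MV/MT lure), 'self-spoof' (sender domain equals the target's
    own domain), 'fan-out' (same sender and subject hitting 2+ target domains)."""
    reasons = defaultdict(set)
    targets_per_key = defaultdict(set)
    for _date, subject, sender, target in records:
        addr = sender_address(sender)
        key = (subject, addr)
        targets_per_key[key].add(target.lower())
        if has_vessel_lure(subject):
            reasons[key].add("vessel-keyword")
        if addr.rsplit("@", 1)[-1] == target.lower():
            reasons[key].add("self-spoof")
    for key, targets in targets_per_key.items():
        if len(targets) >= 2:  # one lure reused against several organisations
            reasons[key].add("fan-out")
    return dict(reasons)
```

The self-spoof check is the condition a DMARC reject policy on the recipient's own domain would enforce at the gateway; the fan-out check only works when the mail data of several organisations is pooled, which is what the weekly collection provides.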
There are a total of four unique malicious files attached to the malicious email samples. The malicious file attachments used the following file names:
- “P0_0541_60_12.rar” (Archive)
- “ERL_7804100.doc” (MS Word Document)
- “IMG_107_85_02_37.doc” (MS Word Document)
- “IMG_50_78_63.xls” (MS Excel Spreadsheet)
This indicates the attacker may be generating these emails manually rather than using a single malicious email template to spam numerous targeted users. The malicious attachments trigger several different antivirus (AV) detections, but all of the malware appears to be an attempt to download a trojan onto the target system for further intrusion. Once attackers gain an initial foothold, they can move laterally or conduct further reconnaissance on the network. An attacker who successfully implants a trojan on a manufacturer's network would have a significant advantage when stealing data from it and/or encrypting it with ransomware.
These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company's supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.
Pre-empt, don't just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.