Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates resulting in hundreds of victims per day. They can also automate parts of this process for efficiency. It is critical to implement training for all employees to help identify malicious emails/attachments. This is still the major attack vector for attackers looking to attack a network. These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Malicious Email collection 8 Feb- 4 Mar 21
First Seen |
Subject Line Used |
Malware Detections |
Sending Email |
Targets |
May 24, 2021 |
AGENCY APPOINTMENT - MV Golden Daisy - 95000 10% Coal |
Trojan:Win32/AgentTesla!ml |
"OPERATIONS@DEYESION.COM" d6a0beecb@58f0b343.com |
58f0b343.com |
May 24, 2021 |
Bill Of Lading For Current Shipment |
Trojan:Win32/AgentTesla!ml |
“Maersk Line” maeersk@223.w.mxzvn.club |
help.mdaemon.com |
May 24, 2021 |
MV TAURUS HONOR// PDA INQUIRY FOR LOADING 75000MT COAL IN BULK |
Trojan:Win32/AgentTesla!ml |
"ops@cambrianbulk.com" 11@144cb9de1744.com |
144cb9de1744.com |
May 24, 2021 |
SPAM: RE: FINAL SHIPPING DOCS. |
Trojan:Win32/Wacatac.B!ml |
72e1f6f7d@405fe3cd4863.com |
a0a1ee03.com |
May 24, 2021 |
RE: New order,Invoice and shipping documents..... |
Trojan:Win32/AgentTesla!ml |
caf9@942fe19ebe3c8dd5.de |
942fe19ebe3c8dd5.de |
May 25, 2021 |
RE: PORT INFO AND EPDA INQUIRY FOR LOADING ABT 55000MT IRON ORE FINES |
Trojan:Win32/AgentTesla!ml |
"ops@wlinternational.cc" 11@b47c6dee3756a9e.cc |
b47c6dee3756a9e.cc |
May 25, 2021 |
London Spirit / 204.566,000 mt Bauxite - Laytime Calculations |
Trojan:Win32/AgentTesla!ml |
"DryCargo Cape Shanghai" 291545f53bf92@31cb6a604.com |
31cb6a604.com |
May 25, 2021 |
MV GRAECIA AETERNA - REQUEST FOR EPDA - 80,000/10 MTS SBM |
Trojan:Win32/AgentTesla!ml |
"Cofco International Freight S.A" 111ade09ce2@78569d273040d420ad.com |
78569d273040d420ad.com |
May 25, 2021 |
MV AXLE MARINE TBN LOADED WITH 33,000MT OF BARLEY IN BULK |
Trojan:Win32/AgentTesla!ml |
"Axle Marine Operations" 11@3d008ffc98.com |
3d008ffc98.com |
May 25, 2021 |
Port Agent Appointment - Re: m/t \'Han Grace\' V.206 / 10kt PX |
Trojan:Win32/AgentTesla!ml |
"Greg / Interport Shanghai" 4e9f6401@9956ea6e9.asia |
9956ea6e9.asia |
May 25, 2021 |
RE: MV PRINCESS ROYAL: RFQ Stores/Firmed Order |
Trojan:Win32/AgentTesla!ml |
"MPI - Katrina Cuadra" ba19a09a68@9cda717dd0b315.ph |
9cda717dd0b315.ph |
May 25, 2021 |
Arrived freight declaration. |
TrojanDropper:O97M/Obfuse.DEA!MTB |
augustomalentacca@crocap.it |
medibrexmarketing.com |
May 25, 2021 |
shipping Notice | 5/25/2021 8:30:31 a.m.. . |
Trojan:Win32/Phonzy.B!ml |
"DHL Shipping" Kamal@mail.notes.bank-of-china.com |
multimateriales.com |
May 25, 2021 |
RE: New order and shipping documents.....,,,, |
Trojan:Win32/Wacatac.B!ml |
9ed08@942fe19ebe3c8dd5.de |
66d4b4.org |
May 25, 2021 |
TNT Shipping Document |
Exploit:O97M/CVE-2017-11882.AL!MTB |
exportsdoc@tnt.com |
grgich.com |
May 26, 2021 |
VESSEL\'S LINE UP AT YEOSU / UPDATE/03 MARCH 2021 |
Trojan:Win32/Detplock |
"SEBA SHIPPING" seba@sebashipping.co.kr |
sebashipping.co.kr |
May 26, 2021 |
Re: BANK SLIP // EPDA // MV BAO NENG 16//Agent nomination-BANK SLIP |
Trojan:Win32/Wacatac.B!ml |
"op@tonglishippingpte.com" e84@1b84072c33545fa2e.com |
1b84072c33545fa2e.com |
May 26, 2021 |
MV ZIRCON V.21-05 CALLING AT PORT O/A 10-11/JUNE/2021 FOR LOADING MIN |
Trojan:Win32/Wacatac.B!ml |
"Eastern Dragon Shipping Co.,Ltd NQThang" 4776c35@31ec708.net |
a5acdc528.vn |
May 26, 2021 |
Urgent - mv navision tbn loading steels |
Trojan:Win32/AgentTesla!ml |
"Chartering" 4776c35@a337ff5200870.com |
a337ff5200870.com |
May 26, 2021 |
MV XIN RUN // DISCHARGE // FDA |
Trojan:Script/Phonzy.B!ml |
"op@tonglishippingpte.com" e84@1b84072c33545fa2e.com |
1b84072c33545fa2e.com |
May 26, 2021 |
MV XIN HAI JIA//7TH HIRE SOA& BANK SLIP//FM TRANSWIND |
Trojan:Win32/AgentTesla!ml |
"ops-transwindshipping" 74@84c3f1b464fda6c89.COM |
84c3f1b464fda6c89.COM |
May 26, 2021 |
subject vessel. |
Trojan:MSIL/Kryptik.UL!MTB |
"Jennis Tseng" jennis.tseng@asw-taipei.com |
asw-taipei.com |
May 26, 2021 |
Port info / Pda / liner out costs for discharge wood pulp / paper pulp |
Program:Win32/Wacapew.C!ml |
"c1c164@84c057760bd.com" c1c164@84c057760bd.com |
84c057760bd.com |
May 26, 2021 |
MV. SHI DAI 9 - TARAHAN COAL TERMINAL, |
Trojan:Script/Phonzy.B!ml |
"IDT - Shipping Agency" 7e3ca0704c@0f63b4c3e7a3eef.id |
0f63b4c3e7a3eef.id |
May 26, 2021 |
TBN // PDA quotation for discharging cement |
Trojan:MSIL/Kryptik.UL!MTB |
"Rachel Chien, Wisdom Marine" cj@zjzhshipping.com |
zjzhshipping.com |
May 26, 2021 |
CURRENT SOA // BESIKTAS MARINE |
Trojan:Win32/Wacatac.B!ml |
"Ilyas YILDIRIM" 3ea4a@34cf78a46cd043.com |
34cf78a46cd043.com |
May 26, 2021 |
MV\"TAO BRAVE\"SOA AND BANK SLIP |
Trojan:Win32/AgentTesla!ml |
"Julie Ju" 8f0b9@3c1594bc.com |
3c1594bc.com |
May 26, 2021 |
Re: MV OCEAN HERO : CTM DELIVERY |
Program:Win32/Wacapew.C!ml |
ce2458@44fde3764ed22d.com |
2c0035ec8a.com |
May 26, 2021 |
R & R Freight Logistics, LLC Rate Confirmation for order: 00193411 |
Trojan:O97M/Sonbokli.A!cl |
Brad Letourneau dispatchs@rrfreightlogistics.com |
Targets Not Disclosed |
May 26, 2021 |
Shipping information |
VBA.Heur.Morpheus.9.711E3F25.Gen |
“DHL” e5f8ab@1778a8122d.com |
57c37cbae374.com |
May 27, 2021 |
MV HENG HUA//PDA |
Trojan:Win32/Wacatac.B!ml |
"lh_shipping@vip.163.com" 4efc8ea5d41@673b1b1.com |
673b1b1.com |
May 27, 2021 |
BANK SLIP MV. ZHONG ZHE 7 |
Trojan:Win32/Wacatac.B!ml |
"hardy_liu@tsl-group.com" cd0a768ed@cd4409291.com |
cd4409291.com |
May 27, 2021 |
DHL EXPRESS SHIPPING |
Hoax.HTML.Phish.xf |
“DHL EXPRESS” admins@support.com |
crinity.com |
May 27, 2021 |
MV.GREAT COSMOS V.2002 // 20350CBM CONTAINER |
Trojan:Win32/AgentTesla!ml |
"shmwops@cmhk.com" 29b88885@9395.com |
9395.com |
May 27, 2021 |
Re: SHIPPING DOC (CI,COO,PL,BL) |
UDS:DangerousObject.Multi.Generic |
“Casia Global Logistics Co., Ltd.” rama@itservice.co.id |
europe.bd.com |
May 28, 2021 |
IMPORTANT NOTICE: Shipping documents Delivery Notification for your |
HEUR:Trojan.Script.Generic |
“EMS Express Electronic bill” nancy.li@merak-hvac.com |
mail3.unixtar.com.tw |
May 28, 2021 |
SHIPPING DOCUMENTS FOR GATE PASS |
Trojan:Win32/Woreflint.A!cl |
“Fasih” 21dca4b9@066.int |
0b922c05fbb4cad1af8a.com |
May 28, 2021 |
SHIPPING DOCUMENTS FOR GATE PASS |
Trojan:Win32/Woreflint.A!cl |
“Fasih” braniffs@who.int |
electroputere.ro |
May 28, 2021 |
Shipping Document |
Trojan:Win32/Wacatac.B!ml |
“Fasih” d662d3fe2@47029c65f877e129.com |
d5a51c2abdccf.net |
May 29, 2021 |
RE: Shipping Document Sent |
HTML/Phishing.da |
“Clarauto” 6e94de21b@8bf308a.com |
b109e36c31e589a.com |
May 29, 2021 |
RE: Shipping Document Sent |
HTML/Phish.GHW!tr |
“Clarauto” 1e06d8c7a25b3@8bf308a.com |
1239952c0dbe.com |
May 29, 2021 |
RE :Revised shipping schedule |
Trojan:Win32/Wacatac.B!ml |
"CIRCLE MARINE LTD" 9ed08@68e289562166c865a.com |
79f8dc.com |
May 31, 2021 |
Documents Of Shipping Via Dhl Parcel |
Trojan:Win32/Woreflint.A!cl |
"Delivery Service------DHL International GmbH" caf9@887.com |
5c76dea57923.com |
May 31, 2021 |
FW: Your Unclaimed Shipping Doc / BL Scanned Copy |
HTML/Phishing.ca |
“Maersk Line” dvpnvp@dvpn.gov.by |
hkcec.com |
May 31, 2021 |
Request for Freight Quote for 50K Fertilizers |
Exploit:O97M/CVE-2017-11882.SI!MTB |
“SK trading international” yech_choi@sk.com |
Target Not Disclosed |
May 31, 2021 |
MV TANBINH 136 - AGENCY APPOINTMENT |
Trojan:MSIL/AgentTesla!MTB |
"Linh Tanbinhship" d2e5a31494d@b29e372a39d02b1.com |
b29e372a39d02b1.com |
May 31, 2021 |
MV GENCO MAGIC - Bunkering - Local agency appointment |
Trojan:Win32/AgentTesla!ml |
"nextmaritime - Agency" 54c0cf60@fc0af9679e77.com |
fc0af9679e77.com |
May 31, 2021 |
PDA ENQUIRY & PORT INFO / LOADING 75,000 MT CLINKER IN BULK |
Trojan:MSIL/AgentTesla!MTB |
"SSOE DubaiOperations" 5985692339b1f099@c9d93e4332.com |
c9d93e4332.com |
May 31, 2021 |
// mv CROWN GARNET // Inquiry // 3105-05 (A134) |
Trojan:Win32/AgentTesla!ml |
"Ekaterina Drewing" d691b9454@520aa.de |
520aa.de |
May 31, 2021 |
MV XIN HAI 68/ V.2004/FINAL PDA AND SOA/ HOA PHUONG SHPG JSC. |
Trojan:Win32/Wacatac.B!ml |
"Mr. Leo / HOAPHUONG SHPG JSC" ebab21a@c14.vn |
c14.vn |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime related subject lines. Some of the new vessel names used this week include “MV Tanbinh” and “MV Crown Garnet” among others.
Figure 3 – Marine Traffic Results for MV Leopold LD
Threat actors impersonated Maersk in at least two malicious emails this week. The first attacker used Maersk as an alias, however, the sending email address linked to the malicious email is dvpnvp[at]dvpn[.]gov[.]by. This sending email address belongs to the Department of Veterinary and Food Control of the Republic of Belarus. Threat actors often impersonate official government agencies to make their malicious emails appear more legitimate.
The target of the malicious email seems to be aware of the maliciousness of the email and responded by asking if the email was a scam. Red Sky Alliance have no way to verify if the target opened the malicious attachment at any point, even after identifying it as a possible scam. The target notified a member of the company’s information management team.
Attached to the malicious email is an html file titled “Maersk Shipping Document.html.” Antivirus engines have identified this file as JS/Phish.AB38!tr phishing malware. If the target were to open the malicious .html attachment they would be brought to a Maersk login screen with their email address pre-filled in the username field. Users should always be aware of logging into web pages with pre-filled credential fields.
Even if a user inputs the incorrect password and clicks the “Continue” button, they are led to a page displaying a warning that the connection is insecure. Once a user clicks “Continue,” they are brought to hxxps://ptmadras[.]com/oso.php which produces a 404 error at this time. Analysts are confident that the threat actors are attempting to steal the password entered by the target.
These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to: