
Maritime Cyber Security & Threats December Week 3



Dryad Global and its cyber security partner Red Sky Alliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partner, Red Sky Alliance, performs weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Use of the keywords Motor Vessel (MV) or Motor Tanker (MT) in the email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates, resulting in hundreds of victims per day. They can also automate parts of this process for efficiency. It is critical to implement training for all employees to help them identify malicious emails and attachments. This is still the major attack vector for attackers looking to compromise a network. These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural and other industries with additional malware.


Malicious Email collection 5 - 12 Dec 2020

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Dec 12, 2020 | INQUIRY - RIO DE JANEIRO PORT - ETA: 19/12 | HTML/Agent.AQX!tr | Mohammed Yousef Abdul <ABC@dlm.ru> | hanmail.net |
| Dec 13, 2020 | INQUIRY - RIO DE JANEIRO PORT - ETA: 19/12 | HTML/Agent.AQX!tr | Mohammed Yousef Abdul <ABC@dlm.ru> | kebs.org |
| Dec 13, 2020 | INQUIRY - RIO DE JANEIRO PORT - ETA: 19/12 | HTML/Agent.AQX!tr | Mohammed Yousef Abdul <ABC@dlm.ru> | ceva-dsp.com |
| Dec 14, 2020 | VSL: M/V Hyundai Voyager, ORDER: TKA-121420 | HEUR:Exploit.MSOffice.Generic | "South Inter Shipping Services Ltd.," <edysudiarminto@pbas-qaqc.com> | Targets Not Disclosed |
| Dec 15, 2020 | INQUIRY - RIO DE JANEIRO PORT - ETA: 19/12 | HTML/Agent.AQX!tr | Mohammed Yousef Abdul <contactos@siegensa.com> | daewonls.com |
| Dec 15, 2020 | PDA for Vsl discharging Sulphur | Trojan:Win32/Wacatac.B!ml | "Bulk Operations" <f7235a61f@4b37bd.com> | 4b37bd.com |
| Dec 15, 2020 | MV GREAT JIN QUOTATION GJN20/ST-D026 | Trojan:Win32/Wacatac.B!ml | "SIMP" <cb559@41bb4.com> | a68c35.mil |
| Dec 15, 2020 | LCL // EXWORK // BANSARD // LE HAVRE - JAKARTA | Exploit:O97M/CVE-2017-11882.PH!MTB | cosco <mady@cosco.com> | Targets Not Disclosed |
| Dec 15, 2020 | MV Madeira / request of PDA for discharging iron ore at Ganyu | Backdoor:Win32/Rescoms | "MEHRARAD Energy" <fe021087b0@ae2efb19.ir> | a694174ef.com |
| Dec 15, 2020 | Port Agency Appointment for MV CAPTAIN SEA | HEUR:Exploit.MSOffice.Generic | "Hangzhou Y H Forwarding Agency Co., Ltd" <samard@glowbaloutlets.com.lb> | Targets Not Disclosed |
| Dec 15, 2020 | INQUIRY - RIO DE JANEIRO PORT - ETA: 19/12 | HTML/Agent.AQX!tr | Mohammed Yousef Abdul <ntcn@yugrusiagro.ru> | prhoffman.com |
| Dec 16, 2020 | ADVANCE FREIGHT USD INV#1191189 | Trojan:Win32/Woreflint.A!cl | Catherine Minio <44c6@9146f21ad783.com> | Targets Not Disclosed |
| Dec 18, 2020 | KAGUYA / 20NTL0161 MV KAGUYA V-49 / SAILING INSTRUCTIONS AND AGENCY APPOINTMENT | MSIL/Kryptik.YYY!tr | EISHI SATO <energy1@nsuship.co.jp> | nsuship.co.jp |
| Dec 18, 2020 | VSL: ELEGANT, REQUEST FOR QUOTATION | Trojan-Spy.Keylogger.AgentTesla | Sung Un Jung san <jun@kotobuki-kaiun.co.jp> | kotobuki-kaiun.co.jp |
| Dec 18, 2020 | //Resending// MV Madeira / request of PDA for discharging iron ore at | Troj/Remcos-DI | "MEHRARAD Energy" <fe021087b0@ae2efb19.ir> | a694174ef.com |
| Dec 18, 2020 | Re: MV Mur201109-001 Enclosed are OA _AWB Docs. | Program:Win32/Wacapew.C!ml | Jitender <bop2@pprollingmills.com> | Targets Not Disclosed |



Figure 3 – Marine Traffic Results for MV Great Jin

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Great Jin” and “MV Hyundai Voyager” among others.

Analysts observed the malicious subject line “INQUIRY - RIO DE JANEIRO PORT - ETA: 19/12” being used this week. This email leverages a few techniques to get the targeted users to open the malicious attachments. Interestingly, the same subject line was used to target multiple different recipients.

These malicious emails all seem to have been sent by one group or individual. The sender uses the single alias “Mohammed Yousef Abdul” with every email. The following email addresses were used to send malware to multiple targets using the subject line above:

  • ABC[at]dlm[.]ru
  • contactos[at]siegensa[.]com
  • ntcn[at]yugrusiagro[.]ru

Multiple unique recipients were targeted by these malicious emails. The targeted industries suggest attackers looking either to steal intellectual property or to infiltrate vendors and suppliers as part of a future supply chain attack. Employees at the following companies were targeted by this actor:

  • Kenya Bureau of Standards (KEBS)
    • Kenya’s government agency responsible for the provision of Standards, Metrology and Conformity Assessment services.
  • CEVA
    • Headquartered in the United States, this company claims to be the leading licensor of wireless connectivity and smart sensing technologies.
  • Daewon Logipia Co. Ltd.
    • Korean company which claims it is one of the leading international project logistics management and freight forwarding companies.
  • PR Hoffman
    • Headquartered in the United States, this company is identified as an “industry leader in wafer lapping and polishing machines and consumables.”

The message body is the same for all of the emails observed. It begins with a generic “Good day” greeting, which is common among malicious emails. The message asks the recipient to open the attached file without specifying what it is, which is another common tactic used by attackers. Notably, the attacker's signature does not specify the company they work for. Also, the domain listed in the signature (whaletimemaritime[.]com) does not appear in any of the sending email addresses, showing a mismatch between the sending address and the email signature. This is another indicator that the email is illegitimate.

The email contains a malicious HTML (web page) file which is identified as phishing malware. Just as the subject line and message body are the same throughout all of the malicious emails, the attachment appears to be the same as well. The attached HTML file, titled “INQUIRY-DEC-2384.html,” would be downloaded by the target. Once the target opens the downloaded file, they see a prompt to input their password to “view the spreadsheet file.” The attackers even pre-filled the username field so that the target only has to input their password to view the file. When the target inputs their password, they are taken to the next page, which is not actually a spreadsheet with data but a screenshot of one (a .png file). The attackers are likely capturing these credentials and storing them to sell or use later. The fact that the spreadsheet screenshot is visible in Google Drive indicates that the attackers are seeking Google Drive or Microsoft Office credentials. The fact that any password unlocks the screenshot indicates that the attackers are not verifying the validity of these credentials during the phishing attack, which lowers the sophistication of the attack.

In a separate maritime cyber incident this week, Norwegian cruise company Hurtigruten experienced a ransomware attack which took some of its services offline. The company announced that the attack affected its “entire worldwide digital infrastructure.” This company is one of many already struggling significantly due to the impacts of the coronavirus pandemic. They state they were targeted by ransomware but have not identified the specific variant which was used.

Red Sky Alliance malicious email data shows that the company has been targeted recently with an email containing a malicious attachment. In early December 2020, an email was sent to chief.officer[at]fr[.]hurtigruten[.]com. The sending email address impersonates an employee from Mediterranean Shipping Company (MSC), which was recently the victim of a major cyber attack and is also one of the largest shipping companies in the world. Analysis of the email header indicates that the sending email was spoofed and attackers have not taken over a legitimate MSC email account.

The message body starts off with a generic “Dear Valued Customer” greeting and is signed by MSC’s “Credit and Collections Dept.” Attached to the email is a malicious .xlsm file containing TrojanDownloader:O97M/Dridex.DR!MTB malware. This is a variant of the infamous Dridex banking trojan. This malware is used by attackers to steal banking and financial credentials associated with a target. However, it can also be used to download other malicious modules and malware such as ransomware.
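The two checks the analysts rely on above, a signature domain that disagrees with the sending address (the “Mohammed Yousef Abdul” campaign) and a message header that shows the From address was spoofed rather than a legitimate account being used (the MSC lure), can be scripted for mail triage. The following is an added example, not Dryad Global's or Red Sky Alliance's tooling: it runs those two checks plus the MV/MT subject-line lure over a constructed message; the domain names, header values and regular expressions are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject lure (MV / MT / M/V / M/T) and a loose domain matcher for the
# signature block; both are assumptions, not Red Sky Alliance's query logic.
VESSEL_LURE = re.compile(r"\b(?:M/?V|M/?T)\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

def domain_of(header_value):
    # Domain of the first address in a header, lower-cased ('' if none).
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage(raw_eml):
    # Returns (code, detail) findings for one RFC 5322 message.
    msg = message_from_string(raw_eml)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    # A From domain that differs from the envelope sender is the classic spoof.
    if rp_dom and rp_dom != from_dom:
        findings.append(("envelope_mismatch", f"{rp_dom} != {from_dom}"))
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append(("auth_fail", auth))
    if VESSEL_LURE.search(msg.get("Subject", "")):
        findings.append(("vessel_lure", msg["Subject"]))
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True).decode(errors="replace")
        # Domains written in the body/signature that are not the sending domain.
        others = {d.lower() for d in DOMAIN_RE.findall(body)} - {from_dom}
        if others:
            findings.append(("signature_domain_mismatch", ",".join(sorted(others))))
    return findings

# Constructed sample (not the captured email): From claims the carrier's domain,
# while the envelope sender, SPF result and signature domain all disagree.
SAMPLE_EML = """\
From: "Credit and Collections Dept." <collections@carrier-example.test>
Return-Path: <bounce@bulk-sender-example.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=bulk-sender-example.test; dkim=none
Subject: MV Example Star / Outstanding invoice

Dear Valued Customer,
Credit and Collections Dept.
www.agency-example.test
"""
```

Calling `triage(SAMPLE_EML)` yields four findings in the order of the checks; a message whose From, Return-Path and signature all agree and whose subject carries no vessel keyword yields none.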

According to information from the Cybersecurity & Infrastructure Security Agency (CISA), this malware is attributed to Evil Corp, or TA505. This is one of the groups listed on the US Treasury’s OFAC Specially Designated Nationals and Blocked Persons List (SDN List). The following statement was published in October 2020 by the Dept. of Treasury:

Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s SDN List, other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).[1]


[1] https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf




Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organisational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.
