12 min read

Maritime Cyber Security & Threats 4-11 April


Featured Image

Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of  backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

Cyber Featured Image TwitterWith our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates resulting in hundreds of victims per day. They can also automate parts of this process for efficiency. It is critical to implement training for all employees to help identify malicious emails/attachments. This is still the major attack vector for attackers looking to attack a network. These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Sign up for Cyber Threat Notifications

Malicious Email collection 8 Feb- 4 Mar 21

 First Seen

Subject Line Used

Malware Detections

Sending Email

Targets

Apr 04, 2021

MV SHENG LE C//DISCH CARGO AT MOROWALI & KENDARI PORT,INDO

MSIL/Agensla.AYU!tr

“Amir Hossain”

chenpeace@skyfile.com

electroputere.ro

Apr 04, 2021

Urgent: Shipping Documents

Trojan:Win32/AgentTesla.PC!MTB

“Danissa Escobar (DHL CL)” Danissa.Escobar@dhl.com

yun-chi.com

Apr 04, 2021

SHIPPING DOCUMENTS-INVOICE PAYMENT

Trojan:Win32/AgentTesla!ml

"Anton - PT. Hankook Ceramic Indonesia"
exports12@zenhankook.id

Targets Not Disclosed

Apr 04, 2021

Arrival Notice(BL#: GDYA05982400) Vessel/Voyage: ATHOS 0016E

Trojan:Win32/AgentTesla!ml

"shipment.info@one-line.com" shipment.info@one-line.com

falconincorporation.com

Apr 04, 2021

Arrival Notice(BL#: GDYA05982400) Vessel/Voyage: ATHOS 0016E

Trojan:Win32/AgentTesla!ml

"shipment.info@one-line.com" shipment.info@one-line.com

bmwindows.vn

Apr 04, 2021

FW: TT NO 013220150027 SHIPPING DOCUMENT

Trojan:MSIL/AgentTesla.AM!MTB

“Yuntae Kim.” filmfiend@hanmail.net

cba.gob.ar

Apr 04, 2021

FW: TT NO 013220150027 SHIPPING DOCUMENT

TrojanSpy:Win32/Swotter.A!bit

“Yuntae Kim.” filmfiend@hanmail.net

cba.gob.ar

Apr 04, 2021

FW: TT NO 013220150027 SHIPPING DOCUMENT

TrojanSpy:Win32/Swotter.A!bit

“Yuntae Kim.” filmfiend@hanmail.net

cba.gob.ar

Apr 04, 2021

ANTISPAM INFO POR Attachment Compressed with Pasword »" Message delivery failure

TrojanSpy:Win32/Swotter.A!bit

"antispam@cba.gov.ar" antispam@cba.gov.ar

cba.gov.ar

Apr 04, 2021

ANTISPAM INFO POR Attachment Compressed with Pasword »" Message delivery failure

TrojanSpy:Win32/Swotter.A!bit

"antispam@cba.gov.ar" antispam@cba.gov.ar

cba.gov.ar

Apr 04, 2021

FW: TT NO 013220150027 SHIPPING DOCUMENT

JS/Phishing.DE!tr

"DHL International" hogris@rebbs.de

polymetcore.com

Apr 04, 2021

[DHL shipping document /duty inv payment.

Hoax.HTML.Phish.xi

“DHL Express” wyc7003@otc.co.kr

gsconst.co.kr

Apr 04, 2021

Re: DOCUMENT + MANIFEST VESSEL

Trojan:MSIL/Tnega.BK!MTB

"Susan Ng" jfpaw@zuix.com

zuix.com

Apr 04, 2021

MV Autai V2101 kendari

Trojan:Win32/Wacatac.B!ml

“Jack Thompson”

Operation@vynass.com

electroputere.ro

Apr 04, 2021

ANTISPAM INFO POR Attachment Compressed with Pasword »" Message delivery failure

Trojan:Win32/DelfInject.VAM!MTB

"antispam@cba.gov.ar" antispam@cba.gov.ar

cba.gov.ar

Apr 04, 2021

SEA AMBER - CTM request - March 2021

PossibleThreat.PALLAS.H

"Damaso" christopher.damaso@vships.com

vships.com

Apr 04, 2021

MT OCEAN CHEMIST / V.2004B / DUE SINGAPORE OR EXTENSION

PWS:MSIL/DarkStealer.AD!MTB

"Capt. Anurag Sharma" operation@mahanadimaritime.com

mahanadimaritime.com

Apr 04, 2021

URGENT TELEX RELEASE - RE Shipment Bill of lading 20170000112

Program:Win32/Wacapew.C!ml

"Maersk Shipping Line" 14709c9@d579338c9ac165.com

e72ac9c0fc8dfd6600e7.ph

 


In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Ocean Chemist” and “MV Autai” among others.

This week, analysts observed attackers attempting to send malware to targets working for the government of Córdoba, Argentina. Córdoba was once the home of Lockheed Martin Aircraft Argentina S. A. and is now the location of Argentina’s main aircraft manufacturer Argentine Aircraft Factory "Brigadier San Martín" S.A.

Notably the attackers target recipients at both the “cba[.]gov[.]ar” and “cba[.]gob[.]ar” domains. Both of these domains are owned by the government of Córdoba. In the past two months alone, these domains have over 2,200 CTAC hits indicating malicious email activity. CTAC visualization data shows that these attacks have significantly increased in a short time span beginning in November 2020.

It is unclear why the attackers are targeting the province with a subject line referencing shipping. While webmail filters ID the email as spam, the subject line used to target multiple recipients is “FW: TT NO 013220150027 SHIPPING DOCUMENT.” It is also noteworthy that while the emails were sent to multiple unique targets, they appear to have been sent at the same time.

The message body of the emails is exactly the same with one exception. The greeting uses the first part of the email address so if the target uses a “Joseph.Smith@cba[.]gov[.]ar” email address, the greeting in the malicious email would be “Dear Joseph.Smith,”. This indicates the attackers are likely using an automated tool to generate these malicious emails. It would also indicate the attackers are not reviewing these emails for errors before sending them.

The email signature is relatively professional in appearance, but the company listed in the signature does not have a public-facing website. The sender is also sending from a hanmail[.]net email address which is a generic Korean webmail provider (similar to Gmail, or Hotmail). Attackers often use these types of accounts because they are more disposable than a legitimate business email address.

At this time, it appears attackers are targeting the government of Córdoba for unknown reasons using malicious email subject lines related to shipping. Often times spikes such as this indicate attackers targeting the company for a specific end goal such as exfiltration stolen sensitive data or activating ransomware for a profit. Red Sky Alliance will continue to monitor this activity.

Book a no-obligation Cyber Consultation

These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.  These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.   Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks.    Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles.  Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently.  Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.

Sign up for Cyber Threat Notifications