13 min read

Maritime Cyber Security & Threats Sep 2020 Week One


Featured Image

Dryad and cyber partners RedSkyAlliance continue to monitor the stark upward trend in attempted attacks within the maritime sector.

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of  backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

Cyber Featured Image TwitterWith our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Sign up for Cyber Threat Notifications

Malicious Email collection 29 Aug-5 Sep 2020

 First Seen

Subject Line Used

Malware Detections

Sending Email

Targets

Aug 29, 2020

RE: Request flight booking for MV. SEA FUTURE off signers at INCHEON, KOREA

TrojanDownloader:O97M/Emotet!rfn

"Ms. San San" <accounts2@princehr.com>

withuskor.com

Aug 29, 2020

Mix container 2 purchase orders

Exploit:O97M/CVE-2017-11882.YR!MTB

kelly.mfc.china@mikado-foods.de

argomarine.co.kr

Sep 01, 2020

Undeliverable: RE: Arrival Notice For BL - 120910126192 / Vessel - MV\r\n Crystal BAY / Voyage - 19014S

Trojan:Win32/Wacatac.C!ml

<postmaster@vs-i.com>

skshipping.com

Sep 01, 2020

Re: MV YAN DUN JIAO 1 (V.1904)

Trojan:Win32/Ymacco.AAB6

"PHILHUA SHIPPING AGENCY (RIZHAO)" <rizhao@philhua.com>

philhua.com

Sep 01, 2020

P19009 - KARACHAGANAK PETROLEUM OPERATING - EPC FOR KARACHAGANAK EXPANSION PROJECT KEP1 - RFQ-00-1 Offshore Drilling Equipment\'s,Refineries & petrochemical plants,AHU,FCU, Pipe, Valve, Pump, Fittings and Heat Recovery Unit4

Trojan:Win32/Wacatac.C!ml

Ahmad Al Fahoum (CCEL) <afahom@ccel.ae>

kangrim.com

Sep 01, 2020

Re: Port Inquiry for discharge 30000mt

Trojan:Win32/Wacatac.C!ml

"Yuswan-OPS TEAM" <yuswanl@pertamajaya.com>

pertamajaya.com

Sep 01, 2020

RE: Fw: Pulp basah dan kotor di MV Intan Daya

Trojan-Downloader.VBA.Emotet

"Jasmadi Jasmadi" <7348cba539@37b925b96.br>

b4bd8b7c1f5a.com

Sep 02, 2020

Fwd: Documents for the first container

Trojan:Win32/Wacatac.C!ml

Cargo <pauld@imss.co.za>

naver.com

Sep 02, 2020

RE: Preliminary Survey Report Cargo Condition discharge Wire Rod and Steel Bar MV. MIIKE. V.084 at Jakarta.

TrojanDownloader:O97M/Emotet.RKC!MTB

"Sugiyanto Tomo" <232e342da3cce04@093ddefc9c4.gt>

b4bd8b7c1f5a.com

Sep 03, 2020

RE: TANGLIN AGENCY - PO P522207 OCEAN FRONT

VBA/Agent.AUZ!tr.dldr

"Cheryl" <1ac45@f82ab8686.com>

b4e8f423.com

Sep 03, 2020

SPAM: Re: Cargo Arrival Notice - Job No: LI-200315060007-8 / HBL:\r\n 320610003918

Trojan:MSIL/AgentTesla.AX!MTB

ADNAN AKHTAR <9aa8c9aa3@b9d47afc168.com>

a0a1ee03.com

Sep 03, 2020

RE: (352293) CMB CHIKAKO / PORT-IT ANTIVIRUS ONBOARD OUT OF DATE #2

TROJ_GEN.F0D1C00BG20

Port-IT Support Desk <strio@port-it.nl>

imecs.co.jp

Sep 03, 2020

=?utf-8?Q?RE:_ADV_Mustervorlage_f=C3=BCr_IT_Sup?=\n    =?utf-8?Q?port?=

HEUR:Trojan.MSOffice.SAgent.gen

"'Thomas Cierzniak \(thomas.cierzniak@als-fra.de\)'" <lanh.pham@vascorp.com.vn>

buscon.de

Sep 04, 2020

RE: Re: MV. OCEAN LEADER - REQEUST SUPPLY AT BINTULU

TrojanDownloader:O97M/Emotet.RKC!MTB

"oceanleader@sea-one.com" <trafico.logistics@emqro.com.mx>

kwship.com

Sep 05, 2020

Re: Scan Report MV. Federal Bristol Disch SMOP at. Padang, Indonesia

TrojanDownloader:O97M/Emotet.RKC!MTB

"Rizal Afrianto" <c7ce14@04acff12871882f7.jp>

b4bd8b7c1f5a.com

Sep 05, 2020

MV OCEAN LEADER / DEPARTURE REPORT AT BINTULU PORT

TrojanDownloader:O97M/Emotet.RKC!MTB

"oceanleader@sea-one.com" <asad.khan@a-plus.tv>

kwship.com

I


Top 5 Malicious Senders

Sender

Malware Sent

trafico.logistics@emqro.com.mx

TrojanDownloader:O97M/Emotet.RKC!MTB

leong.kuan.sang@harbour.com.my

TrojanDownloader:O97M/Emotet.RKC!MTB

asad.khan@a-plus.tv

TrojanDownloader:O97M/Emotet.RKC!MTB

oceanleader@sea-one.com

TrojanDownloader:O97M/Emotet.RKC!MTB

claudiaalick@schutztomail.com

Trojan:Script/Wacatac.C!ml

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Intan Daya” and the “MV Glory Forwarder” among others.

Analysts observed a possible supply chain attack using the malicious subject line “Fwd: Documents for the first container” being used this week. The email appears to reference a shipment that the recipient should already be expecting. This is a common tactic used by bad actors.

The message body is noticeably short and even includes an icon indicating that the email was identified as “Virus-free” by Avast. It is possible that Avast identified the file as safe. Avast AV engine does not detect the email or attachment as malicious. However, attackers may have implanted this into the email to provide a false sense of security for the target.

The email is sent from an email address belonging to Dromex. Dromex is South Africa’s leading PPE wholesaler, so an email regarding a container shipment of PPE would further entice a target to open the malicious attachment. The sender email “pauld@imss.co.za” does not show up in open source, however the Chief Financial Officer’s name is Paul D, so it is more likely the attackers are impersonating this employee.

There is no real signature listed in the email, however, the attackers use “regards” and “cu stima” (Romanian for “Yours truly”) indicating they may be Romanian speakers. Sometimes attackers use the native language of the target, but the target in this case is Korean, so there is no clear reason as to why they are using a Romanian valediction, unless this email is being used as a spam template to target other Romanian recipients.

Although the greeting addresses “All,” the email was sent to a single individual whose email address is listed publicly in open source. The target is a manager working at a Korean auto parts company. The company is one of the leading wholesale dealers of spare auto parts for Korean vehicle manufacturers such as Kia, Hyundai, and Daewoo.

The malicious email attachment uses the file name-

“FisrtContainder_documents+certificates+export+AYHTKO00900XXCVBNN.xxe.” The filename further indicates the attackers do not use English as a native language. McAfee AV engine detects the attached file as Fareit-FZB!2CE3FDF606C7 malware. This malware has the ability to steal and exfiltrate sensitive information and download other malware for further intrusion. Attackers often target major vendors for large companies to gain leverage into the larger company’s network.

Analysts observed two malicious email subject lines both using “MV OCEAN LEADER” as part of their malicious subject lines. The first subject line is “RE: Re: MV. OCEAN LEADER - REQEUST SUPPLY AT BINTULU” and the second is “MV OCEAN LEADER / DEPARTURE REPORT AT BINTULU PORT.” There does not appear to be any clear specific connection between the MV Ocean Leader and Bintulu Port (Malaysia).

The sender alias used in both email is “oceanleader@sea-one.com” however, one email was sent from “asad.khan[at]a-plus[.]tv” and one was sent from “trafico.logistics@emqro.com.mx.” It appears the sender is trying to impersonate himself/herself as an employee of Sea One Holdings, LLC. This company is a logistics company which works in the natural gas and natural gas liquids industry. The attacker is using the alias with “…sea-one[.]com,” but the legitimate company uses the “seaone[.]com” domain. This is a quite simple example of typosquatting in use.

The target of these malicious emails is an email address owned by Kyungwon Shipping Co., Ltd. The company was founded in 2014 as a “national foreign carrier.” The targeted email address is listed publicly in open source on a recruiting webpage.


Book a no-obligation Cyber Consultation

These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.  These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.   Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks.    Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles.  Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently.  Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.

Sign up for Cyber Threat Notifications