Maritime Cyber Security & Threats Aug 2020 Week One
By: Dryad Global on August 10, 2020 at 9:29 AM
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
| --- | --- | --- | --- | --- |
| Aug 1, 2020 | Documents for the Sea shipment(MATZ MAERSK / 017W , ETA:2/08) | Exploit:O97M/CVE-2017-11882.AT!MTB | jyun@woohyunshpg.co.kr | phoenix-tc.com |
| Aug 1, 2020 | Re: Ocean Shipment #CS004347 - ARRIVAL | JS.Heur.Morpheus.8.Gen | Mohamed hesham <mohamedhesham_232012@hotmail.com> | Targets Not Disclosed |
| Aug 1, 2020 | Freight Inv Confirm A/C ENERGY TRANS INDUSTRIAL CO.,LTD | TrojanDownloader:O97M/Obfuse.YO!MTB | ENERGY TRANS INDUSTRIAL CO.,LTD | ecfbb38e91a.sg |
| Aug 2, 2020 | URGENT - Pda, port info - loading bagged rice LT TBN 38 | Exploit:O97M/CVE-2017-11882.AT!MTB | Simon Schlegel <07e05c44ac84582@86b660.com> | d397f.com |
| Aug 2, 2020 | // SHIPMENT ADVISE // SEA SHIPMENT/28CTNS HB/L # DAC0024943 COB: 02-AUGUST-2020 | Trojan:Win32/Wacatac.C!ml | CONG TY TNHH SOUTH SUNRISE <purchase@southsunrise.com.vn> | electroputere.ro |
| Aug 2, 2020 | Mail from caf9@91f29e7f0.com - Info R-Freight | TrojanDownloader:O97M/Emotet.FSK!MTB | "Info R-Freight <caf9@91f29e7f0.com>" <2928dd247@7c8680829.com> | 79f8dc.com |
| Aug 3, 2020 | subject vessel calling Longkou port, pls kindly submit pda for attached voy= | Trojan:MSIL/AgentTesla.VN!MTB | "Jerry Lv - sinoagent" <g.agent@sinoagent.com> | sinoagent.com |
| Aug 3, 2020 | MV PANAMAX BREEZE calling Longkou | Trojan:MSIL/AgentTesla.VN!MTB | "Jerry Lv - sinoagent" <g.agent@sinoagent.com> | sinoagent.com |
| Aug 3, 2020 | air freight shipment | Trojan:Win32/Wacatac.C!ml | "jimmy.mehta@adityabirla.com (Nadine Talmon)" <jimmy.mehta@adityabirla.com> | altn.com |
| Aug 3, 2020 | [DHL] SC# 84979926 Cargo Delivery | Trojan:Win32/Wacatac.C!ml | Anunayi Kumari Kar {DHL}<Procurement_Help_IN@dhl.com> | silloptics.de |
| Aug 3, 2020 | Fw:RE: Container shipment PL PI984132 | Trojan:Win32/Wacatac.C!ml | Serena <deba8a67a@f80cb250.de> | 589ab18.com |
| Aug 3, 2020 | [YIC] JULY-09 SEA SHIPPING DOC. | Trojan:MSIL/AgentTesla.MK!MTB | Imiso (Miso_Lee) <odessa@amicavia.com.ua> | Targets Not Disclosed |
| Aug 3, 2020 | MV OCEAN HERO : CTM DELIVERY | Exploit:O97M/CVE-2017-8570.BK!MTB | "Hanaro Marine Suppliers, S.A." < hanaro-csi@ikmc.net> | ikmc.net |
| Aug 4, 2020 | RFI for XL MV MS Project | Trojan:Win32/Wacatac.C!ml | "Damai Desnathalya Latjuba" <damaidesnathalya@huawei.com> | huawei.com |
| Aug 6, 2020 | FW: E-1029 - LENIGME 26.06.20 1 x 20'GP -Invoice & Images Container load 26.06.2020 | TrojanDownloader:O97M/Emotet!rfn | "Charlene Olivier" <f754e2a3@04874143b17320a287808.com> | 25e47a6fc.za |
| Aug 6, 2020 | Vessel Antivirus out of date,#uid: 9406465 in AVSupport | TROJ_GEN.F0D1C00BG20 | "Port-IT Support Desk" <strio@port-it.nl> | amosconnect.com |
| Aug 7, 2020 | FDA reminder for Port / FDA Pending/ 2 / Singapore / NAF1900479 / 03-Dec-2019 / 04-May-2020 | Trojan:Win32/Wacatac.C!ml | Disbursements <326cc10d11d7@21f579.biz> | b93c9277eafd7.com |
| Aug 7, 2020 | MV Olympic V.1812//Request For EPDA and Liner Expenses | Trojan:Win32/Wacatac.C!ml | "Louis" <sumin@paddocksjeans.com> | Targets Not Disclosed |
| Aug 7, 2020 | Rise of Piracy at Sea 2020/Maritime Security | Exploit:O97M/CVE-2017-11882.AT!MTB | Operations Al Safina Security<caf9@8f87a1cadb65d9c2.ae> | 2010546c.biz |
| Aug 7, 2020 | RE: Re: MV HUA SHAN CALLING / FDA | Trojan:Win32/Wacatac.C!ml | "E.S." <escho@dyulc.co.kr> | Targets Not Disclosed |
| Aug 7, 2020 | Inquiry PDA at Incheon(S.S. Pacific Enlighten) | Trojan:Win32/Wacatac.C!ml | <y.yamaya@lngmt.jp> | Targets Not Disclosed |
| Aug 7, 2020 | RE: Container | VBA/Agent.BIP!tr.dldr | "Aurea Stemmer" <c761dc695@a22fe881a75.com> | bdfb73ebf704abc9a.com |
| Aug 7, 2020 | 回复: 回复: FOB LCL SHIPMENT EX-SHANGHAI TO CHITTAGONG; SHPR/SHANGHAI HONSUN | HEUR:Trojan.Script.Generic | Shi Hongjun <d.ahrens@ep-online.de> | rightel.ir |
Top 5 Malicious Maritime Subject Lines
| Subject Line Used | Email Sender Using Subject Line | Times Seen |
| --- | --- | --- |
| SHIPPING DOCUMENTS | “Jobin Philipose” <info@manhal.com>, “MAERSK LINE” <a32@fd8e08.com>, <c13e@fd8e08.com>, <078c0@fd8e08.com>, <8a94bdf@fd8e08.com> | 32 |
| RFI for XL MV MS Project | "Damai Desnathalya Latjuba" <damaidesnathalya@huawei.com> | 6 |
| (350920) Vessel Antivirus out of date,#uid: 9406465 #18 | "Port-IT Support Desk" <strio@port-it.nl> | 6 |
| Delivery Notice: confirm your order | Port Express Note <0d0de9fed9e@0b91dfc.cn> | 6 |
| FW: E-1029 - LENIGME 26.06.20 1 x 20'GP -Invoice & Images Container load 26.06.2020 | "Charlene Olivier" <14bf666a9b6a643e@cf1b7b234fe43bde.it>, "Charlene Olivier" <f754e2a3@04874143b17320a287808.com> | 5 |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Panamax Breeze” and the “MT Marine Hope” among others.
Analysts observed the malicious subject line “MV Olympic V.1812//Request For EPDA and Liner Expenses” being used this week. “MV Olympic” has been observed in numerous malicious email subject lines in the past. The vessel is popular in Washington State for its historical value as a Washington State Ferry. The exact same subject line has been used by the following senders beginning in January 2019:
- “Najima Yuki” <jpnjm[at]hmm21[.]com>
- “Millenia Maritime Inc/Supply Department [mailto:purchasing[at]millenia[.]gr]”
- “SOUTHERNPEC (S’PORE)_SHIPPING_PTE_LTD” <lau[at]southernpec[.]com[.]sg>
- "LX MARINE CO.,LTD" <lxm[at]lxmarine[.]co.kr>
- "Louis" <sumin[at]paddocksjeans[.]com>
The attacker in this most recent case is sending from “Louis” <sumin[at]paddocksjeans[.]com>. The signature shows that the sender “Louis Lau” is an Operations Executive with “SOUTHERNPEC (S’PORE) SHIPPING PTE LTD”, which is listed above as one of the sending aliases. In other words, the sender identifies themselves as Louis Lau multiple times, but sends the malware from different email addresses.
As you can see above, the email address listed in the signature (lauxh[at]souternpec[.]com.sg) is very similar to one of the sending emails listed above (lau[at]southernpec[.]com.sg). It is likely that someone is leveraging this operations executive’s position to commit cyber-attacks. As with many of the observed malicious emails, this one contains a generic “Good Day” greeting so it can be used to target multiple recipients.
When the target opens the attachment “MV Olympic V.1812Request for EPDA and Liner_Expenses_pdf.rar” they may think that they are opening a PDF containing a “vessel description.” However, they would actually be opening a RAR file and activating Spyware.AgentTesla malware, which has the ability to steal sensitive data from the victim and gives the attacker the opportunity to install other malware for future cyber-attacks.
Analysts observed another malicious email subject line being used “回复: 回复: FOB LCL SHIPMENT EX-SHANGHAI TO CHITTAGONG; SHPR/SHANGHAI HONSUN.” The sender uses a generic greeting in this email just as we see with other spam malware campaigns. There are multiple indications that this email is malicious.
The sending email address is “d.ahrens[at]ep-online[.]de,” however the reply-to address is “reliablesalosusa[at]outlook[.]com.” While the EP-Online domain does not appear to lead to a valid website, it is possible the attacker was attempting to spoof the ElectronicPartner (EP[.]de) company. Although the sender’s name in the email header is “Shi Hongjun,” the email is signed by “Monice Maria Mesa” (the Manager at Inexport Logistics LLC in Florida, US). All of these contradictions further indicate that the email is malicious.
The target appears to be an employee at Rytl in Iran. Rytl is a telecoms provider in Iran. The employee’s position at the company is unclear. When the recipient opens the .html attachment disguised as “PO56#45.html,” they are actually activating a fake webpage which attempts to steal their MS Office credentials. When opened, the html file requests the sign-in credentials so the user can view the spreadsheet in Excel. When the target enters their credentials, they are then exfiltrated to a server owned by the attacker.
These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
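The indicators called out in the analysis above (the MV/MT keyword lure the weekly queries key on, a Reply-To pointing at a different domain than the sender, a display name that shows one address while the mail comes from another, a document-looking name on an archive, an HTML attachment, and a sender already on the blacklist) can be turned into a first-pass triage check on incoming mail. The script below is an added example, not code from Dryad Global or Red Sky Alliance: it applies those checks with Python's standard `email` package to messages it constructs in memory. The sample messages are constructed for illustration (only the `sumin@paddocksjeans.com` address and the subject lines are taken from the tables above); the blacklist, the recipient address and the attachment contents are placeholders.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed blacklist, seeded with one sender from the weekly table above.
# In practice this set would be fed from the Maritime Blacklist feed.
BLACKLISTED_SENDERS = {"sumin@paddocksjeans.com"}

VESSEL_LURE = re.compile(r"\bM[VT]\b")                # "MV ..." / "MT ..." bait in the subject
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")  # an address written into the display name
DECOY_EXT = re.compile(r"[._ -](?:pdf|docx?|xlsx?)\.(?:rar|zip|7z|exe|iso|scr)$", re.I)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(msg: EmailMessage) -> list:
    """Return the indicators found in one message (an empty list means nothing was flagged)."""
    findings = []
    name, sender = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))

    if VESSEL_LURE.search(subject):
        findings.append("vessel-name lure in subject")
    if sender.lower() in BLACKLISTED_SENDERS:
        findings.append(f"sender on maritime blacklist: {sender}")

    # Display name carrying a different address than the one the mail is really from.
    shown = EMBEDDED_ADDR.search(name)
    if shown and shown.group(0).lower() != sender.lower():
        findings.append(f"display name shows {shown.group(0)} but mail is from {sender}")

    # Reply-To on another domain than the sender (the ep-online / outlook contradiction above).
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(f"reply-to domain {domain_of(reply_to)} != sender domain {domain_of(sender)}")

    # "..._pdf.rar": a document-looking name on an archive/executable, and HTML attachments.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if DECOY_EXT.search(fname):
            findings.append(f"decoy extension on attachment: {fname}")
        if fname.lower().endswith((".html", ".htm")):
            findings.append(f"html attachment: {fname}")
    return findings


def build_sample(from_: str, subject: str, reply_to: str = "", attachment: str = "") -> EmailMessage:
    """Construct a sample message in memory (test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = from_
    msg["To"] = "ops@example-agency.invalid"  # placeholder recipient
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Good Day,\n\nPlease find attached.\n")
    if attachment:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


SAMPLES = {
    "olympic": build_sample('"Louis" <sumin@paddocksjeans.com>',
                            "MV Olympic V.1812//Request For EPDA and Liner Expenses",
                            attachment="MV Olympic V.1812Request for EPDA and Liner_Expenses_pdf.rar"),
    "honsun": build_sample("Shi Hongjun <d.ahrens@ep-online.de>",
                           "FOB LCL SHIPMENT EX-SHANGHAI TO CHITTAGONG; SHPR/SHANGHAI HONSUN",
                           reply_to="reliablesalosusa@outlook.com",
                           attachment="PO56#45.html"),
    "rfreight": build_sample('"Info R-Freight <caf9@91f29e7f0.com>" <2928dd247@7c8680829.com>',
                             "Mail from caf9@91f29e7f0.com - Info R-Freight"),
    "benign": build_sample("Port Agent <agent@example-port.invalid>",
                           "Berthing confirmation for tomorrow"),
}


def triage_all(samples=SAMPLES) -> dict:
    """Run triage over every sample and map its key to the list of findings."""
    return {key: triage(m) for key, m in samples.items()}


if __name__ == "__main__":
    for key, findings in triage_all().items():
        print(f"{key}: {findings or ['clean']}")
```

A vessel name in the subject is by itself only a weak signal, since legitimate port agents send exactly such mail; the value of the check comes from combining it with the header contradictions and the blacklist, which is why the function returns every indicator rather than a single verdict.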
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.
Pre-empt, don't just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support and our Vessel Impersonation information, and use the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.