Maritime Cyber Security & Threats December 2020 Week 4

Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of  backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates resulting in hundreds of victims per day. They can also automate parts of this process for efficiency. It is critical to implement training for all employees to help identify malicious emails/attachments. This is still the major attack vector for attackers looking to attack a network. These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Malicious Email collection 5 - 12 Dec 2020

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Torrent” and “MV New Wind” - among others.

Analysts observed malicious subject line, “RE: Vessel: SEA HERMES / PO No.: 20-0193-1 - ME AUXILIARY BLOWER\r\n MOTOR” used this week. This email leverages a few techniques to get the targeted users to open the malicious attachments. The company which was targeted by this malicious email has been seen in previous Maritime Reporting (TR-20-153-006).

In May 2020, Fuji Trading, a world leader in marine supplies and engineering, was targeted by a malicious email referencing “fittings for a rescue boat repair.” This malicious email contained a document which attempted to exploit CVE-2017-11882, the commonly observed AV detection. The previously targeted employee was an International Technical Marine sales individual. This company is based in the Netherlands. That same employee is again being targeted, 7 months later, in another malicious email.

Another example of using past identifiers, this past week, a malicious email was sent from a “Senior Procurement Officer” from Wilhelmsen Ship Management. Red Sky Alliance observed attackers sending malicious emails using the same company’s name as an alias in the past (TR-20-307-006). The sender identifies himself as “Hsin Yung, Fong.”

The email consists of a conversation between the attacker and the victim user which eventually leads to a message to the same recipient containing a malicious file attachment. Unlike many of the malicious emails seen in the past, this email uses a specific “Dear [Employee Name]” greeting. The attachment titled “dec.-22-6940019-2020.doc” is a malicious MS Word document. As with many of the malicious Emotet documents seen in the past, this one displays a message to “enable content” and “editing” further enabling the malware to infect the system.

If opened, the targeted victim would activate the infamous Emotet malware on their system. This malware is an advance trojan with the ability to steal sensitive information and download other malware as part of a cyber-attack. This malware is often spread via email through a malicious link or, as in this case, a malicious attachment. Often attackers are looking to steal sensitive data, yet this access to the network also provides an option to activate ransomware if they decided to make a quick profit.

Those who work in the security industry can quickly identify the suspicious aspects of these emails, but a targeted user often will not. Even if attackers can only get 10% of victims to open their malicious email attachments, they will send thousands out in a day using similar templates resulting in hundreds of victims per day. They can also automate this process for efficiency. It is critical to implement training for all employees to help identify malicious emails/attachments. This tactic is still the number one attack vector for attackers looking to attack a network.

These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.  These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.   Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks.    Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles.  Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently.  Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is imperative to:

• Train all levels of the marine supply chain to realize they are under constant cyber-attack.
• Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
• Provide practical guidance on how to look for a potential phishing attempt.
• Use direct communication to verify emails and supply chain email communication.
• Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.