Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates resulting in hundreds of victims per day. They can also automate parts of this process for efficiency. It is critical to implement training for all employees to help identify malicious emails/attachments. This is still the major attack vector for attackers looking to attack a network. These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Malicious Email collection 2 Dec 20 - 09 Jan 21
First Seen |
Subject Line Used |
Malware Detections |
Sending Email |
Targets |
Jan 03, 2021 |
RE: MV BULK CHILE/ AFG - CP DD 25th APRIL 2021- calling for discharging 48870mt of DAP in bulk - AGENCY NOMINATION |
TrojanDownloader:O97M/AgentTesla.BK!MTB |
f460b1@eb2033.gr |
d9b56062b9b34.com |
Jan 04, 2021 |
Enquiry: MV Liberty Island, E2381813839 |
Trojan:Win32/Ymacco.AA33 |
“Captain Sergiy Kuzmenko” master@libertyisland.pacificbasin.com |
Targets Not Disclosed |
Jan 04, 2021 |
MV Madeira / request of PDA for discharging iron ore at Ganyu |
Backdoor:Win32/Bladabindi!ml |
"Yuswan" agency@sdunison.com |
hlcfinancier.com |
Jan 04, 2021 |
Re: CARGO SHIPPING REQUEST |
TrojanDownloader:O97M/EncDoc.RVL!MTB |
"Nguyen Trong Trinh (Mr.)" caf9@39ea27d.com |
39ea27d.com |
Jan 05, 2021 |
Tanker Vessels Synergy Maritime |
VB:Trojan.Valyria.3561 |
"Sidhartha Mishra" engel.deleon@aguaplanetaazul.com |
synergyship.com |
Jan 06, 2021 |
Re: RE: ARRIVAL NOTICE / FREIGHT INVOICE[HBL#HKPELGB1803456] |
TrojanDownloader:O97M/Emotet.CSK!MTB |
"Grace" martina.stengg@aon.at |
htns.com |
Jan 06, 2021 |
Re: RE: !!!!URGENT !!!!! We have a live reefer that is threw cargo SZLU9827820 on the HYUNDAI NEPTUNE We cant repair it on the ves |
TrojanDownloader:O97M/Emotet.RKC!MTB |
“Paul Keller” paulke@totalterminals.com |
totalterminals.com |
Jan 06, 2021 |
[Fwd: Re: Verify offshore company bank details for balance\r\n Remittance] |
Exploit:O97M/DDEDownloader.P |
"Mr.Chandrakant L. Shah" asdf@coral.lt |
coral.lt |
Jan 07, 2021 |
RE: MV. KEY FRONTIER (ETA: KAW THAUNG : 05-11-2020) ESTD PORT D/A |
Trojan:Win32/Pwsteal.Q!rfn |
"y-kamiariya"y-kamiariya@fmarine.co.jp |
fmarine.co.jp |
Jan 07, 2021 |
Hyundai Neptune - Move Cargo |
TrojanDownloader:O97M/Emotet.PEG!MTB |
“Drew Sisco” hermien@atikiz.co.za |
hmm21.com |
Jan 07, 2021 |
[FDT] Freight Invoice from FDT. |
TrojanDownloader:O97M/Emotet.SS!MTB |
"Brian Jung" jiperezcabello@wanadoo.es |
htns.com |
Jan 07, 2021 |
OOCL Arrival Notice At Final Destination: OOCL_AN_BL54620153018400012- 6ZE1MA CMA CGM |
Backdoor:Win32/Bladabindi!ml |
490a93719c1a41e96d175b70f8e1@96aa.com |
dfb80f1afb.net |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Liberty Island” and “MV Key Frontier” - among others.
Analysts observed two malicious emails targeting the same shipping company this week, both of which contain the same vessel name “Hyundai Neptune”. This email leverages a few techniques to get the targeted users to open the malicious attachments. As with many malicious emails, this attacker is trying to create a sense of urgency in the target.
The first malicious email uses an abnormally long subject line “Re: RE: !!!!URGENT !!!!! We have a live reefer that is threw cargo SZLU9827820 on the HYUNDAI NEPTUNE We cant repair it on the ves.” This email chain consists of a conversation between multiple employees at Total Terminals International regarding the repair of the Hyundai Neptune vessel. At the end of the email chain, a message is sent to one of the Total Terminal International employees containing a malicious attachment. The attachment, an MS Word document, is titled, “Report.doc.” It is common for attackers to give malicious files a generic name to avoid detection. When the target opens this malicious document, they would actually activate TrojanDownloader:O97M/Emotet.RKC!MTB malware. This malware can install other malicious modules which are used to steal sensitive victim information and/or activate ransomware on the network to earn a profit.
A second email containing the “Hyundai Neptune” vessel name uses the subject line “Re: RE: Hyundai Neptune - Move Cargo.” Just as with the first malicious email, the malicious attachment in this instance was sent at the end of an ongoing email chain. The second email consists of a conversation about the repairs from the first malicious email, with one employee notifying others at the company that cargo from the vessel must be moved. The malicious attachment in this second email is also an MS Word document, however this one is titled, “INV524080 050121.doc.” This attachment also contains a variant of Emotet malware, identified as TrojanDownloader:O97M/Emotet.PEG!MTB. Attackers seem to be targeting this company specifically with Emotet malware. Analysts believe this is likely part of a ransomware campaign or a supply chain attack.
These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to: