Maritime Cyber Security & Threats Jun 2020 Week Four

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of  backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

In this week’s collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain.  Our analysts observed a wide variety of maritime-related subject lines.    Some of the new vessel names used this week include “MV Jia Yu Shan” and “MV Aanya” among others.  For the first time in June, “Maersk Kleven” was not observed in the threat data as part of a malicious subject line.

Analysts observed subject line “RE: PO 525 - Japanese Marine pump inquiry - DC project - Hong Ha shipyard (QE190912R00)” being used in a malicious emails this week. “PO” is an abbreviation which is commonly used in malicious subject lines to indicate purchase orders.  Purchase orders are so common among clients and vendors, that they are also a common disguise malicious use by email senders looking to spread malware.

This malicious email appears to have been sent by, “m-kiire@naniwa-pump.co.jp.” The signature contains a name “Maya Kiire” but their position at the company is unclear.  Although this is the first time this user has been observed sending malicious emails, Red Sky Alliance has observed malicious emails being sent from the naniwa-pump[.]co[.]jp domain as far back as September 2019.  It is common to see attackers leverage multiple employee accounts to commit cyber-attacks after they have infiltrated a company, or to impersonate multiple employees from the same company.

The message body is very short and implies a previous interaction, thanking the recipient for their “cooperation” and asking the recipient to see the “attached COO (Certificate of Origin) reflected your comment.”  However, the COO being referenced is actually a malicious file compressed with GZIP.  Once opened, the attachment would activate Trojan.Win32.VIGORF.C malware which has the ability to steal and exfiltrate sensitive victim information.

Analysts observed a malicious email subject line which was seen last week as well. The email listed as the sender "CHLOE LI <sales@moton-electric.com>” was seen sending a malicious email to the same targets last week.  An email using the sender domain “info@moton-electric.com” appears in a Chinese directory and may belong to Jiangsu Muteng Auto Parts Co., Ltd.  The signature in the email, however, is possibly from SMC Marine Management Pte Ltd and lists the email as “rifai@smcmarine.com.sg” further signaling the email is illegitimate.  Red Sky Alliance has seen “rifai@smcmarine.com.sg” sending malicious emails since at least January 2020.

The message body of the email is also relatively short.  It asks the recipient to “revert best quote attached MV Eviapetrol V Trader requisition” referencing the attached .cab file. Notably, the reply-to email address for the email is a generic Gmail account “hiscod76@gmail.com.” This email has been directly linked to a malspam campaign distributing AgentTesla malware.  Attached to the email is a .cab file which, when decompressed, contains “DMQ0570718 MV EVIAPERTROL V.PDF.exe,” the malicious executable.[1]

In this case, the attackers identified Chloe Li as someone at Jiangsu Muteng Auto Parts Co., Ltd. and attempted to impersonate them.  Attackers will often leverage one user on a network to send malware to an email address used by multiple parties, such as sales@moton-electric.com.

[1] https://bazaar.abuse.ch/sample/4811ffffcb93be6329a8b6653e78a0e84a5f08ec4a467184a8babdecd24eae7b/

Top 5 Malicious Maritime Subject Lines

These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.  These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.   Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks.    Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles.  Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently.  Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is imperative to:

• Train all levels of the marine supply chain to realize they are under constant cyber-attack.
• Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
• Provide practical guidance on how to look for a potential phishing attempt.
• Use direct communication to verify emails and supply chain email communication.
• Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.