Maritime Risk Intelligence Blog

Maritime Cyber Security & Threats Sep 2020 Week Three

Written by Dryad Global | September 22, 2020 at 10:56 AM

Dryad and cyber partners Red Sky Alliance continue to monitor the stark upward trend in attempted attacks within the maritime sector.

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Use of the keywords Motor Vessel (MV) or Motor Tanker (MT) in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we provide a weekly list of motor vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Malicious Email collection 14-17 Sep 2020

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
| --- | --- | --- | --- | --- |
| Sep 14, 2020 | Re: Bulk Cargo Shipment for saaten-union.de | HackTool:Win64/Mimikatz.A | "Chen Xin" <felix.chen@longsailing.net> | saaten-union.de |
| Sep 14, 2020 | Re: Re: Purchase Purse seiner. Tuna vessel | Trojan:Win32/Woreflint.A!cl | Lei Yang <49fd2d524@064b6638.cf> | de8041c.com |
| Sep 14, 2020 | Fwd:RV and Boat Storage Future Add-on | Trojan-Downloader.VBA.Emotet | "Charles Shajari" <08fc70@7a904f387a30206b9.com> | 42f15e645c23f02ff1dad28eb.com |
| Sep 14, 2020 | RE: Final Permit set - Boat Storage | Trojan-Downloader.VBA.Emotet | "charles shajari" <ce3f7c@8adcef713a5.mk> | 42f15e645c23f02ff1dad28eb.com |
| Sep 14, 2020 | Fwd:Swain Boat House | TROJ_FRS.VSNW0EI20 | "Brittney Phillips" <ab8c7e66da21af@5808ec15.com> | 27cde66c2a.com |
| Sep 15, 2020 | MV GENCO STAR / ARRIVAL REPORT AT MIRI PORT | W97M/Downloader.dbv | "star@sea-one.com" <majid@hulumtele.com> | kwship.com |
| Sep 15, 2020 | MOL HIROSHIMA - REMINDER Counter-measure for Soot damage to cargo vehicles in MAZDA stock yard-2 | Trojan.W97M.POWLOAD.THIADBO | "FUKUSHIMA, Hajime" <srashidzada@vicc.co> | cidoship.com |
| Sep 15, 2020 | MV DIVINEGATE / Owners husbandry matter appointment - Yantai Port | Trojan:Win32/Wacatac.C!ml | "Nicholas Chin" <nicholas_chin@epshipping.com.sg> | epshipping.com.sg |
| Sep 15, 2020 | MV. OCEAN LEADER - ARRIVL REPORT AT MIRI | TrojanDownloader:O97M/Emotet.PEE!MTB | "oceanleader@sea-one.com" <storeag@bwrl.in> | kwship.com |
| Sep 15, 2020 | MV KMTC INCHEON - SBP for off Signer - | TrojanDownloader:O97M/Emotet.RKC!MTB | "KMTC INCHEON" <viviana.ramirez@suministroseimpresos.com>; "Lee Won-gun" <wglee@withuskor.com> | Targets Not Disclosed |
| Sep 15, 2020 | Re: RE: MV KMTC TOKYO - 3/O's BIO DATA & CRD FORM | TrojanDownloader:O97M/Emotet.RKC!MTB | "CrewYGN" <edp@veeyesfoundry.com> | withuskor.com |
| Sep 15, 2020 | Re: [Operation] - GFO(V090) - Sailing Report at Kashima, Japan - 200316 | TrojanDownloader:O97M/Emotet.CSK!MTB | "GFOREVER" <compras02@casaguerra.com.mx> | skshipping.com |
| Sep 15, 2020 | RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // | Trojan-Downloader.MSWord.Agent.buh | "A.P. Moller - Maersk" <noreply@maersk.com> | Targets Not Disclosed |
| Sep 15, 2020 | RE: CMA CGM CHRISTOPHE COLOMB - Bridge | Trojan-Downloader.VBA.Emotet | "CMA CGM CHRISTOPHE COLOMB - Bridge <b0cc76405561ab7f3b1@7689502.com>" <f1d968@55be7fd0a4.za> | eae0ec1d660.com |
| Sep 16, 2020 | MV TBN CALL AT DAFENG port / EPDA | Trojan:Win32/Agenttesla.TB!MTB | "OPS" <ops@esmaritime.com> | royaleg.co.kr |
| Sep 16, 2020 | Re: Re: MV DARYA KIRTHI/YANGZHONG -EPDA | Trojan:Win32/Agenttesla.TB!MTB | "csacjpqsw@cnshipping.com" <csacjpqsw@cnshipping.com> | cnshipping.com |
| Sep 17, 2020 | PRE ARRIVAL FORMS FOR SUBJECT VESSEL | Trojan:Win32/Wacatac.D7!ml | lutfullah.ansary@aplombtechbd.com | pacificpatent.com |
| Sep 17, 2020 | Re: [Operation] - GFO(V093) - Sailing report at Port Elizabeth, South Africa - 200805 | TrojanDownloader:O97M/Emotet.CSK!MTB | "GFOREVER" <finance@centralpoint.team> | skshipping.com |
| Sep 17, 2020 | Various spare parts to M.V. Sunrise Ace through Norton Lilly Inter= | Trojan.W97M.EMOTET.TIOIBELH | "Donald Young" <ag@arzni.com> | amosconnect.com |
| Sep 17, 2020 | One piece of coupling spare part to be delivered to M.V. Heroic Ac= | TrojanDownloader:O97M/Emotet.RKC!MTB | "Atlas Marine Services" <export@arzni.com> | amosconnect.com |
| Sep 17, 2020 | [PR259 BIO-MEG] OIL AND MARINE / RFQ / Toyo Engineering & | Trojan:Win32/Woreflint.A!cl | nmw_ikram <nmw.ikram@toyo-eng.com> | Targets Not Disclosed |
| Sep 17, 2020 | Re: : PO 646900 - freight charge - New York Power | TrojanDownloader:O97M/Donoff!MSR | <jerome.marionneau@deffeuille.fr> | safeguard-technology.com |
| Sep 17, 2020 | HAPAG ,MSC PAYMENT JOB NO:1419-1421-1422-1524-1525--1541 | TrojanDownloader:O97M/Emotet.CSK!MTB | "Vinod Mudaliar" <c86a7775c664@727aefab.com> | 2010546c.biz |
| Sep 17, 2020 | RE: [Operation] - GFO(V093) - Sailing report from Taixing, China - 200607 | TrojanDownloader:O97M/Emotet.CSK!MTB | "GFOREVER" <contacto@comarlot.com.mx> | skshipping.com |

Top 5 Malicious Senders

| Sender | Malware Sent |
| --- | --- |
| Mr. Astley Huang / MOLSHIP(S) | Trojan.W97M.EMOTET.TIOIBELH |
| "A.P. Moller - Maersk" <noreply@maersk.com> | Exploit-GBW!3D4258FDCC47, W97M/Downloader.bjx |
| "GFOREVER" <finance@centralpoint.team> | Trojan.W97M.EMOTET.TIOIBELH |
| "star@sea-one.com" <majid@hulumtele.com> | W97M/Downloader.dbv |
| "oceanleader@sea-one.com" <storeag@bwrl.in> | TrojanDownloader:O97M/Emotet.PEE!MTB |

In the above collection, we see malicious actors attempting to use vessel names to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include "MV Divinegate", among others. Analysts again observed bad actors leveraging "Maersk Kleven" in malicious email subject lines; over the past year this vessel has appeared in over a dozen malicious subject lines. The sender continues to use the "A.P. Moller - Maersk" <noreply[at]Maersk[.]com> address in an attempt to trick users into thinking they are receiving a legitimate email from the shipping company, Maersk.

Analysts observed the malicious subject line "RE: [Operation] - GFO(V093) - Sailing report from Taixing, China - 200607" being used this week. Notably, the phrase "Re: [Operation] - GFO(V093)" appears in multiple malicious subject lines this week. This subject line references Taixing Port in China, while the other subject lines reference ports in South Africa and Japan.


The email opens with a generic "Good day" greeting. Typically, this would indicate that the attackers are using a generic spam template against multiple targets. In this case, however, the email lays out a specific schedule, indicating that it references a specific vessel and voyage. The message is signed by the "Master of M/V G. Forever Capt. Sin Jong Hwan." This captain's signature appears in all three emails, which indicates that the captain is being impersonated to commit cyber-attacks and may indicate that their account has been taken over by attackers for that purpose.

All of these emails look very similar and appear to use the voyage schedule as a lure to entice victims to open the malicious attached documents. Although the emails reference ports in different countries, the attachments all carry the following filenames written in Japanese:


• からの変更.doc (Changes from.doc)
• 変化-2020_09_16.doc (Change-2020_09_16.doc)
• に修_2020_09_15.doc (Osamu _2020_09_15.doc)


Although each email targets a separate employee at the company, all the emails target employees of SK Shipping, a major South Korean shipping company. The employees' positions could not be identified using open sources, and the targeted email addresses do not appear anywhere on the company website.

The company is being targeted with Emotet malware (attached to all three malicious emails). This malware has evolved into a significant threat to companies: it can now steal sensitive information and leverage infected devices in attacks against other networks.

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could make the recipient an infected link in the maritime supply chain and thereby spread additional malware to vessels, port facilities and/or shore companies in the marine, agricultural and other industries.
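The collection above shows three recurring, mechanically checkable traits: a display name that is itself an address at a different domain (for example "star@sea-one.com" <majid@hulumtele.com>), a subject built around a vessel name (MV/MT/M.V.), and an Office document attachment carrying Emotet. The following triage script is an added example, not Dryad's or Red Sky Alliance's tooling; the indicator names, regular expressions and the sample message are this example's own constructions, and the Authentication-Results check assumes an upstream gateway that records SPF/DKIM/DMARC verdicts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Added example (not Dryad's or Red Sky Alliance's tooling): indicator names,
# patterns and the sample message below are this example's own constructions.
VESSEL_LURE = re.compile(r"\b(?:M\.?\s?V\.?|M\.?\s?T\.?)\s+[A-Z0-9]", re.I)
OFFICE_DOC = re.compile(r"\.(?:docm?|dotm?|xlsm?)$", re.I)
AUTH_FAIL = re.compile(r"\b(?:spf|dkim|dmarc)=(?:fail|softfail|permerror)", re.I)

def domain(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return the indicator names tripped by one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display name that is itself an address at a different domain, the
    # pattern behind "star@sea-one.com" <majid@hulumtele.com>.
    embedded = parseaddr(name)[1] if "@" in name else ""
    if embedded and domain(embedded) != domain(addr):
        flags.append("display-name-address-mismatch")
    # Subject built around a vessel name (MV / MT / M.V. ...).
    if VESSEL_LURE.search(msg.get("Subject", "")):
        flags.append("vessel-name-subject")
    # Upstream SPF/DKIM/DMARC verdict, relevant to senders spoofing a real brand.
    if AUTH_FAIL.search(msg.get("Authentication-Results", "")):
        flags.append("sender-authentication-failed")
    # Office document attachments are the Emotet delivery vehicle seen here.
    if any(OFFICE_DOC.search(p.get_filename() or "") for p in msg.walk()):
        flags.append("office-doc-attachment")
    return flags

# Constructed sample modelled on the collection's pattern; no real content.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=hulumtele.com
From: "star@sea-one.com" <majid@hulumtele.com>
To: ops@kwship.com
Subject: MV GENCO STAR / ARRIVAL REPORT AT MIRI PORT
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Good day, please find the arrival report attached.
--b1
Content-Type: application/msword; name="ARRIVAL REPORT.doc"
Content-Disposition: attachment; filename="ARRIVAL REPORT.doc"

placeholder-bytes
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any message tripping two or more of these indicators is a reasonable candidate for quarantine and out-of-band verification with the purported sender, which is the direct-communication check the recommendations below call for.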

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support and our Vessel Impersonation information, and use the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.