Wapack Labs reports on the use of vessel names as lures in malicious emails. Using the name of a Motor Vessel (MV) or Merchant/Motor Tanker (MT) in the subject line is a social engineering tactic used by attackers when sending malicious emails to companies related to the shipping industry. Successful infiltrations into transportation-related networks can result in the theft of valuable financial information or the corruption of a system with damaging results. This report provides details about Vessel Impersonations and trending information found in our collections and open source repositories.
Vessel Impersonation emails will often use the name of an MV or MT in the subject line of a malicious email to lend credibility and increase the likelihood of infection. Using open source data from sites like Marinetraffic.com, attackers can find information on the names of Motor Vessels and their past and future ports of call.
The following image is an example of a malicious email using Motor Vessel Impersonation to make the email appear as correspondence regarding the Motor Tanker (MT) Ocean Star.
The domain amshipco.com is a typosquat of the American Steamship Company. The malicious attachment is Lokibot malware that attempts to communicate with the following Lokibot C2.
The email is socially engineered to appear as if it came from a legitimate shipping company, with legitimate contact info listed at the bottom. This email is consistent with other Vessel Impersonation emails we see in our collections and in open source intelligence (OSINT).
Wapack Labs has collected Vessel Impersonation emails since 2015 for situation awareness and trending purposes. The following image shows receiving IPs from malicious emails in our collections from the last 90 days.
Most of these hits are in the US, UK, Germany, China and Singapore. These locations are consistent with the top ten largest shipping countries.
In the last 90 days the following vessels were used the most in our Vessel Impersonation emails.
A full list of MVs impersonated in the last 90 days is provided in Appendix A of this report. The following chart breaks down the types of malicious attachments used in MV impersonation emails.
Most of the malware used in the last 90 days is Lokibot, which is readily available online and easily customizable and concealable. The following C2 URLs were identified delivering malware associated with our Vessel Impersonation emails in the last 90 days.
In addition to checking on motor vessels and merchant tanker vessels, Wapack Labs routinely checks on all major vessel key words:
very large crude carrier
ultra large crude carrier
floating production storage & offloading
On 19 March 2019, the company Norsk Hydro, one of the world’s largest aluminum producers, fell victim to a major cyber-attack. The company’s computer systems were compromised by the ransomware variant LockerGoga, which moved through the firm’s network encrypting files as it spread. This is just one example of the major cyber-attacks that may be employed against maritime targets. Maersk in 2017, and COSCO and Austal in 2018, all fell victim to targeted cyber-attacks. Providing information on companies and ships targeted by cyber criminals is important for situation awareness and early warnings.
The following chart shows the most used subject lines from Motor Vessel Impersonation emails over the last 90 days.
MV Impersonation Subject line
Times seen last 90 days
RE: M.V. OCEAN OUTBACK//CTM REQUEST with ETA January 17th 2019
MV Tianjin Highway - request for quotation for Docking Repair
MV Olympic V.1812//Request For EPDA and Liner Expenses
[SYMSCO] D02011009M - ( M/V Not Specified )
MV SHUHA QUEEN II
Ref: M/V SUCCESS V1 (IMO No 9104081 )
MV."XIE RONG 31" (TT)port charge remittance
Bunker Purchase Order Confirmation : M/V ECOFAITH G.O (Supply Date :
M/V CHANCE STAR-ARRIVAL NOTICE
VSL: MV Glory Sea
REQUEST INFO :: New RFQ for MV YI CHUN 15 (OUR REF.17CF02627)
MV HUA SHENG HAI - SAN LORENZO PDA
MV "Alentejo" TO DISCHARGE 50,000MT OF Hot Briquettted Iron (HBI)
MV ICE RIVER - VOY 201901 / OUR PFDA /
MV TAKASHI ORDER:TKHA-B89170010A
M/V La Guimorais - Discharging Kakinada - Agency Appointment
M/T BASSILEVOUSA INQUIRY
RE: DELIVERY AND DOCUMENTS FOR MV /-EC3/01/19 [CArgo Arrival]
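The subject lines above spell the vessel prefix several ways (MV, MV., M/V, M.V., M/T), so a mail filter that tags these lures has to normalize before comparing against a vessel watch list. The following Python sketch is an added example, not Wapack Labs code; the function names, the term list and the four-vessel WATCHLIST are assumptions built from the subject lines in this report.

```python
import re

# Prefix spellings seen in the report's subject lines: MV, MV., M/V, M.V., M/T.
# The lookbehind keeps "50,000MT" (metric tons) from counting as a tanker prefix.
PREFIX = re.compile(r'(?<![A-Za-z0-9])M[./]?[VT]\b\.?', re.IGNORECASE)
# Port-agency vocabulary taken from the report's sample subjects (assumed list).
TERMS = re.compile(r'\b(CTM|EPDA|PF?DA|RFQ|QUOTATION|ARRIVAL NOTICE|REMITTANCE|'
                   r'PURCHASE ORDER|AGENCY APPOINTMENT|INQUIRY)\b', re.IGNORECASE)

# Constructed watch list: four vessel names copied from the subject lines above.
WATCHLIST = ["OCEAN OUTBACK", "XIE RONG 31", "GLORY SEA", "ALENTEJO"]

def normalize(text):
    """Uppercase and collapse punctuation so 'MV."XIE RONG 31"' compares cleanly."""
    return re.sub(r'[^A-Z0-9]+', ' ', text.upper()).strip()

def classify(subject, watchlist=WATCHLIST):
    """Report whether a subject has a vessel prefix, a watch-listed name, agency terms."""
    m = PREFIX.search(subject)
    vessel = None
    if m:
        tail = normalize(subject[m.end():])
        # Longest name first so a longer vessel name wins over its own prefix.
        for name in sorted(watchlist, key=len, reverse=True):
            n = normalize(name)
            if tail == n or tail.startswith(n + ' '):
                vessel = name
                break
    terms = sorted({t.upper() for t in TERMS.findall(subject)})
    return {"prefix": bool(m), "vessel": vessel, "terms": terms}

# Subjects from this report, plus one constructed benign line (the last).
SAMPLES = [
    'RE: M.V. OCEAN OUTBACK//CTM REQUEST with ETA January 17th 2019',
    'MV."XIE RONG 31" (TT)port charge remittance',
    'VSL: MV Glory Sea',
    'M/T BASSILEVOUSA INQUIRY',
    'Invoice for 50,000MT of coal',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s)
```

A hit on prefix plus a watch-listed vessel is a reason to route the message for attachment inspection, not a verdict by itself, since legitimate agency traffic uses the same wording.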
Monitoring Vessel Impersonation emails allows Wapack Labs to identify trends and campaigns targeting shipping and help protect container shipments, tanker products (oil and gas) and bulk commodities. Identifying the vessels chosen for impersonation gives situation awareness to our customers within the transportation and energy sectors. Wapack Labs produces weekly Maritime Watch Lists and Vessel Impersonation reports that identify malicious cyber activity involving the impersonation of Motor Vessels and Merchant/Motor Tankers. If you have any specific questions regarding the below vessels, please reach out to our analysts for assistance.