Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation
Wapack Labs performs weekly queries of our backend databases, identifying all new malicious emails whose subject line contains a Motor Vessel (MV) or Motor Tanker (MT) name. Vessel prefixes such as MV and MT in a subject line are a common lure used to entice staff in the maritime industry to open emails carrying malicious attachments or phishing links. This weekly list names the vessels that Wapack Labs directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Recipients should be aware of the subject lines used and of the sending addresses that attempt to deliver these messages.
Significant Vessel Keywords:
- MT, M/T: motor tanker (also read as merchant tanker)
- MV, M/V: motor vessel (also read as merchant vessel)
- MY, M/Y: motor yacht
- VLCC: very large crude carrier
- ULCC: ultra large crude carrier
- RV, R/V: research vessel
- FPSO: floating production, storage and offloading unit
Figure 1. Approximate geo-location of the receiving IPs of the malicious emails, derived from Wapack Labs' malicious email collection. Locations are approximate, not exact.
Figure 2. Approximate geo-location of the sender IPs of the malicious emails, derived from Wapack Labs' malicious email collection. Locations are approximate, not exact.
Table 1: Subject lines, impersonated vessels, malware detections, sender data and targeted domains seen in Wapack Labs' malicious email collection from October 25, 2019 to November 1, 2019.

| First Seen | Subject Line Used | Malware Detection | Sending Email | Targets |
| --- | --- | --- | --- | --- |
| October 27, 2019 | Delivered: Re: M/T Eleanna | TrojanDownloader:O97M/Emotet.OU!MTB (Microsoft) | "smugica@smprevencio.com" <sales1@microcomm.com.sg> | relay2.station12.com, brts.barracuda.com, amosconnect.com, microcomm.com.sg, cloudmail101.zonecybersite.com, spamexpertfilterw.mschosting.com |
| October 27, 2019 | Request PDA - MV Tasmanic Winter - V 075 / Discharging | Trojan:Script/Oneeva.A!ml (Microsoft) | "COSCO SHIPPING BULK CO" <1f02726728@a5eeea0a73a.com> | a5eeea0a73a.com, c2634.net |
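As an added example that is not part of the Wapack Labs report, the following Python script shows how two of the signals visible in Table 1 can be turned into a simple mail-triage check: a vessel-prefix keyword from the list above in the subject line, and a From header whose display name does not match the actual sending address (an address at another domain written into the display name, as in the Eleanna row, or an organisation name that the sending domain does not reflect, as in the Tasmanic Winter row). The sample messages are constructed: their Subject and From values are copied from Table 1, while the attachment name Eleanna.doc, the legitimate sender ops@portagency.example and the message bodies are hypothetical.

```python
"""Triage of inbound mail for vessel-name lures (added example, not Wapack Labs code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Vessel prefixes from the report's keyword list: MT/M/T, MV/M/V, MY/M/Y, RV/R/V, VLCC, ULCC, FPSO.
# Group 1 is the prefix, group 2 the vessel name after it, cut at " - ", "/", ",", "(", ":" or end.
VESSEL_KEYWORD = re.compile(
    r"\b(M/?T|M/?V|M/?Y|R/?V|VLCC|ULCC|FPSO)\s+"
    r"([A-Za-z][A-Za-z' ]*?)(?=\s*(?:-|/|,|\(|:|$))"
)

# An e-mail address written inside the display-name part of a From header.
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Attachment names that suggest an Office macro document (cf. the O97M detection in Table 1).
OFFICE_ATTACHMENT = re.compile(r"\.(docm?|dotm?|xlsm?|xlam?|pptm?|rtf)$", re.I)


def vessel_lure(subject):
    """Return (prefix, vessel name) when the subject carries a vessel-name lure, else None."""
    m = VESSEL_KEYWORD.search(subject or "")
    return (m.group(1), m.group(2).strip()) if m else None


def from_header_findings(from_header):
    """Two heuristics on the From header, both visible in Table 1:
    1. the display name is itself an address at a domain other than the sending one;
    2. the display name names an organisation that the sending domain does not reflect."""
    display, addr = parseaddr(from_header or "")
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    embedded = list(EMAIL_IN_TEXT.finditer(display))
    if embedded:
        for m in embedded:
            if m.group(1).lower() != sender_domain:
                findings.append(f"display name carries {m.group(0)} but the message was sent from {addr}")
    else:
        words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", display)]
        if words and not any(w in sender_domain for w in words):
            findings.append(f"display name {display!r} is not reflected in sender domain {sender_domain}")
    return findings


def triage(raw_message):
    """Parse one RFC 822 message and combine the three signals into a verdict."""
    msg = message_from_string(raw_message)
    report = {
        "lure": vessel_lure(msg.get("Subject")),
        "sender": from_header_findings(msg.get("From")),
        "office_attachments": [],
    }
    for part in msg.walk():
        name = part.get_filename()
        if name and OFFICE_ATTACHMENT.search(name):
            report["office_attachments"].append(name)
    # A vessel name alone is normal maritime traffic; it is the lure combined with a
    # spoofed sender or a macro-capable attachment that warrants a closer look.
    report["suspicious"] = bool(report["lure"]) and bool(report["sender"] or report["office_attachments"])
    return report


# Constructed samples. Subject and From values are copied from Table 1; the attachment
# name, the legitimate sender and the bodies are hypothetical, not from the report.
SAMPLE_ELEANNA = """\
From: "smugica@smprevencio.com" <sales1@microcomm.com.sg>
Subject: Delivered: Re: M/T Eleanna
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached delivery note.
--b1
Content-Type: application/msword; name="Eleanna.doc"
Content-Disposition: attachment; filename="Eleanna.doc"

(attachment bytes omitted in this constructed sample)
--b1--
"""

SAMPLE_TASMANIC = """\
From: "COSCO SHIPPING BULK CO" <1f02726728@a5eeea0a73a.com>
Subject: Request PDA - MV Tasmanic Winter - V 075 / Discharging
Content-Type: text/plain

Kindly send the PDA for the above vessel.
"""

SAMPLE_LEGIT = """\
From: Port Agency Ops <ops@portagency.example>
Subject: MV Tasmanic Winter - PDA attached as requested
Content-Type: text/plain

PDA figures follow below.
"""

if __name__ == "__main__":
    for label, raw in (("Eleanna", SAMPLE_ELEANNA), ("Tasmanic", SAMPLE_TASMANIC), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw))
```

The verdict deliberately requires a second signal on top of the vessel keyword: a genuine port agent writing about "MV Tasmanic Winter" from a domain that reflects its name is left alone, while the two Table 1 messages are flagged for the sender mismatch and, in the Eleanna case, the Office attachment. These are cheap header heuristics, not a substitute for SPF/DKIM/DMARC evaluation or attachment detonation.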
In the two collections above, for MT Eleanna and MV Tasmanic Winter, we see malicious actors using real vessel names to spoof companies in the maritime supply chain.
Figure 3. Marine Traffic results for MT Eleanna
MT Eleanna is an actual oil and chemical tanker operating under the flag of Panama. Analysis shows that a malicious email was sent to multiple domains registered to telecommunications and web hosting companies. The payload was detected as TrojanDownloader:O97M/Emotet.OU!MTB[1]; the O97M prefix denotes a malicious Office macro document, and Emotet is a well-known banking trojan that by 2019 was used chiefly as a downloader for further malware. The subject line of the malicious email was: "Delivered: Re: M/T Eleanna". Note also the From header: the display name is itself an address at smprevencio.com, while the message was actually sent from sales1@microcomm.com.sg.
An unsuspecting employee at one of these web hosting companies would see the word "Delivered" in the subject line, possibly tempting them to open the email for the details of an apparent delivery. One of the targeted domains is amosconnect.com, the website of the AmosConnect software from Stratos Global. AmosConnect is an email service that communicates over satellite links and is therefore widely used aboard vessels in the maritime industry. If the macro document is opened and the downloader runs, the company, or potentially the AmosConnect email service itself, could become an infected member of the maritime supply chain and go on to infect vessels, port facilities and/or shore companies in the marine and oil and gas supply chain with additional malware.
Figure 4. Website for the AmosConnect software from Stratos Global
In the second example, the subject line is "Request PDA - MV Tasmanic Winter - V 075 / Discharging". A PDA (proforma disbursement account) is the estimate of port call costs that a ship's agent prepares ahead of a call, so a PDA request reads as routine agency correspondence. The intended targets of this email were two domains with random-looking names, and the sender is equally suspect: the display name claims to be "COSCO SHIPPING BULK CO" while the message comes from a random-looking mailbox at a5eeea0a73a.com, a domain with no relation to that company. The MV Tasmanic Winter is a real American-flagged general cargo ship, at the time of writing sailing in the English Channel just north of France. At first glance, an American cargo ship is requesting shipping documents; to an employee of a shipping company expecting the arrival of the MV Tasmanic Winter this would appear to be a legitimate email, enticing them to open it and run malware like the listed Trojan:Script/Oneeva.A!ml detected by Microsoft's antivirus (the !ml suffix marks a machine-learning-based detection).
Figure 5. MV Tasmanic Winter info from Marinetraffic.com
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages before they reach staff inboxes, but attackers develop new techniques to evade current detection daily. Pre-emptive information from the Wapack Labs RedXray diagnostic tool, our Vessel Impersonation reports and the Maritime Blacklists offers a proactive way to block these attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts are beginning to see maritime-specific examples of these attacks: a recent incident in the Gulf of Guinea saw cyber criminals send spoofed emails requesting a cargo manifest, with a view to attacking the vessel and targeting the containers with the highest-value contents.
The more convincing an email appears, the greater the chance employees will fall for it. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.[2]
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to identify a potential phishing attempt.
- Verify unexpected emails and supply-chain requests through direct communication over a separate channel, such as a phone number already on file, rather than by replying to the message.
- Use Wapack Labs RedXray proactive support, our Vessel impersonation information and use the Maritime Blacklists to proactively block cyber attacks from identified malicious actors.
About Wapack Labs
Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
[1] https://www.virustotal.com/gui/file/97850a2cb486e962b0aa0f66d37212a71e0c14a9de4dc489fce8c34c2e907b5b/detection
[2] https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444