Vessel Impersonation 11 27 2019

Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation

Red Sky Alliance performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Using Motor Vessel (MV) or Motor Tanker (MT) keywords in the subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this weekly list of vessels that Red Sky Alliance directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver the messages.

Significant Vessel Keywords:

  • MT, M/T: merchant tanker
  • MV, M/V: merchant vessel
  • MY, M/Y: motor yacht
  • VLCC: very large crude carrier
  • ULCC: ultra large crude carrier
  • RV, R/V: research vessel
  • FPSO: floating production storage & offloading

Figure 1. Geo-location of receiving IPs of the malicious emails. Location is not exact and is the approximate location of the receiving IP gathered from Red Sky Alliance’s malicious email collection.

Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is the approximate location of the sender IP gathered from the malicious email collection.

Table 1: List of subject lines, motor vessel, type of malware sent and sender data seen in Red Sky Alliance’s malicious email collection from November 21, 2019 to November 26, 2019.

First Seen | Subject Line Used | Malware Detections | Sending Email | Targets
Nov 22, 2019 | BUNKER ESTIMATE - MV SEA HORSE 20TH MAY.2019 | Trojan:Win32/Skeeyah.A!MTB - Microsoft | "YEOSU OCEAN CO.,LTD." <ybalicaway@cebuace-maritime.com.ph> | woas.net
Nov 23, 2019 | MT DELIA //CTM REQUEST with ETA 31st Nov 20192 | Trojan:Script/Casur.A!cl - Microsoft | "China Construction Bank" <309cd38@e49cdf609f3ac2.com> | e49cdf609f3ac2.com
Nov 25, 2019 | MV BAO XIANG LING-ARRIVAL NOTICE | MSOffice/CVE_2017_11882.C!exploit - Fortinet | "Hengxin Shipping Co.,Ltd." <ops1@hengxinshipping.com> | Target not reported
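As an added example (not Red Sky Alliance's code or tooling), a small Python triage rule that applies the vessel keyword list above and the sender patterns from Table 1: it flags subject lines carrying a vessel prefix or phrase, display names that claim an organisation whose address domain does not match, and hex-only sender domain labels like the one in Table 1. The KNOWN_SENDER_DOMAINS allow-list and its ccb.com entry are constructed assumptions, not data from the report.

```python
import re
from email.utils import parseaddr

# Short vessel prefixes from the report's keyword list, matched case-sensitively
# because "MY" and "MT" are ordinary words in lower case.
PREFIX_RE = re.compile(r"\b(?:M/?T|M/?V|M/?Y|R/?V|VLCC|ULCC|FPSO)\b")
# Long-form phrases from the same list (plus the intro's motor vessel/tanker).
PHRASE_RE = re.compile(
    r"\b(?:merchant|motor) (?:tanker|vessel)\b|\bmotor yacht\b|\bresearch vessel\b"
    r"|\b(?:very|ultra) large crude carrier\b|\bfloating production storage",
    re.IGNORECASE,
)
# Hex-only domain label of 12+ characters, like the sender domain in Table 1.
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{12,}$")
# Constructed allow-list (hypothetical, not from the report): organisations
# this mailbox deals with, mapped to the domains they really send from.
KNOWN_SENDER_DOMAINS = {"china construction bank": {"ccb.com"}}

def vessel_keyword(subject):
    """Return the first vessel keyword or phrase in the subject, else None."""
    m = PREFIX_RE.search(subject) or PHRASE_RE.search(subject)
    return m.group(0) if m else None

def sender_domain(from_header):
    """Lower-cased domain of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def display_name_mismatch(from_header):
    """True when the display name claims a known organisation but the address
    domain is not one that organisation uses (the Table 1 'bank' sender)."""
    name, _ = parseaddr(from_header)
    allowed = KNOWN_SENDER_DOMAINS.get(name.strip().lower())
    return allowed is not None and sender_domain(from_header) not in allowed

def score_message(subject, from_header):
    """Return (score, reasons): one point per indicator, for triage queues."""
    reasons = []
    kw = vessel_keyword(subject)
    if kw:
        reasons.append(f"vessel keyword '{kw}' in subject")
    if display_name_mismatch(from_header):
        reasons.append("display name does not belong to the sender domain")
    if HEX_LABEL_RE.match(sender_domain(from_header).split(".")[0]):
        reasons.append("hex-only sender domain label")
    return len(reasons), reasons

if __name__ == "__main__":  # sender and subject copied from Table 1
    print(score_message("MT DELIA //CTM REQUEST with ETA 31st Nov 20192",
                        '"China Construction Bank" <309cd38@e49cdf609f3ac2.com>'))
```

A score of 2 or more on a message bound for operations or port staff is a reasonable quarantine-for-review threshold; a lone vessel keyword is expected in legitimate maritime mail and should only be logged.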


Figure 3. Marine Traffic results for the Delia Vessel

In the above collections for MV Sea Horse, MT Delia, MV Bao Xiang Ling and others, we see malicious actors using these vessel names to try to spoof companies in the maritime supply chain.

MT Delia is an oil and chemical tanker under the Panama flag. Analysis reveals that a malicious email was sent to at least one domain which appears to be obfuscated. The malware the email attempted to deliver is Trojan:Script/Casur.A!cl[1]. The subject line of the malicious email is: “MT DELIA //CTM REQUEST with ETA 31st Nov 20192”.

An unsuspecting employee at any company receiving this email would see this subject line, possibly tempting them to open the email to see the details of an apparent call for discharge. If this malware, or any of the other exploits listed, is delivered, any recipient could become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine / oil and gas supply chain with additional malware.

Figure 4. MV Bao Xiang Ling info from Marinetraffic.com

In another example, we see a subject line of: “MV BAO XIANG LING-ARRIVAL NOTICE”. The MV Bao Xiang Ling is a bulk carrier ship under the China flag, currently moored in Tangshan, east of Beijing. At first glance, any recipient of this email would take it as a bulk carrier vessel notifying the reader of its apparent arrival at a port. To any employee of a port that may be expecting the arrival of the MV Bao Xiang Ling, this would appear to be a legitimate email and would likely entice them to open it and thus download malware like the listed MSOffice/CVE_2017_11882.C!exploit detected by Fortinet.


Figure 5. Contents of email with subject line “MV BAO XIANG LING-ARRIVAL NOTICE”

In the contents of the email using the subject line “MV BAO XIANG LING-ARRIVAL NOTICE” we see the author of the email further instructing the user to open the attachment provided within the email, using the common shipping terms “arrival notice”, “cargo details” and “cargo manifest”. The language used in the email attempts to add to its legitimacy.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance’s RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.[2]

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to identify a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance’s RedXray proactive support and our Vessel Impersonation information, and use the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.

About Red Sky Alliance

Red Sky Alliance is in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or direct assistance, please contact Red Sky directly at 1-844-492-7225, or feedback@wapacklabs.com

 

[1] https://www.virustotal.com/en-gb/file/dc55ab2cf3ce10bb3b166a82b6da06eba2c9df3067c331aa2f73aba6063a02f6/analysis/

[2] https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444

 

Link to full report PDF: Vessel_Impersonation_TR-19-331-002.pdf
