12057871866?profile=RESIZE_400xRed Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain.  Full report available here.

Significant Vessel Keys Words:

12057739499?profile=RESIZE_710x

 

 

 


 

 

12057751672?profile=RESIZE_710x

Figure 1. Map displaying location of attacker domains

 

12057758698?profile=RESIZE_710x

Figure 2. Map displaying location of victim domains

 

12057774281?profile=RESIZE_710x

Figure 3. Distribution of attacker and target domains

 

12057789470?profile=RESIZE_710x

Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. Full table attached.

Analysis

The five most common subject lines seen in our recent query are as follows:

  • CARGO ARRIVAL NOTICE 2/6/2023
  • Bill of Lading for 1x40FT Shipping Documents Outstanding Container Release
  • CMA CGM BLUE WHALE - 1QY12N1NL PEB COPY MISSING
  • [***SPAM*** Score/Req: 08.0/5.0] FW: M/V MSC QINGDAO - LASHING ITEMS
  • Arrival Notice of B/L#MEDUSI938235 on MAERSK ARIA III/JE316A received

There are several themes represented by the subject lines seen.  Specifically, we can see stock requests, arrival notifications, and bill of lading notifications.  These emails are seen to utilize common terminology to establish credibility.  This credibility can make for a solid lure.  In terms of the sending emails themselves, we can see impersonations of companies in many industries.  We see logistics companies, a Chinese part manufacturer, and maritime supply companies.

12057818278?profile=RESIZE_400xIn addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels.  Some of the vessels being impersonated by these emails include the following:

  • Baoshan Hope (pictured right), which is a general cargo ship currently en route to Keelung, Taiwan and is sailing under the flag of Panama.
  • Dato Fortune (pictured below), which is a bulk carrier currently located at Sokhna Port Anch and is sailing under the flag of Panama.
  • MSC Qingdao, which is a container ship currently located at Port Said Arch and is sailing under the flag of Liberia.
  • Xing Fu Hai, which is a bulk carrier currently en route to Richards Bay, South Africa and is sailing under the flag of Singapore.

As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name does not take much effort and could result in an increase of credibility.

The top five most prevalent malware detections associated with these emails are as follows:

  • HTML.Phish.aar – ZoneAlarm
  • Other:SNH-gen [Phish] – Avast
  • HTML.Doc – Ikarus
  • HTML/FakeLogin.A!phish – Fortinet
  • Artemis!239D47EF2B01 - McAfee

12057837471?profile=RESIZE_400x

These emails are typically used for the propagation of generic trojans and their variants.  Interestingly, this month’s most prevalent detections are more focused on phishing malware than in previous reports.  Hoax.HTML.Phish.aar we have been seeing since the last quarter of 2021.  HTML.Phish variants are generally known for being malicious, password-stealing websites much like with Phishing.HTML.  Other:SNH-gen [Phish] we have seen consistently since early 2021 with the heaviest occurrences in July of 2022.  HTML/FakeLogin.A!phish is a detection name that we have been seeing since fall of 2022 and depending on the identifier of the detection this can also be identified as Other:SNH-gen [Phish].  Artemis!239D47EF2B01 is a detection name that we have only been seeing very recently and appears to be related to MSIL.Keylogger, which is a trojan that is meant to run in the background of a victim’s machine monitoring and logging keyboard activity.

Vessel Flag of Convenience – All shipping size vessels which fall under international law, must fly a country flag where it is registered.  The flag of convenience (FOC) is the system that allows the vessel owners to avoid burdensome international legal regulations.  When the ships are involved in this system, they are not connected to the laws of the countries where they are registered.  The top five (5) flag states with the largest number of registered vessels are: Panama, Liberia, Marshall Islands, Hong Kong and Singapore.[1] 

Supply Chain Spoofing:  In 2023, our analyst began looking into the transportation supply chain, as often these transportation companies are used to gain cyber access to valuable targets.  Maritime shipping is just one portion of the entire commercial transportation supply chain.  By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails.  The five most prevalent subject lines seen with a general supply chain focus are as follows:

  • Re: Proforma Invoice
  • Payment confirmation: Invoice #2782-
  • Arrival Notice / Shipping Documents / Original BL, Invoice & Packing List
  • Urgent Purchase Order 29 May 2023
  • DHL: AWB Shipment Notification!

Much like maritime related emails, we can see a number of themes emerge in the subject lines of these malicious emails.  Most prevalently in the last month, we can see invoices, purchase orders and delivery confirmations.  In terms of the sending emails, we can see a Nigerian print services store, a commercial real estate broker, a compressed air products distributor, an Australian digital marketing firm, and the town of Smithtown, New York.

The five most prevalent detections associated with these emails are as follows:

  • HTML.Doc – Ikarus
  • HEUR:Trojan.Script.Generic – ZoneAlarm
  • HTML/Phishing.Office.AO - ESET-NOD32
  • Trojan[Phishing]/HTML.Agent - Antiy-AVL
  • Trojan.44094 - CAT-QuickHeal

As mentioned in previous reports, detections found in more general supply chain related emails tend to exhibit more focus on phishing malware, as we can see above.  Many of those listed are repeat detections from previous reports.  Phishing.HTML variants we have been seeing since 2016, with the largest number of detections occurring near the beginning of 2021 and recently at the end of 2022.  HEUR:Trojan.Script.Generic we have seen consistently since 2016, with the heaviest activity occurring in the spring/summer months of 2017 and 2020.  HTML/Phishing.Office.AO is a relatively new detection name that we have been seeing since the beginning of the year, but depending on the vendor identifying the detection, this can also be seen as another Phishing.HTML variant along with Trojan[Phishing]/HTML.Agent.  Script.Trojan variants we have been seeing since 2016, with the heaviest activity occurring in August of 2021 and December of 2022.

12057697072?profile=RESIZE_710x

Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line.  Full Table Attached.

Closing:  These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails.  It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.  With approximately 90% of products being shipped in the maritime related supply chain, this is a serious matter. 

Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry and associated transportation supply line.   These threats often carry a financial liability to one or all those involved in the Transportation Supply Chain.  Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  

The more convincing an email appears, the greater the chance employees will fall victim to a scam.   To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is important to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to identify a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.

About Red Sky Alliance

12057693057?profile=RESIZE_400x

 

 

 

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending cyber-attacks.  Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.  All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny.

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization.  We have been tracking vessel impersonation for over 5 years (and maintain historical reports).  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: 

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

 

[1] https://naylorlaw.com/blog/flag-of-convenience/

You need to be a member of Red Sky Alliance to add comments!