Transportation

Vessel Impersonation and Supply Chain Report / October 2023

Posted by JD Thomason on October 20, 2023 at 4:38pm

12262852665?profile=RESIZE_400x

Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain.  Full report available here.

Significant Vessel Keys Words:

12262851901?profile=RESIZE_710x

 

 

 

 

 

 12262852679?profile=RESIZE_710x

Figure 1. Map displaying location of attacker domains

 

12262852693?profile=RESIZE_710x

Figure 2. Map displaying location of victim domains

 

12262852878?profile=RESIZE_710x

Figure 3. Distribution of attacker and target domains

 

12262852899?profile=RESIZE_710x

Figure 4. Common Attack Chain Overview

 

12262851657?profile=RESIZE_710x

Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. Full table attached.

 

Analysis

The five most common subject lines seen in our recent query are as follows:

  • MOST URGENT: VESSEL HAS ARRIVED: Copy of document required : CFIMKAT2308122 arrival on 04-10-2023
  • Deer Park permit 5101 deck O\'Leary July 2023.xls
  • MV BERDEN - ORIGINAL DOCUMENTS
  • PO# FCL-SL23-09 Yaosheng quotation SEA-FCL....104.168.142.103
  • Re: RV: REVISED EPDA & JULY - AUGUST SOA //23461//-2023 MV OCEAN GLORY 60DAYS CREDIT TERMS

12262851458?profile=RESIZE_400x

 

There are several themes represented by the subject lines seen.  Specifically, we can see shipping document requests and quotes, arrival notices, and document update notifications.  These emails are seen to utilize common terminology to establish credibility.  This credibility can make for a solid lure.  In terms of the sending emails themselves, we can see impersonations of companies in many industries.  In our most recent query, we saw freight companies, logistics management companies, a pager manufacturer, and an automation technology manufacturer.

In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels.  Some of the vessels being impersonated by these emails include the following:

 

 

  • Ipsea Colossus (pictured above), which is a bulk carrier currently en route to IDMLB and is sailing under the flag of Singapore.
  • Efendi Baba (pictured below), which is a container ship that is no longer in service and previously sailed under the flag of Turkey.
  • Berden, which is a bulk carrier currently en route to Tuapse, Russia and is sailing under the flag of Marshall Islands.
  • Cartagena Express, which is a container ship currently en route to Santos, Brazil and is sailing under the flag of Germany.

As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name does not take much effort and could result in an increase of credibility.

The top five most prevalent malware detections associated with these emails are as follows:

  • PDF:PhishingX-gen [Phish] – AVG
  • Troj.MSOffice.2022001 – Kingsoft
  • Win32:DropperX-gen [Drp] – AVG
  • CVE-2018-0798.4 – DrWeb
  • HTML:Phishing-CSO [Phish] - Avast

12262851284?profile=RESIZE_400xPDF:PhishingX-gen is a detection we have seen since late 2021, with the most occurrences showing in the early summer of this year.  Script.Troj.MSOffice.2022001, which is indicative of a malicious MS Office document, is a detection we have only seen specifically in the last month, though it can also be identified as Exploit.CVE-2018-0802.Gen, which we see a large number of between 2021 and 2022.  Win32:DropperX-gen is a trojan detection that we have been seeing since 2019, with the heaviest detection occurring in the summer of 2022.  Exploit.CVE-2018-0798.4 is an exploit of the equation editor in select versions of Microsoft Office products that allows remote code execution.  This detection we have seen since early 2022.  HTML:Phishing-CSO specifically we have been seeing since July, though it is worth mentioning that this can also be identified as Phishing.HTML.Doc which we have seen for much longer.

Vessel Flag of Convenience – All shipping size vessels which fall under international law, must fly a country flag where it is registered.  The flag of convenience (FOC) is the system that allows the vessel owners to avoid burdensome international legal regulations.  When the ships are involved in this system, they are not connected to the laws of the countries where they are registered.  The top five (5) flag states with the largest number of registered vessels are: Panama, Liberia, Marshall Islands, Hong Kong and Singapore.[1] 

Supply Chain Spoofing:  In 2023, our analyst began looking into the transportation supply chain, as often these transportation companies are used to gain cyber access to valuable targets.  Maritime shipping is just one portion of the entire commercial transportation supply chain.  By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails.  The five most prevalent subject lines seen with a general supply chain focus are as follows:

  • PROFORMA INVOICE sent via wetransfer
  • FW:PROFORMA INVOICE
  • [info] Purchase Order #88392
  • DSV Solutions SRL (RO1) - Otopeni - RO8119502 - 6403211820 –
  • FedEx Shipping Documents

Much like maritime related emails, we can see several themes emerge in the subject lines of these malicious emails.  Most prevalently in the last month, we can see invoice notifications, purchase orders, and shipping document notifications.  These emails can also contain impersonations of companies in many industries.  In our most recent query, we saw shipping companies, a Greek dialysis care unit, a Serbian health data management company, and work clothing manufacturers.

The five most prevalent detections associated with these emails are as follows:

  • Ks.Malware.249 – Kingsoft
  • HTML/Phish.05F9!phish – Fortinet
  • Agent.GGUT – BitDefender
  • HTML:PhishingAdb-JC [Phish] – Avast
  • Script.Iframe.hqvxv - NANO-Antivirus

Script.Ks.Malware.249 we have been seeing since April of this year, with the largest number of detections occurring in the last month.  It is worth mentioning here that this detection is only reported by Kingsoft and could be worth investigating as a false positive.  HTML/Phish.05F9!phish is a detection specifically we have been seeing only in the last month, but we have seen HTML/Phish variants since 2016, with the most occurrences being in 2023.  Similarly, Trojan.Agent.GGUT we have only seen detections for in the last month, but this detection can also be identified as a variety of “phishing” detections, such as Phishing.HTML.Doc, similar to HTML:PhishingAdb-JC.  A Trojan.Script.Iframe.hqvxv detection indicates the presence of malicious JavaScript code in a webpage, in this case embedding malicious code into an iframe with the intent on misdirecting the user to a certain location or displaying unsolicited content.  This detection we have seen since 2017, though it’s occurrences were few and far between until May of this year, where it became more consistent.


12262850700?profile=RESIZE_710x

Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line.  Full table attached.

 

Closing:  These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails.  It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.  With approximately 90% of products being shipped in the maritime related supply chain, this is a serious cyber matter. 

Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry and associated transportation supply line.   These threats often carry a financial liability to one or all those involved in the Transportation Supply Chain.  Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are daily developing new techniques to evade current detection.  This supports our recommendation of daily cyber diligence.  

The more convincing an email appears, the greater the chance employees will fall victim to a scam.   To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is important to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to identify a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.

About Red Sky Alliance

12262850665?profile=RESIZE_400x

 

 

 

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending cyber-attacks.  Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.  All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny.

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization.  We have been tracking vessel impersonation for over 5 years (and maintain historical reports).  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: 

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

 

[1] https://naylorlaw.com/blog/flag-of-convenience/

Tags: ir-23-293-001, vessel impersonation, maritime, supply chain, spoofing, phishing, ipsea colossus, efendi baba, berden
E-mail me when people leave their comments –
Follow

You need to be a member of Red Sky Alliance to add comments!