Red Sky Alliance queries our backend databases to identify all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Using Motor Vessel (MV) or Motor Tanker (MT) keywords in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels that it directly observed being impersonated, with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Analyzing the subject lines shows a few similarities between phishing attempts. For instance, many of the subject lines use company or vessel impersonations and port names. Additionally, we see common industry phrases used in an attempt to establish credibility for the attacker. We also notice some emails (in table 2) using fake Purchase Orders or Remittances to try to scam their victims. Most of the vessel impersonations use the names of real ships, such as Navios Galaxy II, Almi Hydra, Jin Gang, Atlantic Harmony, and SM Jakarta. A few seem to use fake names derived from the names of other real vessels, including Grand Hulk and VTB 38.
When investigating the Sending Email field, we noticed impersonations of many different companies. Companies impersonated in these phishing emails include Hebei Ocean Shipping Company, Ltd (although the attacker replaces Company with Agency), Almi Tankers, S.A., SM Line, and DSV. Other companies that show up as the sender on emails seem to be fake or overly generalized and do not represent currently existing companies. These are CML Logistics, Sahar Supply, and NSTQA.
One example that typifies these phishing attacks is the group of emails sent from “Interport Freight Systems, Inc”. The attacker uses the name of an existing company based out of Hawthorne, California, but sends from an invalid web-port.live email domain. On an attempt to visit this URL, Google Chrome flags the website as dangerous for its use in phishing attacks.
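The subject-line and sender checks described above can be run automatically over inbound mail. The following Python is an added example, not Red Sky Alliance's tooling; the known-sender map, its `.example` domains, the sample messages and the local parts of the addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: defender-maintained map of company names to their real mail
# domains. The ".example" domains are placeholders, not the companies' own.
KNOWN_SENDERS = {
    "interport freight systems": {"interport.example"},
    "almi tankers": {"almi.example"},
}
# MV / M/V / M.V. / MT / "Motor Vessel" / "Motor Tanker" followed by a name.
VESSEL_RE = re.compile(r"\b(?:M[./]?[VT]\b\.?|MOTOR\s+(?:VESSEL|TANKER))\s+\w", re.I)
# Payment-themed lures named in the report.
LURE_RE = re.compile(r"\b(?:purchase\s+order|remittance)\b", re.I)

def triage(raw_message):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    # Decode RFC 2047 encoded-words so an encoded subject is still inspected.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if VESSEL_RE.search(subject):
        findings.append("vessel-keyword-subject")
    if LURE_RE.search(subject):
        findings.append("payment-lure-subject")
    for company, domains in KNOWN_SENDERS.items():
        # Display name claims a known company but the domain is not theirs.
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if company in display.lower() and not legit:
            findings.append("display-name-mismatch:" + company)
    return findings

# Constructed sample messages (headers only; bodies omitted).
SAMPLES = [
    'From: "Interport Freight Systems, Inc" <ops@web-port.live>\n'
    "Subject: MV Navios Galaxy II - port agency appointment\n\nbody",
    'From: "Interport Freight Systems, Inc" <ops@interport.example>\n'
    "Subject: Weekly schedule\n\nbody",
    "From: Accounts <billing@sahar-supply.example>\n"
    "Subject: Remittance advice for M/T Almi Hydra\n\nbody",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

A vessel keyword alone also appears in legitimate maritime mail, so the findings are best used to rank messages for review, with the display-name mismatch as the stronger signal.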
Lastly, in the email analysis, we noticed malware similarities. In all the emails, we have noticed some form of Trojan virus. The most notable Trojans installed include Emotet, Kryptic, and STRRat. Emotet was designed to steal sensitive information from the victim’s computer and acts like a worm to spread to other connected computers. Kryptic malware is a backdoor Trojan. Similar to Emotet, Kryptic also steals sensitive information from the victim’s computer. STRRat is a Java-based Remote Access Trojan. All of these malware strains are commonly spread through phishing emails, usually by getting the victim to click a malicious link or download a malicious file disguised to look like a purchase order or invoice.
These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Opening such an email could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and associated transportation supply line. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is important to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to identify a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
About Red Sky Alliance
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org