10215100865?profile=RESIZE_400xRed Sky Alliance performs queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.


Significant Vessel Keys Words:

10215032059?profile=RESIZE_710x

10215037268?profile=RESIZE_584x

Figure 1. Map displaying location of attacker domains

10215038877?profile=RESIZE_584x
Figure 2. Map displaying location of victim domains

10215057882?profile=RESIZE_400xFigure 3. Sender host by country

10215066265?profile=RESIZE_400x

Figure 4. Target host by country

Table 1: List of subject lines, type of malware sent, sender data and targets seen in Red Sky Alliance’s malicious email collection from last 90 days. Information extrapolated from the Subject Line. The Full Table is attached -> maritime_collection_data_table_march_2022.pdf

10215084892?profile=RESIZE_584xAnalyzing the subject lines shows a few similarities between phishing attempts.  For instance, many of the subject lines use company or vessel impersonations and port names.  Additionally, we see the use of common phrases used within the industry, attempting to establish credibility for the attacker.  Analysts notice some emails using fake Purchase Orders, Remittances, and Pro-forma Disbursement Account Requests (PDA) to try scamming their victims. These are tempting lures for the recipient.  Most of the vessel impersonations use the name of real ships, such as MV Blue Everton, MV Pacific Selina, MV Ever Shining, MV Atlantic Harmony, and MV Shaman Wisdom.

In the Sending Email field, we noticed the impersonations of different companies. These companies include Cosco Shipping Lines, Maersk, Kawasaki Kisen Kaisha, Ltd. ("K"Line), and Well Reach Logistics.  All large and legitimate international companies.  Other companies that show up as the sender on emails seem to be fake or overly generalized and do not represent existing companies.  These include Warong Soto, Coscon, Part Sales & Technical Service Team, and Operation Department.10215069859?profile=RESIZE_400x

One sample phishing attack from the collection is sent from “Maersk Line Shipping mir.bak@warongsoto.com” with the subject line “Maersk Line Shipping Notification. AWB45321xxxxx”.  From 13 February to 17 February 2022, our data collections show this combination of subject line and sender email was used to send malware thirteen (13) times.  The actor impersonating Maersk Line Shipping is sending the malicious email from the domain warongsoto.com.  Another email claiming to be from Maersk used the subject line “B-L NOTICE FROM MAERSK” and was sent from “Anara Utepova <anara.serikbayeva@isker.kz>”  Our collections show that this campaign was used to send eight (8) emails between 21 February and 23 February 2022.  A third Maersk impersonation campaign made use of the subject line, “Maersk : Arrival Notice // NO: 1KT002324 // YENIGUN ORMAN // 7*40 FCL” sent from the address “Maersk Notification <h.nathaniel@borsarigroups.com>”  This campaign sent seven emails between 10 February and 11 February 2022.

A number of phishing campaigns reuse the same subject lines and send the malware to multiple targets. The lures they use apply generically to most ports, shipping companies, and vessels. Vessels that have been impersonated multiple times include MV Pacific Selina (pictured right), MV Jabal Shams, MV Valerio, and MV Hai Phuong 87. 

Finally, in the email analysis, we noticed malware similarities.  In most of the emails, we have noticed some form of Trojan virus.  The most notable Trojans installed include Agent Tesla, Valyria, Emotet, Darkstealer, and STRRat among other generic trojans and exploits.  Agent Tesla acts as a keylogger, downloader, password-stealer, and is capable of taking screenshots on infected machines.  Valyria is a trojan downloader that is frequently used to distribute Emotet by leveraging corrupted Microsoft Word documents.  Emotet has recently made a comeback after the law enforcement operation “Ladybird” took Emotet down in January of 2022.  It is likely that the Valyria infections are connected to the resurgence of Emotet as it was used in previous campaigns to install the Emotet banking trojan.  Darkstealer is a spyware used to steal passwords and banking information.  STRRat is a Java-based Remote Access Trojan.  These malware strains are commonly spread through phishing emails, usually by getting the victim to click a malicious link or download a malicious file disguised to look like a purchase order or invoice, using corrupted Microsoft Excel or Word Documents as well as using PDFs.

10215070873?profile=RESIZE_400xThese analytical results illustrate how a recipient could be fooled into opening an infected email.  It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry and associated transportation supply line.   These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.  Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  

 

The more convincing an email appears, the greater the chance employees will fall for a scam.   To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is important to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to identify a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.

The full Maritime Watch List is available here -> maritime_watchlist_march_2022.csv

About Red Sky Alliance

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending cyber-attacks.  Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!