Red Sky Alliance queries our backend databases monthly, identifying all new data containing supply chain keywords in the subject line of malicious emails. Malicious actors use emails with various supply chain related keywords as a lure to entice users in the maritime industry to open emails containing malicious attachments. The identified emails attempted to deliver malware or phishing links to compromise the entire Transportation Supply Chain. Specific names or keywords in the transportation supply chain can be queried using our two services and tools. Full report available here.
Common Transportation Attack Chain Overview:
Supply Chain Report
Figure 1. Map displaying location of attacker domains
Figure 2. Map displaying location of victim domains
Figure 3. Distribution of attacker and target domains
Supply Chain Spoofing: In 2023, our analysts began monitoring the transportation supply chain, as these transportation companies are often used to gain cyber access to valuable targets. By querying our data with numerous important supply chain keywords, we can also extract more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:
- RE: MRP : RFQ - Bernard Controls - PO8585-MAMEX-EUR6616 / Proforma invoice
- QUOTE INVOICE-0678900
- RE: PROFOMA INVOICE// SWIFT COPY
- DHL Delivery Notification failed
- Invoice and Remittance
Several themes emerge in the subject lines of these malicious emails. Over the last month, shipping and invoice notifications were the most prevalent. These emails can also impersonate companies in many industries. In our most recent query, we saw impersonations of a green manufacturing company in Mumbai, several shipping companies, a gynecology office in Greece, a Russian law firm, and a pharmaceuticals manufacturer in Ecuador, among many others.
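The subject-line keyword query described above, as an added example that is not Red Sky Alliance's tooling: a small Python triage that tags the five subject lines listed above (plus one constructed benign line) with the lure themes they carry, flags the fake "RE:" prefix, and counts theme frequency the way the "most prevalent" view does. The theme names and regex patterns are assumptions for this example; the report does not publish its query terms.

```python
import re
from collections import Counter

# Lure themes drawn from the subject lines above. The patterns and theme names
# are assumptions for this example, not Red Sky Alliance's actual query terms.
THEMES = {
    "invoice": re.compile(r"\b(pro\s?forma|profoma|invoice|remittance)\b", re.I),
    "quote_order": re.compile(r"\b(rfq|quotation|quote|purchase order|po[\s-]?\d+)\b", re.I),
    "delivery": re.compile(r"\b(dhl|fedex|shipment|delivery|tracking|consignment)\b", re.I),
    "payment": re.compile(r"\b(swift|wire transfer|payment|tt copy)\b", re.I),
}
# A "RE:"/"FW:" prefix on a thread the recipient never started is a common lure trick.
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)


def classify_subject(subject):
    """Return the sorted list of lure themes a subject line matches."""
    return sorted(name for name, rx in THEMES.items() if rx.search(subject))


def triage(subject):
    """Tag one subject line: matched themes, fake-reply prefix, and a review flag."""
    themes = classify_subject(subject)
    return {
        "subject": subject,
        "themes": themes,
        "reply_prefix": bool(REPLY_PREFIX.match(subject)),
        "flag": bool(themes),
    }


def theme_counts(subjects):
    """Count how often each theme appears across a batch of subject lines."""
    return Counter(t for s in subjects for t in classify_subject(s))


# Constructed sample: the five subject lines from this report plus one benign line.
SAMPLE_SUBJECTS = [
    "RE: MRP : RFQ - Bernard Controls - PO8585-MAMEX-EUR6616 / Proforma invoice",
    "QUOTE INVOICE-0678900",
    "RE: PROFOMA INVOICE// SWIFT COPY",
    "DHL Delivery Notification failed",
    "Invoice and Remittance",
    "Team lunch on Friday",
]

if __name__ == "__main__":
    for rec in map(triage, SAMPLE_SUBJECTS):
        print(rec)
    print(theme_counts(SAMPLE_SUBJECTS))
```

Note that the pattern list deliberately accepts the misspelling "PROFOMA" seen above; lure subjects often carry such typos, and a strict spelling would miss them.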
The five most prevalent detections associated with these emails are as follows:
- Trojan-Downloader.PDF.Agent – Ikarus
- HTML.Doc – Ikarus
- trojan.cryxos – CTX
- HTML/Phishing.Gen - ESET-NOD32
- JS/Redirector.RVR - ESET-NOD32
The detections across the wider set of supply chain emails show a focus on phishing activity. We have seen Trojan-Downloader.PDF variants fairly consistently since late 2015, with detection spikes occurring most often in the summer and autumn months. Phishing.HTML.Doc detections appear often in these reports; we have been seeing them since 2017, with a slight increase in the number of detections beginning near the end of 2022. The eml.trojan.cryxos detection is fairly new in our system, but the same sample can also be identified as Phishing.HTML.Doc depending on the security vendor. We have also seen HTML/Phishing.Gen since 2015, with occasional detection spikes in the late spring or early summer months. JS/Redirector variants have likewise been seen since 2015, though their heaviest activity occurred between 2015 and 2019, with seemingly only minimal activity since then.
Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. Full table attached.
Closing: These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks against larger companies. Doing so could cause the recipient to become infected and potentially harmful to other members along the chain.
Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability to one or all of those involved in the Transportation Supply Chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques to evade current detection daily. This supports our recommendation of daily cyber diligence.
The more convincing an email appears, the greater the chance employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is important to:
- Train all levels of the supply chain to realize they are under constant cyber-attack.
- Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to identify a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
About Red Sky Alliance
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. All emails connected to the Transportation Supply Chain, including Vessels, should be viewed with scrutiny.
Red Sky Alliance is located in Steamboat Springs, CO USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 6 years (and maintain historical reports). For questions, comments or assistance, please contact our lab directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424