Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. Full report download available here.
Significant Vessel Keys Words:
Figure 1. Map displaying location of attacker domains
Figure 2. Map displaying location of victim domains
Figure 3. Distribution of attacker and target domains
Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. Full table attached.
Analysis
The five most common subject lines seen in our recent query are as follows:
- Jiangsu Haibang Freight entrusts EM23001 CIF LCB FIRST THAILAND to send Foster materials to Thailand
- Maersk : Arrival Notice ready for Bill of Lading 209530072.
- RE: Re: DRAFT BL _INV_SHIPPING DOCUMENT// INVOICE NO: Container Shipping_CUSTOMS DETAILS
- Your Transport Plan has Changed – Maersk
- RE: VSL: MV ASIA EMERALD II, ORDER: AHOC-A77180011E
There are several themes represented by the subject lines seen. Specifically, we can see shipping notifications, invoice notifications, itinerary change requests, and order notices. These emails are seen to utilize common terminology to establish credibility. This credibility can make for a solid lure. In terms of the sending emails themselves, we can see impersonations of companies in many industries. Notably, we see Chinese email providers, shipping account software companies, logistics companies, an Indonesian commodities exporter, and a Middle Eastern shipping agency.
In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:
- Indigo Flora (pictured above), which is a bulk carrier that is currently located at Puerto Quetzal Anch and is sailing under the flag of Marshall Islands
- Strategic Spirit (pictured below), which is a bulk carrier that is currently en route to Pisco, Peru and is sailing under the flag of Singapore
- Aquajoy, which is a bulk carrier that is currently en route to Balboa, Panama and is sailing under the flag of Panama
As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name does not take much effort and could result in an increase of credibility.
The top five most prevalent malware detections associated with these emails are as follows:
- HTML/FakeLogin.A!phish – Fortinet
- EXP/CVE-2017-0199.Gen - F-Secure
- Trojan[Phishing]/HTML.Phish - Antiy-AVL
- Gen:NN.ZemsilF.36132.5m0@au312Nh – BitDefenderTheta
- Zmutzy.1081 – BitDefender
These emails are typically used for the propagation of generic trojans and their variants, such as Trojan.Zmutzy.1081 and Gen:NN.ZemsilF.36132.5m0@au312Nh. Although, there are some clear detections of phishing malware such as HTML/FakeLogin.A!phish and Trojan[Phishing]/HTML.Phish. HTML.Phish variants we have been seeing off and on since late 2019, while FakeLogin.A!phish is a relatively new detection that we have been seeing since late 2022. The Exploit.EXP/CVE-2017-0199 detection is representative of a malware which allows for remote code execution by exploiting Microsoft Office files. We have been seeing this detection off and on since mid-2019, but recent months have experienced higher levels of detection than previously seen.
Vessel Flag of Convenience – All shipping size vessels which fall under international law, must fly a country flag where it is registered. The flag of convenience (FOC) is the system that allows the vessel owners to avoid burdensome international legal regulations. When the ships are involved in this system, they are not connected to the laws of the countries where they are registered. The top five (5) flag states with the largest number of registered vessels are: Panama, Liberia, Marshall Islands, Hong Kong and Singapore.[1]
Supply Chain Spoofing: In 2023, our analyst began looking into the transportation supply chain, as often these transportation companies are used to gain cyber access to valuable targets. Maritime shipping is just one portion of the entire commercial transportation supply chain. By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:
- MAURI anz Tax Invoice 106339611 1182600 20230321
- AIR WAY BILL - INVOICE AND PACKING LIST
- FedEx Billing - Invoice Ready for Payment
- DHL TRACKING NUMBER // ORIGINAL SCAN DOCUMENTS // VERIFY BL COPY FOR CHECKING // SHIPMENT ADVISE AGAINST OUR CONTRACT NO- WGCBD-141-21/22 (02X40\" 28LBS/1PLY)
- (2) Invoice Payment
Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. Full table attached.
Much like maritime related emails, we can see a number of themes emerge in the subject lines of these malicious emails. Specifically, we can see invoices, packaging lists, payment requests, and tracking notifications. In terms of the sending emails, we can see Penn State University, the Houston Botanic Garden, Cambodian financial institutions, biofuel manufacturers, and shipping companies.
The five most prevalent detections associated with these emails are as follows:
- HTML.Doc – Ikarus
- Other:SNH-gen [Phish] – Avast
- HTML.PHISH.SMJM3 – TrendMicro
- DownLoader45.50863 – DrWeb
- HEUR:Trojan.Script.Generic - Kaspersky
Supply chain email detections will tend to have a focus on phishing malware, as we see with Phishing.HTML.Doc, Other:SNH-gen, and Trojan.HTML.PHISH.SMJM3. Phishing malware will generally manifest as fraudulent emails, web pages, or other software for the purpose of luring the user into exposing personal information like usernames, passwords, or even financial information. Detections of Phishing.HTML.Doc we have been seeing since mid-2017, but this detection has been exhibiting a resurgence in the last year, with a heavy spike of detections occurring in July 2022. Other:SNH-gen we have been seeing since early 2021, with similarly heavy activity in the summer of last year. Trojan.HTML.PHISH.SMJM3 is a newer detection that we have only been seeing in the last couple of months. Trojan.DownLoader45.50863 and HEUR:Trojan.Script.Generic are representative of generic trojans as discussed above.
Closing: These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped in the maritime related supply chain, this is a serious matter.
Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry and associated transportation supply line. These threats often carry a financial liability to one or all those involved in the Transportation Supply Chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.
The more convincing an email appears, the greater the chance employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is important to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to identify a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
About Red Sky Alliance
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting. All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments