As maritime technology progresses, towage vessels (tugboats) and their crews are increasingly connected to online services during operations, which increases their exposure to cyber threats, malware, viruses and hackers. These cyber security concerns were raised by the US-based Maritime Transportation System (MTS) Information Sharing and Analysis Center (ISAC)[1] after a tugboat fell victim to a phishing email. According to MTS-ISAC, this was the first time a tugboat had reported receiving this type of phishing email. The ISAC subsequently alerted the whole US maritime industry to phishing-type cyber-attacks during Riviera Maritime Media’s “Where Port Security Meets Cyber Security” webinar last month.[2]
The advisory said that a tug operating organization received the phishing email with a voicemail-themed attachment. The organization notified the FBI-sponsored Louisiana InfraGard of the cyber threat, which in turn notified the MTS-ISAC.
The malicious email spoofed the vessel operator as the sender and was sent to the tug with an Office 365 eVoiceMail Express-themed attachment. The MTS-ISAC analyzed the offending email, its headers and the attachment. Analysts found that one of the HTTP (hypertext transfer protocol) requests it made returned a 404 (not found) response; the other was not flagged as malicious when examined.
Besides spoofing the tug operator as the sender, the MTS-ISAC noticed that the email subject line used three different fonts, which may indicate that similar emails were sent to other prospective victims by replacing parts of the subject line text (a common tactic, and a common actor error). The sending IP address, which geolocated to Germany, had been associated with spam and phishing by multiple open source intelligence reports since June 2020. MTS-ISAC has asked other maritime organizations that receive similar activity to contact it via www.mtsisac.org/contact. The ISAC hopes its advisory gives all tug operators situational knowledge and heightens their awareness of these cyber threats to their vessels and people.
Figure 1. Screenshot of the “eVoiceMessage” email received by the tug
The MTS-ISAC advisory also explained best practices for countering malicious email attacks. Tug operators should provide regular email awareness training to employees, including how to handle links and attachments in emails, and help them understand how to identify and report suspicious emails to a security team. Owners of towage vessels may also need to implement additional email security technologies and tools to detect and filter spam and phishing attacks.
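As an added example (not part of the advisory or of any MTS-ISAC or Red Sky Alliance tooling), the following Python script shows how a mail gateway rule could flag the indicators described above on a constructed message: a From header that claims the operator's domain but arrives from an IP the operator does not send from, a sender IP on a reputation blocklist, a voicemail-themed subject, and a web-page attachment. The domain, IP addresses, allowed sending network and blocklist are all assumed stand-ins.

```python
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, modelled on the advisory's indicators: the From header
# spoofs the operator's domain, the lure is voicemail-themed, and the
# originating IP is on a reputation blocklist. All names and IPs are made up.
SAMPLE_EML = """\
Received: from mail.example-operator.invalid (unknown [203.0.113.45])
 by mx.tug.example.invalid with ESMTP id abc123; Mon, 5 Oct 2020 09:12:00 +0000
From: "Fleet Ops" <fleet.ops@example-operator.invalid>
To: master@tug.example.invalid
Subject: eVoiceMail Express: New Voice Message (0:42)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="VoiceMessage_0042.htm"
Content-Disposition: attachment; filename="VoiceMessage_0042.htm"

<html><a href="http://lure.example.invalid/vm">Listen</a></html>
--b1--
"""

# Assumed local policy (stand-ins for an SPF check and an OSINT-fed blocklist).
OPERATOR_DOMAIN = "example-operator.invalid"
OPERATOR_SENDING_NETS = [ipaddress.ip_network("198.51.100.0/24")]
IP_BLOCKLIST = {"203.0.113.45"}
VOICEMAIL_TERMS = re.compile(r"voice ?(mail|message)", re.I)
RISKY_EXTS = (".htm", ".html", ".zip", ".iso", ".js")  # assumed risky attachment types

def phishing_indicators(raw: str) -> list:
    """Return the indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # The outermost Received header is the one our own MX added: trust only that IP.
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", str(msg.get("Received", "")))
    ip = m.group(1) if m else None
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if ip and from_domain == OPERATOR_DOMAIN and not any(
        ipaddress.ip_address(ip) in net for net in OPERATOR_SENDING_NETS
    ):
        findings.append(f"from-spoof: {from_domain} claimed by unauthorised IP {ip}")
    if ip in IP_BLOCKLIST:
        findings.append(f"bad-ip: {ip} is on the reputation blocklist")
    if VOICEMAIL_TERMS.search(str(msg.get("Subject", ""))):
        findings.append("lure: voicemail-themed subject line")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTS):
            findings.append(f"attachment: risky type {name}")
    return findings
```

In production the allowed-sender check would be replaced by a real SPF/DKIM/DMARC evaluation and the blocklist fed from a threat-intelligence source; the point is that each indicator from the advisory maps to a concrete, automatable check.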
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports. Specifically, our analysts have been collecting and analyzing maritime cyber security issues for years. We publish a weekly Vessel Impersonation report and associated IOCs.
Installing, updating and monitoring firewalls and other cyber security controls, together with proper employee training, are key to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Red Sky Alliance can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on ‘external’ threats, including botnet activity, public data breaches, phishing, fraud and general targeting.
Red Sky Alliance is based in New Boston, NH, USA.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[2] https://www.rivieramm.com/news-content-hub/news-content-hub/tug-owners-warned-after-first-detected-cyber-attack-60905