Maritime cybersecurity and threats in January 2020

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.

Using Motor Vessel (MV) or Motor Tanker (MT) keywords in email subject lines is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Together with its cyber security partner, Dryad Global is providing a weekly list of Motor Vessels that have been observed being impersonated, along with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Having seen a significant decrease in vessel impersonation traffic at the turn of the new year, Red Sky Alliance observed an increase this week. The reason for this fluctuation in vessel impersonation traffic is unknown.

Malicious actors use vessel names in attempts to spoof companies in the maritime supply chain. The names observed include: “MV OCEAN INTEGRITY”, “MSC RANIA”, “MV BRENDA”, “MV CHLOE”, and a repeat appearance of “MV ROSCO LEMON”, which was mentioned in one of Red Sky Alliance’s December reports.

This week, an email was again observed attempting to impersonate “MV ROSCO LEMON”. This vessel is currently at anchorage in the East China Sea near Shanghai, China.

Analysis reveals that a malicious email was sent to an unreported target domain. The message contains the subject line “MV ROSCO LEMON DRAFT SHIPPING DOCUMENTS” and an attachment identified by Microsoft as the Trojan:Win32/Wacatac.B!ml malware. According to Fortinet, this malware exploits an IT automation product, known as AutoIt, to provide a wide range of capabilities to an attacker, such as remote access, key logging, upload and download of files, running or terminating processes, and performing denial-of-service attacks.

The message body invites the user to check the attached document for details about “CI, PL, Draft HBL, Draft COO Draft Insurance for this shipment”. However, opening the attachment could activate the malware.
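The subject-line screening described above can be approximated at a mail gateway. The following is an added example, not Red Sky Alliance's or Dryad Global's tooling; the function names, stop-word list, sample message and domains are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# MV, M/V, M.V., MT, M/T as a standalone token, followed by the rest of the subject.
PREFIX = re.compile(r"\b(M[/.]?[VT])\b\.?\s+(\S.*)", re.I)
# Assumed document vocabulary that marks the end of the vessel name.
STOP = {"DRAFT", "SHIPPING", "DOCUMENTS", "DOCS", "ETA", "PDA", "INQUIRY"}

def vessel_in_subject(subject):
    """Return the vessel reference (e.g. 'MV ROSCO LEMON') or None."""
    m = PREFIX.search(subject)
    if not m:
        return None
    name = []
    for word in m.group(2).upper().split():
        word = word.strip(".,:;-")
        if not word or word in STOP:
            break
        name.append(word)
    return f"{m.group(1).upper()} {' '.join(name)}" if name else None

def triage(raw, known_domains):
    """Hold mail that names a vessel, has an attachment and comes from an unknown domain."""
    msg = message_from_string(raw, policy=policy.default)  # decodes RFC 2047 subjects
    vessel = vessel_in_subject(str(msg.get("Subject", "")))
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hold = bool(vessel and attachments and domain not in known_domains)
    return {"vessel": vessel, "sender_domain": domain,
            "attachments": attachments, "hold": hold}

# Constructed sample message; the addresses and file name are made up.
SAMPLE = """\
From: "Ops" <ops@shipping-example.test>
Subject: MV ROSCO LEMON DRAFT SHIPPING DOCUMENTS
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please check the attached document.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="draft_docs.zip"

--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE, known_domains={"port-agency.example"}))
```

A vessel keyword alone produces false positives in an industry where legitimate mail also names ships, which is why the check combines it with the attachment and an allow-list of known counterparties.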