Maritime security intelligence firm Dryad Global and cyber partner RedSkyAlliance monitor attempted cyber attacks in the maritime sector, examining how email is used to deceive recipients and potentially expose the targeted organizations. The following update covers the week of 4-11 April 2021.
The partners note that Motor Vessel (MV) or Motor Tanker (MT) keywords in the email subject line are a common lure to entice users in the maritime industry to open emails containing malicious attachments. As such, they perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.
“Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates, resulting in hundreds of victims per day. They can also automate parts of this process for efficiency. It is critical to implement training for all employees to help identify malicious emails/attachments,” the companies remind.
4-11 April: Key observations
Last week’s data showed malicious actors using vessel names in attempts to spoof companies in the maritime supply chain, with a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Ocean Chemist” and “MV Autai”, among others.
This week, analysts observed attackers attempting to send malware to targets working for the government of Córdoba, Argentina, the former home of Lockheed Martin Aircraft Argentina S. A. and current location of Argentina’s main aircraft manufacturer, Argentine Aircraft Factory “Brigadier San Martín” S.A.
Notably, the attackers target recipients at both the “cba[.]gov[.]ar” and “cba[.]gob[.]ar” domains, both of which are owned by the government of Córdoba. In the past two months alone, these domains have registered over 2,200 CTAC hits indicating malicious email activity. CTAC visualization data shows that these attacks have increased significantly over a short time span beginning in November 2020.
It is unclear why the attackers are targeting the province with a subject line referencing shipping. Although webmail filters identify the email as spam, the subject line used against multiple recipients is “FW: TT NO 013220150027 SHIPPING DOCUMENT.” It is also noteworthy that, while the emails were sent to multiple unique targets, they appear to have been sent at the same time.
The message body of the emails is identical with one exception: the greeting uses the first part of the email address, so if the target uses a “Joseph.Smith@cba[.]gov[.]ar” address, the greeting in the malicious email reads “Dear Joseph.Smith,”. This indicates the attackers are likely using an automated tool to generate these emails, and that they are not reviewing them for errors before sending.
The email signature is relatively professional in appearance, but the company listed in the signature does not have a public-facing website. The sender is also sending from a hanmail[.]net address, a generic Korean webmail provider (similar to Gmail or Hotmail). Attackers often use such accounts because they are more disposable than a legitimate business email address.
At this time, it appears attackers are targeting the government of Córdoba for unknown reasons, using malicious email subject lines related to shipping. Spikes such as this often indicate attackers pursuing a specific end goal against the target, such as exfiltrating stolen sensitive data or deploying ransomware for profit. Red Sky Alliance will continue to monitor this activity.
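As an added illustration (not part of the Dryad Global/RedSkyAlliance report), the following Python sketch turns the indicators described above into a mail-log triage check: the MV/MT subject keyword, a webmail sender domain, a greeting copied verbatim from the recipient's local part, and one subject reaching several recipients at the identical timestamp. The message records, the port-agency sender address and the three-recipient burst threshold are constructed for the example.

```python
import re
from collections import defaultdict
from email.utils import parseaddr

FREEMAIL = {"hanmail.net", "gmail.com", "hotmail.com"}  # webmail providers the report names
VESSEL_LURE = re.compile(r"\b(MV|MT)\b", re.IGNORECASE)  # the partners' weekly query keyword

def local_part(addr):
    """Mailbox name before '@' in an RFC 5322 address, case preserved."""
    return parseaddr(addr)[1].partition("@")[0]

def greeting_is_templated(to_addr, body):
    """Salutation is the recipient's local part pasted verbatim ('Dear Joseph.Smith,')."""
    lines = body.strip().splitlines()
    return bool(lines) and lines[0].strip() == f"Dear {local_part(to_addr)},"

def find_bursts(messages, min_recipients=3):
    """(subject, Date) keys under which one subject reached several unique recipients at one timestamp."""
    groups = defaultdict(set)
    for m in messages:
        groups[(m["subject"].strip(), m["date"])].add(parseaddr(m["to"])[1].lower())
    return {k for k, rcpts in groups.items() if len(rcpts) >= min_recipients}

def indicators(msg, bursts):
    """Names of the report's indicators that fire for one message."""
    hits = []
    if VESSEL_LURE.search(msg["subject"]):
        hits.append("vessel-keyword-subject")
    if parseaddr(msg["from"])[1].rpartition("@")[2].lower() in FREEMAIL:
        hits.append("freemail-sender")
    if greeting_is_templated(msg["to"], msg["body"]):
        hits.append("templated-greeting")
    if (msg["subject"].strip(), msg["date"]) in bursts:
        hits.append("same-time-burst")
    return hits

def triage(messages, min_recipients=3):
    """Map each recipient address to the indicators raised on its message."""
    bursts = find_bursts(messages, min_recipients)
    return {parseaddr(m["to"])[1]: indicators(m, bursts) for m in messages}

# Constructed sample traffic (not the report's data) modelled on its description.
BATCH = "Thu, 08 Apr 2021 09:12:00 +0000"
SAMPLE = [
    {"from": "Logistics <desk@hanmail.net>", "to": f"{u}@cba.gov.ar", "date": BATCH,
     "subject": "FW: TT NO 013220150027 SHIPPING DOCUMENT",
     "body": f"Dear {u},\nPlease find the attached shipping document."}
    for u in ("Joseph.Smith", "Maria.Lopez", "Carlos.Diaz")
] + [{"from": "agent@port-agency.example", "to": "ops@cba.gov.ar", "date": "Wed, 07 Apr 2021 14:00:00 +0000",
      "subject": "MV Autai berthing schedule", "body": "Dear Captain,\nSee below."}]
```

A single hit such as the MV keyword on the legitimate berthing message is a prompt to look closer, not a verdict; the batch of three fires on the sender, greeting and timing indicators together.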