Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.
Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
This week Red Sky Alliance reports a large percentage of these malicious emails attempting to deliver Wacatac, with the D variant showing up for the first time. More specifically:
- Vessel names seen include “MV WAF PASSION”, and “MV OCEAN HERO” among others. One malicious email included in the report does not attempt to impersonate a vessel. However, it attempts to impersonate a Corona Virus advisory from the World Health Organization warning of vessels with infected crew.
- An email was observed attempting to impersonate “MV OCEAN HERO” using a subject line of “MV OCEAN HERO : CTM DELIVERY”. According to maritimetraffic.com, this name is shared by a Singaporean Oil/Chemical tanker, a Panamanian general cargo carrier, and another general cargo ship sailing under the Hong Kong flag.
- We also see an email attempting to impersonate the vessel “MV WAF PASSION” using the subject line “MV WAF PASSION – PDA”. The vessel name belonged to a Sri Lankan General Cargo vessel until October 5, 2019 when the name was changed to ZEA PASSION and then changed again to MERCS PASSION at an unknown time.
- Another e-mail uses the subject line “CORONA VIRUS / AFFECTED VESSEL TO AVOID”, which supposedly contains a list of vessels with infected crew. However, the message body provides guidelines and procedures for ships Masters to avoid crew infection. There are also numerous calls to action in the message body enticing recipients to open, fill out, and return the attached forms by email. The attached document, an Excel spreadsheet named “”CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm” echoes the subject line in its promise to reveal affected (infected) crew and vessels.
- Lastly, a malicious email was observed impersonating the World Health Organization (WHO), specifically Monika Kosinska, Project Manager at the WHO Regional Office for Europe. Overall, the use of language in this message is good, but on close inspection there are punctuation errors, capitalization errors, and slight phrasing issues throughout. These are errors that a former resident of the UK, Kings College graduate, and fluent English language speaker like Ms. Kosinska is unlikely to make.
In order to be protected from such malicious actions, Dryad Global recommends the following as preventive measures:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
You may see more information on Dryad Global website.
