By Joel Snape, Senior Threat Researcher at Nettitude
Sometimes it feels like everything runs on email. We all know we get far too many each day, and crucial information is constantly being sent back and forth between individuals and companies. It has become so common that often we don’t stop to question whether it is the most effective way of carrying out a task, or whether it is exposing us to harm. One area in which email seemingly cannot be escaped is communication with port authorities; this could be anything from arrival notifications to requests for bunkering, ballast discharge or diving. Although online reporting systems such as the CERS portal do exist, in many cases vessels still have to fill in a Word form or Excel spreadsheet and email it to the relevant authority. They may also then have to respond to follow-up questions, or get more paperwork to fill out.
In the world of physical safety, it is well known that safe working practices must become a habit - PPE must always be worn, for example. When that habit is not enforced, people fall back to what is easiest or quickest without fully assessing the risk that their actions might pose. The same is true of people’s use of computers. While security awareness training is important and can help users to understand the ways in which criminals operate, for those who receive emails and open attachments on a daily basis the situation is a little different. When we carry out repetitive actions, we become habituated to the situation and tend to respond in the same way each time. Our threshold for noticing things that might look a little bit ‘off’ becomes higher if the message broadly fits our internal narrative of what we are expecting to receive.
Criminals know this, and Nettitude tracks the ways in which they have been attempting to leverage common scenarios where the maritime industry shares information by email. We have uncovered an ongoing campaign which has been emulating the common messages sent between ships, agents and ports to attempt to trick users into opening malicious documents. The group used many different forms of fake documents, although the most common was a notice of arrival of a vessel, with arrival forms attached. There was even one example where the spoofed email appeared to come from the IMO, pretending to be carrying out a survey on cyber security in the maritime industry!
Figure 1: An example arrival notice email (left), and sample document (right) - in this case it is pretending to be a cyber security questionnaire from the IMO. (NB. the association with Cosco is completely spoofed).
In this campaign, the documents were a type of Office file (RTF) which opens with Microsoft Word, and which attempts to exploit a vulnerability discovered in 2017. Once exploited, the malicious document downloads and installs a variant of the ‘Hawkeye Reborn’ keylogger, a type of malware that scrapes sensitive information and passwords from the infected machine (e.g. passwords saved in the browser, or email accounts configured in Outlook).
The malware sends these back to the attackers using emails to users at domains the attackers have created, designed to look like they belong to legitimate maritime-related companies:
| Malicious domain | Likely impersonated company |
|---|---|
| tellaurus[.]net | Telaurus Communications (now Globecomm Maritime) |
| nedai[.]net | Neda Maritime Agency (Greece) |
| championtankers[.]com | Champion Tankers (Norway) |
| cofcoainternational[.]com | Cosco International (Hong Kong) |
| marmedsaa[.]com | Marmedsa shipping agency (part of Noatum) (Spain) |
| meadwaysshipping[.]com | Meadway Shipping (Greece) |
| oceantrendcarrier[.]com | Ocean Trend Carriers (Gibraltar) |
| omicronships[.]com | Omicron Ship Management (Greece) |
| penavicohhn[.]com | Hainan Fanyu Foreign Wheel Agency Co., Ltd. (China) |
| penavicot[.]com | Penavico Shenzhen Logistics Ltd. (China) |
| premiummaritime[.]com | Premium Maritime S.A. (Greece) |
| roxanashiping[.]com | Roxana Shipping S.A. (Greece) |
| seaposvcs[.]com | Seaport Services Pvt Ltd. (India) |
| sunbeamlogistic[.]com | Sunbeam Logistics (India) |
| goshipg[.]com | Go Shipping (Greece) |
| gulfagancys[.]com | Gulf Agency Services (Djibouti) |
| bulkshiping[.]com | Bulk Shipping (Pakistan) |
| brise-chartering[.]com | Briese Chartering (Germany) |
| seacon-dz[.]com | La SARL SEACOM |
| age-line[.]cf | AGE-LINES Co. Ltd (Vietnam) |
| age-lines[.]cf | AGE-LINES Co. Ltd (Vietnam) |
| firstcoast[.]cf | FirstCoast Maritime Academy (USA) |
| gpl-sg[.]ml | Genshipping Pacific Line (Singapore) |
| nsuship[.]cf | NS United Shipping |
| chunweshipping[.]com | China Shipping |
| vpnet[.]cf | Vostochny Port (Russia) |
| tonglishippingpte[.]cf | Tongli Shipping (China) |

Table 1A: Subset of malicious domains registered by attackers, aiming to impersonate legitimate companies.
Registering domains that resemble real maritime companies is likely an attempt to evade detection by network monitoring, since outbound mail to a plausible-looking shipping agent draws less attention. Once the attacker has obtained passwords from victim organisations, they can be used to access company networks, email accounts etc. and, depending on their motivations, could be used to mount further attacks, deploy ransomware or get access to sensitive information. For a full, in-depth description of how the malware operates, see our post on Nettitude Labs and take a look at our full research report on this attack.
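The lookalike domains in Table 1A mostly differ from the real company name by a doubled or dropped letter, or sit on a free TLD. The following added example (not code from the original post or from Nettitude) shows how an outbound mail relay's logs can be checked for recipient domains that are near-matches of a partner allow-list; the partner domains and log lines are constructed for illustration.

```python
import re
from typing import Optional

# Constructed partner allow-list (hypothetical; a real one would come from
# the organisation's own agent/port contact data).
PARTNER_DOMAINS = {
    "telaurus.example", "roxanashipping.example", "briese-chartering.example",
    "meadwayshipping.example", "bulkshipping.example",
}
WATCHED_TLDS = {"cf", "ml"}   # free TLDs that recur in Table 1A
MAX_EDITS = 2                 # label edits still treated as a lookalike
RCPT_RE = re.compile(r"\bto=\S+?@([\w.-]+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> tuple[str, Optional[str]]:
    """Return (verdict, matched_partner); verdict is known, lookalike,
    watched-tld or unknown. Label split is naive (no co.uk handling)."""
    d = domain.lower().rstrip(".")
    if d in PARTNER_DOMAINS:
        return "known", d
    parts = d.split(".")
    label = parts[-2] if len(parts) > 1 else d
    for partner in sorted(PARTNER_DOMAINS):
        # distance 0 means the same name on a different TLD: still a lookalike
        if levenshtein(label, partner.split(".")[-2]) <= MAX_EDITS:
            return "lookalike", partner
    if parts[-1] in WATCHED_TLDS:
        return "watched-tld", None
    return "unknown", None

def scan_smtp_log(lines: list[str]) -> list[tuple[str, str, Optional[str]]]:
    """Return (recipient_domain, verdict, partner) for every non-known recipient."""
    alerts = []
    for line in lines:
        m = RCPT_RE.search(line)
        if m and (result := classify(m.group(1)))[0] != "known":
            alerts.append((m.group(1),) + result)
    return alerts

# Constructed outbound-relay log lines (not real traffic).
SAMPLE_LOG = [
    "2019-05-14T09:12:03Z relay out from=master@vessel.example to=ops@telaurus.example",
    "2019-05-14T09:12:41Z relay out from=master@vessel.example to=log@tellaurus.net",
    "2019-05-14T09:13:07Z relay out from=master@vessel.example to=acct@brise-chartering.com",
    "2019-05-14T09:14:55Z relay out from=master@vessel.example to=ops@age-lines.cf",
]
```

A `lookalike` hit on a recipient the organisation has never mailed before is the signal worth alerting on; a `watched-tld` hit is weaker and better used to prioritise review.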
Figure 2: Hawkeye for sale on a well-known hacking forum
This is a relatively unsophisticated threat using commodity ‘off-the-shelf’ malware, but it is an indication of the awareness that cyber threat actors have of the maritime industry. Given that these sorts of attacks are ongoing, it is important to take steps to protect yourself against them:
- Move away from sending documents via email to providing information online where possible.
- Implement strong email defences - consider installing a mail filtering system and blocking emails containing features your business doesn’t need (for example macro-enabled Office documents).
- Make sure security updates are promptly applied to systems that deal with data or messages from untrusted sources (e.g. emails, files etc.).
- Monitor networks to detect anomalous or malicious traffic, and systems to detect unusual access or data access.
- Provide security awareness training for staff who send and receive emails.
Nettitude, part of the Lloyd’s Register Group, provides a range of services to the maritime industry, from understanding the risks that are present in your environment, to proactive testing to find weak spots and security monitoring to detect and respond to attacks. Visit our website or contact us to learn more about how to protect your business from cyberthreats.