Maritime Cyber Security & Threats January 2020 Week Four

George Papaioannou : CEO & co founder at Crontab Cyber Security Limited

 LinkedIn Profile: https://www.linkedin.com/in/georgios-papaioannou-a88aa614/

In the below collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. All malicious emails attempt to deliver a single malware, Trojan:Win32/Wacatac.C!ml. Vessel names seen this week include "S.S. PACIFIC ENLIGHTEN", and "SEA LONGITUDE" among others.

Only 2 of the emails observed this week contained unredacted message bodies.

An email was observed attempting to impersonate "S.S. PACIFIC ENLIGHTEN". This vessel is a liquefied natural gas (LNG) tanker vessel sailing under the Bahaman flag and currently en route to to the Australian port of Dampier.

The message contains the subject line "/Inquiry PDA at Incheon(S.S. Pacific Enlighten)" and a RAR compressed attachment identified by Microsoft as the Trojan:Win32/Wacatac.C!ml malware. The message body requests a PDA for this vessel and invites the user to check the attached document for vessel details to be used in preparing the PDA. However, opening the attachment could activate the malware.Analysis reveals that a malicious email was sent from an IP address in the Republic of Korea to a recipient at the lngmt.jp domain. The target domain is owned by the Japanese LNG shipping company LNG Marine Transport Limited and hosted bvy by Japanese ISP NTT Communications Corporation.

In another example this week, we seen an email attempting to impersonate the vessel "SEA LONGITUDE". This vessel is an oil and chemical tanker sailing under the Tuvalu flag and currently en route to the port of Mangalore, India.

Analysis reveals that a malicious email was sent to a recipient at the tck-shipping.co.id domain. The domain is owned by the Indonesian shipping company PT Tarunacipta Kencana (TCK). The tck-shipping.co.id domain appears to be no longer in use as evidenced by the web page located there displaying an "Index of" page. The company's main page is now located at tck.co.id. The contact page lists email addresses using the newer domain (tck.co.id) but that does not mean that email addresses at the old domain (tck-shipping.co.id) are inactive.

The message uses the subject line "REQUEST FOR EPDA FOR SEA LONGITUDE CALLING LUBUK GAUNG FOR LOADING ABOUT 15,000MT RBD PALM OLEIN" revealing a level of detail in the attacker's reconnaissance. Examination of the target's corporate website reveals the company's origin as shipping Palm Oil. They currently seek to be an industry leader in liquid cargo ocean shipping.

The message body requests loading agent services and references the attached document as a Q88 form, inviting the user to prepare an EPDA using the Q88 data. However, opening the attachment could activate the malware's malicious payload.