
A technical assessment of a recent malicious email campaign against the maritime sector

Are your email habits putting you at risk? Email is one of the most common means of communication, but it is also an easily and widely abused system that gives attackers entry points into our organisations. In particular, during the recent pandemic we have seen a significant rise in the number of phishing attacks carried out by email, meaning organisations need to be even more vigilant.

Nettitude uncovered a recent maritime campaign that manipulates behaviours and common industry practices to deliver malicious payloads and compromise networks. In this blog post we go over our findings on the attack, how to spot this type of attack, and the best methods for responding.

Corporate Email Security Risks

Sometimes it feels like everything runs on email. We all know we get far too many each day, and crucial information is constantly being sent back and forth between individuals and companies. It has become so common that often we don’t stop to question whether it is the most effective way of carrying out a task, and whether it is exposing us to harm.

One area in which email seemingly cannot be escaped is communication with port authorities; this could be anything from arrival notifications to requests for bunkering, ballast discharge or diving. Although online reporting systems such as the Consolidated European Reporting System (CERS) portal run by the UK’s Maritime and Coastguard Agency (MCA) do exist, in many cases vessels still have to fill in a Word form or Excel spreadsheet and email it to the relevant authority. They may then also have to respond to follow-up questions or receive more paperwork to fill out.

Phishing emails exploiting trust

Whilst email communications are incredibly convenient, cyber criminals recognise this and exploit the weaknesses of the system, as well as our weaknesses as humans. Nettitude tracks the ways in which cyber criminals attempt to leverage the common scenarios in which the maritime industry shares information by email.

As part of this activity we have recently uncovered an ongoing campaign that emulates the routine messages sent between ships, agents and ports in order to trick users into opening malicious documents. Below we look at the details of the malicious activity, what was done about it, and the impact it had.

Email spoofing in the Maritime industry

This specific phishing email campaign was carried out by a group that used many different kinds of fake document, although the most common was a notice of arrival of a vessel, with arrival forms attached. In one example the spoofed email appeared to come from the International Maritime Organization (IMO), pretending to be carrying out a survey on cybersecurity in the maritime industry.

In this campaign the attachments were Rich Text Format (RTF) documents, which open in Microsoft Word, crafted to exploit a vulnerability disclosed in 2017. Where the exploit succeeds, the document downloads and installs a variant of the ‘HawkEye Reborn’ keylogger, malware that scrapes sensitive information and passwords from the infected machine (for example passwords saved in the browser, or the credentials of email accounts configured in Outlook). The malware then exfiltrates this data by email, to mailboxes at domains the attackers set up and named to look like they belong to legitimate maritime-related companies.
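The exfiltration channel described above is itself a detection opportunity: a keylogger that mails its loot out has to speak SMTP from the infected workstation, and the destination is a domain that merely resembles a partner rather than being one. The following is an added example of that detection logic, written for this post and not taken from Nettitude's technical brief. The log format, the permitted relay address 10.0.0.25 and the partner domain list are assumptions, and the log lines are constructed; the lookalike check is a plain edit-distance and label-containment test, which is the general form of which the campaign's domains are one instance.

```python
"""Flag endpoints sending SMTP directly, and SMTP destinations that imitate known partners.

Added example: constructed log lines and an assumed firewall/proxy log format
("src=... dst=<hostname> dport=..."); not tooling from the original analysis.
"""
import re

MAIL_RELAYS = {"10.0.0.25"}          # assumed: the only host allowed to originate SMTP
SMTP_PORTS = {25, 465, 587}
KNOWN_PARTNERS = ["example-shipping.com", "example-agency.com", "example-port.org"]  # assumed

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname. Good enough for the sample data; real
    deployments need a public-suffix list to handle domains like example.co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain: str, partners=KNOWN_PARTNERS, max_dist: int = 2):
    """Return the partner domain `domain` imitates, or None if it is an exact
    partner or unrelated. Two imitation styles are caught: a typo-distance
    variant (shiping/shipping) and a partner name padded with extra tokens."""
    if domain in partners:
        return None
    for p in partners:
        name = p.split(".")[0]
        if levenshtein(domain, p) <= max_dist or name in domain:
            return p
    return None


def analyse(lines) -> list:
    """Run both rules over log lines; return one alert dict per suspicious SMTP flow."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport not in SMTP_PORTS:
            continue
        reasons = []
        if src not in MAIL_RELAYS:
            reasons.append("endpoint originating SMTP")
        domain = registrable(dst)
        target = lookalike_of(domain)
        if target:
            reasons.append(f"{domain} resembles partner {target}")
        if reasons:
            alerts.append({"src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return alerts


# Constructed sample: two legitimate relay flows, one HTTPS flow, and two
# workstations mailing out to domains that imitate a real partner.
SAMPLE_LOG = """\
2020-06-01T08:12:03Z src=10.0.0.25 dst=mail.example-agency.com dport=25
2020-06-01T08:13:44Z src=10.0.5.17 dst=mail.example-shiping.com dport=587
2020-06-01T08:14:02Z src=10.0.5.17 dst=updates.example-vendor.net dport=443
2020-06-01T08:15:10Z src=10.0.0.25 dst=smtp.example-port.org dport=587
2020-06-01T08:16:31Z src=10.0.5.22 dst=mx.example-shipping-ltd.com dport=465
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The "endpoint originating SMTP" rule is the cheap, high-value one: in most organisations only the mail server should ever open port 25, 465 or 587 outbound, so a workstation doing so is worth an alert regardless of where it is going. The lookalike rule needs tuning against your own partner list and will produce noise for short or generic names, which is why it reports the imitated partner rather than blocking on its own.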

How to respond to phishing email campaigns

This is a relatively unsophisticated threat using commodity ‘off-the-shelf’ malware, but it shows how aware cyber threat actors are of the maritime industry. Given that attacks of this sort are ongoing, it is important to take steps to protect yourself against them. The following steps are an excellent place to start:

  • Move away from sending documents via email to providing information online where possible.
  • Implement strong email defences: install a mail filtering system and block emails carrying features your business doesn’t need (for example macro-enabled Office documents, or attachment types such as RTF that you never legitimately exchange).
  • Make sure security updates are promptly applied to systems that handle data or messages from untrusted sources (for example email and downloaded files).
  • Monitor networks for anomalous or malicious traffic (for example a workstation sending email directly to the Internet rather than via your mail server), and systems for unusual logins or data access.
  • Provide security awareness training for staff who send and receive emails.
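As an added example of the ‘block what you don’t need’ step above (written for this post, not tooling from the original campaign analysis), the following Python triages inbound attachments by content rather than by file name: Word treats anything beginning with `{\rt` as RTF whatever the extension says, and a port arrival form has no business carrying embedded OLE objects. The sample email and both RTF blobs are constructed; the hex in the second is a harmless placeholder object header, not an exploit, and the `application/msword` content type and `.doc` file name are assumptions about how such an attachment would arrive.

```python
"""Content-based triage of inbound RTF attachments (added example, constructed samples)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Control words that introduce embedded OLE objects. Legitimate business
# documents can carry them, but an arrival form should not, so their presence
# is a quarantine trigger rather than a malware verdict.
OLE_CONTROL_WORDS = (b"\\object", b"\\objemb", b"\\objautlink",
                     b"\\objclass", b"\\objdata", b"\\objupdate")

# Word only needs "{\rt" to treat a file as RTF, so match on that rather than
# on the full "{\rtf1" header or on the file extension.
RTF_MAGIC = re.compile(rb"^\s*\{\\rt")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def triage_rtf(data: bytes) -> dict:
    """Report whether a blob is RTF, which OLE control words it contains, and
    how many bytes of hex-encoded object data it carries."""
    objdata_bytes = 0
    for m in OBJDATA_RE.finditer(data):
        hexpart = re.sub(rb"\s", b"", m.group(1))
        objdata_bytes += len(hexpart) // 2
    return {
        "is_rtf": bool(RTF_MAGIC.match(data)),
        "control_words": [w.decode() for w in OLE_CONTROL_WORDS if w in data],
        "objdata_bytes": objdata_bytes,
    }


def should_quarantine(findings: dict) -> bool:
    """Policy: RTF content with any embedded object is held for review."""
    return findings["is_rtf"] and bool(findings["control_words"])


def scan_message(raw: bytes) -> list:
    """Triage every attachment of a raw RFC 822 message by content, not by name."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings = triage_rtf(data)
        findings["filename"] = part.get_filename()
        findings["quarantine"] = should_quarantine(findings)
        results.append(findings)
    return results


# --- constructed samples ---------------------------------------------------
BENIGN_RTF = rb"{\rtf1\ansi Notice of arrival: MV Example, ETA 01 June, berth 4\par}"

# RTF with an embedded OLE "Package" object. The hex is a made-up object
# header so the parser has something to count; it is not an exploit.
OLE_RTF = (rb"{\rtf1\ansi Notice of arrival, arrival form attached.\par"
           rb"{\object\objemb{\*\objclass Package}"
           rb"{\*\objdata 01050000020000000b0000005061636b61676500}}}")


def build_sample_email(attachment: bytes, filename: str) -> bytes:
    """Build a constructed arrival-notice email carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "agent@example-agency.invalid"
    msg["To"] = "master@example-vessel.invalid"
    msg["Subject"] = "Notice of Arrival - MV Example"
    msg.set_content("Please find the arrival form attached.")
    # The file name says .doc, but Word will open the content as RTF:
    # this is why the filter inspects bytes rather than trusting the name.
    msg.add_attachment(attachment, maintype="application", subtype="msword",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for blob in (BENIGN_RTF, OLE_RTF):
        for result in scan_message(build_sample_email(blob, "arrival_form.doc")):
            print(result)
```

The rule deliberately does not try to recognise the 2017 exploit itself; it removes the feature the exploit rides on. If your business does exchange documents with embedded objects, route quarantined items to a sandbox or to a human rather than weakening the rule.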

Preparing for when, not if

In the world of physical safety, it is well known that safe working practices must become a habit; PPE must always be worn for example. When that habit is not enforced, people fall back to what is easiest or quickest without fully assessing the risk that their actions might pose. The same is also true in people’s use of computers. While Security Awareness Training is important and can help users to understand the ways in which criminals operate, for those who are receiving emails on a daily basis and opening attachments, the situation is a little different.

When we carry out repetitive actions we become habituated to the situation and tend to respond in the same way each time. Our threshold for noticing things that look a little ‘off’ rises when the message broadly fits our internal narrative of what we expect to receive. This makes it all the more important to have the right SOC monitoring and incident response measures in place, so that should your organisation be targeted by a phishing attack, you are fully prepared.

For more information on protecting your organisation from phishing attacks, please don’t hesitate to get in touch with your local Nettitude team. In addition, the full technical brief for the above phishing campaign can be downloaded here.