The maritime transportation sector has seen a sudden rise in the number of phishing emails making it through security filters. Part of the problem is that many of the phishing emails are coming from known addresses that have been compromised through credential harvesting. Please ask your staff to be continually cautious when receiving unexpected emails with links or attachments, as these often allow further compromise. A quick phone call to the sender to verify can save a lot of time and money if the sender's email account was compromised. While the USCG does not regulate business, you are still encouraged to report suspicious emails to us through the NRC or Sector Command Center. This allows the Department of Homeland Security to track events and shut down operations before problems escalate into financial losses.
Please share this with your IT/Cyber Security teams so that they can be on the lookout for indicators of compromise.
As an update to the alert in late May about an APT group known as Volt Typhoon: this group is known to be associated with the People's Republic of China. Increased activity indicates that networks across all critical infrastructure sectors could be affected, including all industries associated with maritime transportation and energy/oil production.
Website Updates
The Coast Guard updated its maritime cybersecurity website. The updates reflect a closer partnership with CISA and MARAD. It includes contact information for all the people in my role as an MTSS-C in case your company has facilities outside of Sector Upper Mississippi River. The updates include both facility and vessel resources. It also has links to the known indicators of compromise that your IT/Cybersecurity teams can use to find potential compromises on your networks. The website's landing page is fairly large, but I think taking a few minutes to scroll through it might benefit your facilities.
___________________________________
Summary
First reported in March 2023 and resuming in early June 2023, maritime transportation system (MTS) stakeholders reported an increase in unblocked, bid-themed phishing emails received from compromised senders. The threat actor(s) behind these phishing campaigns are leveraging the same cloud-hosted collaboration service, Box[.]com, to host both the embedded link and the malicious content.
In a sandbox environment, opening the embedded link leads to a Box webpage containing a second embedded link, which directs the prospective victim to a CAPTCHA and then a login landing page. The bid-themed emails have been received by users in MTS engineering, security, procurement, and other departments. In one case, MTS stakeholders received emails from different compromised senders, but the credential-harvesting login page used to exfiltrate victim credentials was the same (see bolded item below).
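The staging pattern described above (a lure whose link points at a cloud collaboration host, with one hosted page reused across several compromised senders) is something a mail team can check for in a triage queue. The script below is an added example and is not Coast Guard or MTS-ISAC tooling. It assumes messages are available as raw RFC 5322 text, treats box.com (named in the advisory) as the watched host, and uses an assumed list of bid-themed subject words; the sample messages are constructed and contain no real senders or links.

```python
"""Triage helper for bid-themed phishing staged on a cloud collaboration host.

Added example, not the advisory's own tooling.  Assumptions: raw RFC 5322
messages, box.com as the watched host (from the advisory), and an assumed
list of bid-themed subject words.  Messages that share the same hosted link
are grouped, because the advisory notes one credential-harvesting page being
reused across different compromised senders.
"""
import re
from collections import defaultdict
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Host the advisory identifies as abused for staging; subdomains match too.
WATCHED_HOSTS = {"box.com"}
# Assumed subject words that mark a "bid-themed" lure.
BID_WORDS = ("bid", "tender", "rfq", "proposal")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Concatenate every text part (plain and HTML) of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _is_watched(host: str) -> bool:
    """True for a watched host or any of its subdomains (not look-alike suffixes)."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)


def triage(raw: str) -> dict:
    """Return sender, subject, watched links and flags for one raw message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    links = sorted({u.rstrip(".,;") for u in URL_RE.findall(_body_text(msg))})
    watched = [u for u in links if _is_watched(urlparse(u).hostname or "")]
    bid_themed = any(w in subject.lower() for w in BID_WORDS)
    return {
        "from": msg.get("From", ""),
        "subject": subject,
        "watched_links": watched,
        "bid_themed": bid_themed,
        # Both signals together match the advisory's pattern; either alone is only a hint.
        "suspicious": bool(watched) and bid_themed,
    }


def cluster_by_link(results: list[dict]) -> dict[str, list[str]]:
    """Group senders by the hosted link they point to.  A link shared by
    unrelated senders is the reuse pattern the advisory calls out."""
    groups = defaultdict(list)
    for r in results:
        for u in r["watched_links"]:
            groups[u].append(r["from"])
    return {u: senders for u, senders in groups.items() if len(senders) > 1}


# Constructed sample messages (fictitious senders and links).
SAMPLES = [
    """From: procurement@example-supplier.test
To: engineering@example-port.test
Subject: Bid documents for Q3 dredging contract
Content-Type: text/plain

Please review the bid package here: https://app.box.com/s/EXAMPLE-shared-id
""",
    """From: accounts@example-shipyard.test
To: security@example-port.test
Subject: RFQ attached - vessel maintenance
Content-Type: text/html

<html><body><a href="https://app.box.com/s/EXAMPLE-shared-id">Open RFQ</a></body></html>
""",
    """From: newsletter@example-port.test
To: staff@example-port.test
Subject: Weekly safety update
Content-Type: text/plain

Minutes are on the intranet: https://intranet.example-port.test/minutes
""",
]


if __name__ == "__main__":
    results = [triage(s) for s in SAMPLES]
    for r in results:
        tag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(tag, r["from"], r["watched_links"])
    for link, senders in cluster_by_link(results).items():
        print("shared link", link, "used by", senders)
```

The host check deliberately requires an exact match or a true subdomain, so a look-alike such as box.com.<other-domain> is not treated as the collaboration service. Run against a mailbox export, the cluster output is the quickest way to spot the "different compromised senders, same landing page" situation the advisory describes.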
If you are seeing threat activity related to this advisory, please contact the MTS-ISAC.
Identified Threat Activity Information
Phishing Domains
Recommended Actions
The following are some best practices for countering malicious email attacks:
Please share suspicious activity with the MTS-ISAC for further analysis, trending, and reporting to the maritime community.
Conclusion
Please continue to maintain heightened awareness and contact the MTS-ISAC if there are questions or if your organization has similar activity to report: [email protected].