On the morning of September 20th, 2018, the Port of Barcelona was hit by a cyber-attack that forced the operators of the port’s infrastructure to launch emergency procedures. A few days later, several computers at the Port of San Diego were infected with ransomware. The incident impacted the processing of park permits and record requests, as well as other operations. The incidents have raised discussion about security for these types of critical infrastructures and demonstrated that ports and other such locations are too vulnerable to cyber-attacks. The increased usage of computer systems for navigation, container inspection, design and manufacturing of vessels is exposing the industry to cyber-threats. The design center, ships and safe navigation, satellite communications systems, tracking systems, marine radar systems and automatic identification systems are just a few examples of potential targets for attackers. According to experts, the rapid and increasing convergence of IT and OT systems, along with the diffusion of connected devices, is exposing the navy and shipping to cyber-threats. Threat actors could launch cyber-attacks for the purpose of either espionage or sabotage. To mitigate threats, it is necessary to adopt a new model of cybersecurity based on threat intelligence and information sharing on cyber-threats. The maritime sector is particularly threatened by disruptions due to the role of technology in global trade. Many cyber-attacks have been carried out on commercial ships. In one such incident, a commercial ship contracted to the U.S. military was the victim of a cyber-attack powered by suspected Chinese military hackers. In 2012, the China-linked hackers compromised “multiple systems” on a commercial ship on contract to Transcom. Over 2018, the China-linked APT group Leviathan, aka TEMP.Periscope, increased its attacks on engineering and maritime entities. In November the top Australia defense firm Austal, also working with the United States Navy, suffered a serious security breach. Unfortunately, many cyber-events in the maritime industry have remained undetected. Businesses have also been reluctant to reveal them to the public. Another worrisome aspect is that many organizations in the maritime industry are not properly conducting regular security assessments to evaluate their vulnerability to a cyber-attack.
Case Study: MartyMcFly Cyber-Espionage Campaign Targets Italian Naval Industry
A few weeks ago, malware researchers at the Yoroi security firm uncovered a targeted attack utilizing the MartyMcFly malware against one of the most important companies in the Italian naval industry. The victim is one of the most important firms of the defensive military-grade naval ecosystem in Italy. The investigation started after an email was sent to a certain office at an unnamed naval company. The message was asking for naval engine spare parts prices. It was quite clear, written in a perfect language and detailed spare parts matching the real engine parts. The analyzed email presented two attachments to the victim:
A company profile, aiming to present the company who was asking for spare parts A Microsoft.XLSX document where the list of the needed spare parts was (apparently) available
The attacker asked for a quotation of the entire spare part list that was reported in the attached spreadsheet. With this scheme, the attackers attempted to trick victims into opening the Microsoft Excel file in attachment. Opening up the weaponized file, the result is infection. A deeper analysis of the weaponized file revealed it contained encrypted content: OleObj.1 and OleObj.2. Both objects are real encrypted OLE objects where the encrypted payload sits in the “EncryptedPackage” section and information on how to decrypt it is available in the “EncryptionInfo” xml descriptor. At the time of the analysis, the EncryptionInfo held the encryption algorithm and additional information regarding the payload, but no keys were provided. The first challenge for the researchers was to discover how Microsoft Excel is able to decrypt such a content if no password is requested to the end user. Put another way, if the victim opens the document and he/she is not aware of “secret key,” how can he/she get infected? Why would the attacker use an encrypted payload if the victim cannot open it?
Figure 1 – Stage1: Encrypted Content
Using an encrypted payload is quite a common way to evade antivirus software, since the encrypted payload changes depending on the used key. But what is the key? Microsoft Excel implements a common way to open documents called “Read Only.” In “Read Only” mode, the file can be opened even if encrypted. Microsoft Excel only asks the user for a decryption key if the user wants to save, print or modify the content. In that case, Microsoft programmers used a special and static key to decrypt the “Read Only” documents. The key has the value “VelvetSweatshop.” The experts used the “key” to decrypt the content and they were able to extract more objects wrapped in the Excel file, which begins Stage 2. Stage 2 exposes a new object inclusion. That object was created on 2018-10-09, but it was seen for the first time on 2018-10-12. At the time of the analysis, the extracted object is clear text and not encrypted content at all. The following image shows the extracted object from Stage 2.
Figure 2 – Stage 2: Extracted payload
The payload exploits the CVE-2017-11882 flaw by spawning the Equation Editor, dropping and executing an external PE file. We might define the Equation Editor dropping and executing as Stage 3. Stage 4 is represented by the GEqy87.exe executable, a common Windows PE. It’s placed inside an unconventional folder (js/jquery/file/… ), into a compromised and thematic website. This placement usually has a double goal: (a) old-school or unconfigured IDS bypassing, and (b) hiding malicious software inside the well-known and trusted folder structure in order to persist despite website upgrades. Stage 4 malware is written in Borland Delphi 7. According to VirusTotal, the software was “seen in the Wild” in 2010 but submitted only on 2018-10-12! “This is pretty interesting, isn’t it? Maybe hash collision over multiple years? Maybe a buggy variable on VirusTotal? Or maybe not, something more sophisticated and complex is happening out there,” said Marco Ramilli, founder and CEO at Yoroi.
Figure 3 – Stage 4: According to VirusTotal
The analysis of the GEqy87 binary revealed that it was hiding an additional Windows PE. Stage 5 deploys many evasion tricks, such as GetLastInputIn, SleepX and GetLocalTime to trick debuggers and sandboxes. It makes an explicit date control check to 0x7E1 (2017). If the current date is lesser than or equal to 0x7E1, it ends up by skipping the real behavior. However, if the current date is, for example, 2018, it runs its behavior by calling “0xEAX” (typical control flow redirection on memory crafted). The following evidence is worth noting: Assuming there were no hash collisions over years and that VirusTotal’s “First Seen in The Wild” listing is right (and not bugged), we might think that we are facing a new threat targeting the naval industry, planned in 2010 and run in 2018. The name MartyMcFly (a Back to the Future reference) comes pretty naturally here due to this interesting date-back from Virus Total.
MartyMcFly Is a Broad Campaign
Security experts at Kaspersky Lab who analyzed the Yoroi report speculated the involvement of a cybercriminal group carrying out spearphishing attacks against various companies in several states, including Germany, Spain, Bulgaria, Kazakhstan, India and Romania. “We believe it is worth noting that well considered and carefully prepared phishing emails and remote administration tools can also be used by ‘advanced’ phishers. We believe that a cybercriminal group is behind this attack. The group conducts massive campaigns that involve sending phishing emails to various companies, some of which are critical infrastructure facilities. The objective of such groups is to steal financial data and money,” reads the analysis published by Kaspersky. “According to our data, the phishing documents mentioned in the Yoroi publication have been emailed, under different names, to companies located in many different countries, including Germany, Spain, Bulgaria, Kazakhstan, India, Romania, etc. The companies attacked work in a variety of areas, from supplying beans to providing consulting services.”
Figure 4 – MartyMcFly attacks
Researchers from Yoroi conducted further analysis on the campaign in a joint investigation with Fincantieri, one of the biggest players in the naval industry across Europe. Fincantieri, who was not involved in the previous MartyMcFly attack, identified and blocked additional threats targeting their company-wide infrastructure intercepted during the week of August 20th, 2018, a few months before the MartyMcFly campaign. Yoroi and the Fincantieri team worked to find a link between the attacks targeting Italian naval industries and attempt to attribute them. Fincantieri’s security team shared a copy of a malicious email with Yoroi, as carefully themed as the ones intercepted by the Yoroi’s Cyber Security Defense Center between 9th and 15th October. At first glance, the message appears suspicious due to the inconsistent sender’s domain data inside the SMTP headers: From: alice.wu@anchors-chain.com Subject: Quotation on Marine Engine & TC Complete User-Agent: Horde Application Framework 5 X-PPP-Vhost: jakconstruct.com The evidence collected during the joint maneuver suggests that some still-unspecified threat actor is likely trying to establish a foothold in the Italian naval industry at the very least. At this time, it is not possible to confirm that the two waves of attacks have been planned and executed by the same threat actor behind the “MartyMcFly” campaign; many differences such as the distinct type of payload must be considered relevant. However, at the same time, common elements demand that we not discard the possibility of this relationship. For example, the following indicators are likely, suggesting a correlations behind the campaigns:
Personification of the service provider and satellite companies of the naval industry sector Usage of domain names carefully selected to appear similar to legitimate names of known companies Usage of professional-sounding emails containing reference and documents carefully designed to impersonate other addresses Possible usage of “Microsoft Word 2013”
Conclusions
The MartyMcFly malware attack is just the tip of the iceberg. Hackers continue to target operators in the naval industry with the intent of stealing industrial secrets. The level of sophistication of many attacks make their detection difficult. In some cases, cyber-espionage campaigns go undetected for years. As previously mentioned, Austal, a top Australia defense firm that works with the U.S. Navy, has suffered a serious security breach – hackers accessed personnel files as part of an extortion attempt. The only way to rapidly detect campaigns carried out by threat actors is to share knowledge about their activities and adopt a multi-layered security approach to defend organizations in this sector.
Sources
Troubled Waters: How A New Wave of Cyber-Attacks is Targeting Maritime Trade, Security Week Port of San Diego hit by a cyber attack a few days after the attack on the Port of Barcelona, Security Affairs Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”), Yoroi Phishing attack targeting Italian naval and defense industry, Kaspersky Lab Top Australia Defence company Austal notifies a serious security breach, Security Affairs The ‘MartyMcFly’ investigation: Italian naval industry under attack, Security Affairs MartyMcFly Malware: new Cyber-Espionage Campaign targeting Italian Naval Industry, Security Affairs Hackers target Port of Barcelona, maritime operations had not affected, Security Affairs Chinese APT Group TEMP.Periscope targets US Engineering and Maritime Industries, Security Affairs
