


Maritime and defence sectors hit with new malware attacks

October 18th 2017
Mysterious cyber espionage campaign uses 'torpedo' lure to trick you into downloading malware

Researchers at Proofpoint say the 'Leviathan' threat group is regularly launching phishing and malware attacks in an effort to steal sensitive data.

An espionage group is launching cyber attacks against organisations in the maritime and defence sectors in what's highly likely to be an effort to steal confidential information and research data.

Dubbed Leviathan, the group has been active since at least 2014 and takes particular interest in maritime industries, naval defence contractors and associated university research institutions as well as related government and legal agencies.

Organisations targeted by the campaign are mostly in the US and Western Europe, while some targets are active in the South China Sea.

Military and defence contractors are often the target of cyber attacks and researchers at Proofpoint recently detected new campaigns targeting US shipbuilding companies and a university research centre with military ties. Researchers dubbed the threat Leviathan due to its focus on organisations related to naval technology and maritime interests.

Phishing emails distributed in mid-September used references to job applications, resumes and a "Torpedo recovery experiment" in an effort to lure targets into opening messages containing malicious Microsoft Excel and Word documents laced with macros.

The malicious documents leveraged CVE-2017-8759, a parser code vulnerability which allows attackers to inject code to execute Visual Basic scripts containing PowerShell commands for the installation of malware. Researchers note that the zero-day was only discovered days before the campaign, indicating the attackers are quick to exploit new attack vectors.

In addition to the September campaign, researchers say the same attackers sent spear-phishing emails containing malicious URLs to multiple defence contractors in August. The messages contain lures ranging from fake Microsoft licensing agreements to phony messages purporting to be from companies involved with the building of military ships, submarines and other vessels.

This version of the campaign leveraged CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and WordPad parse specially crafted files, which can ultimately enable attackers to take full control of an infected system.

The vulnerability was patched in April, but the attackers are likely aware of how many organisations are slow to get round to installing updates.