After the discovery of MartyMcFly, the Yoroi-Fincantieri SOC cyberforce was born to analyze cyber threats to the naval industry in Italy
Someone is conducting a campaign of cyber attacks aimed at the naval industry in Italy. This was discovered by Yoroi's cyber security experts and by Fincantieri's Security Operation Center (SOC), who recently created a joint cyberforce. The partnership was born after the ICT company discovered "MartyMcFly", a malware used in a timed attack, planned in 2010 and executed in 2018, against an Italian company operating in the shipping sector. A few days later, additional findings from Kaspersky suggested that the threat could be much larger, and related to a set of cyber attacks in other parts of the world: from Germany to Spain, through India and some areas of North Africa. This is also confirmed by the latest attack trends in the sector. This new perimeter intrigued Yoroi's analysts, who created the cyberforce with the SOC of Fincantieri, one of the main European organizations operating in the sector.
Why the Italian shipbuilding industry is under cyber attack. The vectors are the same: email and websites, with suppliers as bait
The Yoroi and Fincantieri cyberforce has started a new analysis of the MartyMcFly cyber attack, based on further evidence in the possession of the Italian naval industry giant. The company itself was not hit by the malware, but its SOC has lately observed further threats that apparently share the same modus operandi. The cyber security experts have highlighted some elements that leave no doubt. Both malicious campaigns use emails impersonating service providers or small suppliers in the naval industry. This indicates that these are targeted actions against the sector: the aggressor employs a series of baits that are valuable only if used to hit targets in this area. As further confirmation, the attackers register domains resembling those that actually exist in the ecosystem of suppliers of the naval industry. Finally, the body of the messages uses sector-specific language and references to "spare parts" for boats (a term also used in the field of maritime defense).
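The lookalike supplier domains described above are something a mail gateway or SOC playbook can screen for mechanically. The following is an added example, not tooling from Yoroi, Fincantieri or the article: given an allowlist of known supplier domains (the `*.example` names here are constructed placeholders), it classifies a `From:` header as trusted, lookalike or unknown, treating a small edit distance, a known name under a different top-level domain, or a known name embedded in a longer label as impersonation indicators. Legitimate subdomains of an allowlisted supplier are kept as trusted.

```python
"""Flag sender domains that impersonate known naval-industry suppliers.

Added example with constructed data; the supplier names are placeholders,
not real companies, and the thresholds are assumptions to tune per tenant.
"""
from email.utils import parseaddr
from typing import Iterable, Optional, Tuple

# Constructed allowlist of supplier domains (not real domains).
KNOWN_SUPPLIERS = {"marine-spares.example", "portservices.example", "shipyard-parts.example"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the suffix: 'marine-spares' for 'mail.marine-spares.example'.

    Simplification (assumption): the last label is treated as the public suffix,
    which is enough for single-label TLDs like .example or .com.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(header_from: str,
                    allowlist: Iterable[str] = KNOWN_SUPPLIERS,
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_supplier) for a raw From: header value.

    verdict is one of 'trusted', 'lookalike', 'unknown' or 'invalid'.
    """
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return "invalid", None
    domain = addr.rsplit("@", 1)[1].lower()
    allow = {d.lower() for d in allowlist}

    # Exact supplier domain, or a subdomain of one, is trusted.
    for good in allow:
        if domain == good or domain.endswith("." + good):
            return "trusted", good

    label = registrable_label(domain)
    for good in allow:
        good_label = registrable_label(good)
        # Same name under another TLD: marine-spares.example vs marine-spares.test
        if label == good_label:
            return "lookalike", good
        # Dropped, swapped or substituted characters: marine-spare, marine-sparess
        if levenshtein(label, good_label) <= max_distance:
            return "lookalike", good
        # Known name padded with extra words: marine-spares-srl, marinespares-orders
        if good_label.replace("-", "") in label.replace("-", ""):
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed headers, not real messages.
    for hdr in ("Orders <orders@marine-spares.example>",
                "Orders <orders@marine-spare.example>",
                "Sales <sales@marine-spares-srl.example>",
                "Ops <ops@mail.portservices.example>",
                "Newsletter <noreply@example.org>"):
        print(hdr, "->", classify_sender(hdr))
```

The distance threshold is deliberately small; with a large allowlist of short names a threshold of 2 will start to collide, so in practice the verdict should feed a review queue or a display-name/SPF check rather than block on its own.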
Malware (payload) and "drop" change: from the Microsoft Equation Editor vulnerability to phishing web pages
There is, however, one element that changes between the cyber attacks against the Italian naval industry: the malware. The Yoroi-Fincantieri cyberforce found that in the "MartyMcFly" case the payload was a known RAT (Remote Access Trojan), used to maintain control of the targeted machines in order to silently steal information and possibly tamper with documents (cyber espionage and cyber warfare). In the new case, by contrast, the payload was a web page whose goal was to steal credentials. The "drop" paths also differ. In the first case a multi-stage chain based on "Microsoft Office Default Encryption OLE OBJ" was used, exploiting the vulnerability known as CVE-2017-11882 (the Microsoft Equation Editor vulnerability). In the second, a classic phishing web page was used, disguised as that of a well-known shipping company.
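A document that exploits CVE-2017-11882 must embed an Equation Editor 3.0 object so that Office hands it to the vulnerable component, and that object announces itself through well-known markers: the `Equation.3` ProgID and the Equation Editor class id `{0002CE02-0000-0000-C000-000000000046}`. The scanner below is an added example, not code from the article or from the Yoroi-Fincantieri cyberforce; it only reports which markers an attachment carries (in an RTF `\objclass` group, hex-encoded inside `\objdata`, or as raw bytes in an OLE file) so a mail gateway can quarantine or flag it for analysis. The RTF and OLE samples are constructed for the example and contain no exploit.

```python
"""Report Equation Editor (Equation.3) object markers in mail attachments.

Added, detection-only example with constructed samples. It does not parse the
Equation object itself; it checks for the presence of the identifiers any
document must carry to be dispatched to Equation Editor 3.0.
"""
import re
from typing import List

# Well-known identifiers of Equation Editor 3.0, the component patched for
# CVE-2017-11882: its ProgID and its CLSID {0002CE02-0000-0000-C000-000000000046}
# in the little-endian byte order used inside OLE streams and RTF \objdata hex.
EQ_PROGID = b"Equation.3"
EQ_CLSID_LE_HEX = b"02ce020000000000c000000000000046"
EQ_CLSID_LE = bytes.fromhex(EQ_CLSID_LE_HEX.decode())


def _rtf_hex_payload(data: bytes) -> bytes:
    """Collapse the file to its hex characters so whitespace, line breaks or
    control words interleaved in \\objdata cannot split an indicator."""
    return re.sub(rb"[^0-9a-f]", b"", data.lower())


def equation_editor_indicators(data: bytes) -> List[str]:
    """Return the list of Equation Editor markers found in the attachment bytes."""
    hits = []
    if re.search(rb"\\objclass\s+equation\.3", data.lower()):
        hits.append("rtf-objclass-equation3")      # RTF object class declaration
    if EQ_PROGID in data:
        hits.append("progid-ascii")                # plain ProgID string anywhere
    hexed = _rtf_hex_payload(data)
    if EQ_PROGID.hex().encode() in hexed:
        hits.append("progid-hex")                  # ProgID inside OLE1 \objdata hex
    if EQ_CLSID_LE_HEX in hexed:
        hits.append("clsid-hex")                   # CLSID inside \objdata hex
    if EQ_CLSID_LE in data:
        hits.append("clsid-raw")                   # CLSID in a raw OLE/compound file
    return hits


# Constructed samples (no exploit content): an RTF carrying an Equation.3 object
# header with whitespace inserted in the hex, an OLE-like blob with the CLSID,
# and a benign RTF.
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000 0b000000 4571756174696f6e2e3300 }}}")
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + EQ_CLSID_LE + b"\x00" * 16
SAMPLE_BENIGN = b"{\\rtf1 Quotation for spare parts attached, see PDF.}"


def triage(attachments: dict) -> dict:
    """Map attachment name -> indicator list, for every attachment of a message."""
    return {name: equation_editor_indicators(blob) for name, blob in attachments.items()}


if __name__ == "__main__":
    for name, hits in triage({"quote.rtf": SAMPLE_RTF, "order.doc": SAMPLE_OLE,
                              "terms.rtf": SAMPLE_BENIGN}).items():
        print(name, "->", hits or "clean")
```

Any non-empty hit list warrants quarantine until the document is examined, since legitimate business correspondence in this sector has little reason to embed Equation Editor objects; the hex normalisation matters because RTF tolerates arbitrary whitespace inside `\objdata`, which simple string matching on the raw file would miss.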
There is no doubt that someone has targeted the naval industry in Italy, perhaps in the wake of what is happening all over the world. What is certain is that the cyber criminals are human beings: experienced, trained and motivated professionals
As a result, as evidenced by the elements discovered by the Yoroi-Fincantieri cyberforce, there is no doubt that someone is targeting the Italian naval industry, probably in the wake of what is happening globally. The sector is in fact increasingly hit by cyber attacks, particularly in the field of shipping and infrastructure. Moreover, these are not opportunistic or automatically generated attacks, but ad hoc campaigns studied and launched by human beings. This is confirmed by the care taken over the baits, the counterfeit domains and the construction of fake websites, not to mention the technical language in the emails, which no software is able to replicate. Furthermore, its syntactic and grammatical correctness, together with the fluid strategy adopted, suggests that the attackers are experienced, trained and motivated professionals. The threat, therefore, is not only concrete but also very dangerous.