'Gold galleon' hackers target shipping industry

Crooks tried to steal more than $3 million from the shipping industry.

Hackers have been targeting shipping companies in a series of attacks over the past year, according to new research from Dell SecureWorks' Counter Threat Unit, presented at the RSA Conference this week.

Dell SecureWorks has dubbed the group Gold Galleon. It has solely targeted the global maritime shipping industry, which the researchers attribute to the sector's relative lack of IT security and security awareness.

Between June 2017 and January 2018, the group orchestrated a series of attacks, taking advantage of weak security mechanisms and legacy IT systems, according to Dell SecureWorks.

The attackers attempted to steal an estimated $3.9 million from a range of companies, including ship management providers and port administrators.

SecureWorks researcher James Bettke, who uncovered the hacking group, said the attackers chose to target the shipping industry because it is a global business that relies heavily on email to coordinate deals and payments, leaving it vulnerable to phishing.


In an interview with ThreatPost, he said that the hackers were able to launch the attacks as a result of a "lack of security". Bettke called the situation "a perfect storm" for the attackers.

Overall, it is thought that around 20 cyber criminals were involved in the attacks, which Dell SecureWorks traced to Nigeria.

This particular hacking organisation identified targets by searching for information available in the public domain, such as company websites.

Bettke said the problem comes down to the fact that many companies in this industry fail to take security seriously, believing that they are not at risk of attack.

He continued: "Many shipping companies that are very small are not worried about security - they don't have two-factor authentication and are running Windows XP.

"The second piece is that many of these small companies are doing international business and communicating primarily with email, so it's hard to know if someone is being impersonated."

The Gold Galleon group used a range of techniques to scrape shipping company email addresses, before peppering them with phishing emails intended to compromise their targets' PCs.

Dell SecureWorks claims that the group is relatively unsophisticated at a technical level, but more advanced in terms of social engineering techniques.

"Gold Galleon displays similar tradecraft to other Nigerian-based BEC groups... The group follows a common operational pattern, often relying on low-tier, free, or inexpensive tools," warn the researchers in a report released to coincide with the RSA Conference presentation.

It continues: "What it lacks in technical prowess is made up for in social engineering, agility, and persistence. Despite technical challenges and minimal investments in cybercrime tools, infrastructure, and automation, the group's profit margins are orders of magnitude greater than its initial investment."

The report added: "Tools deployed by Gold Galleon include the Predator Pain, PonyStealer, Agent Tesla and Hawkeye keyloggers. All of the malware leveraged by Gold Galleon is readily available from online hacking markets."

The aim of the attacks is to gather sufficient information in order to intervene in a legitimate transaction.

"Once the Gold Galleon crew compromises the business email accounts of a company's employees, crewmembers monitor the employees' inboxes to identify emails for ongoing business transactions.

"In a typical BEC scam an attacker compromises a seller's email account to position themselves as a 'man-in-the-middle' between the seller and a buyer in an existing business transaction. The threat actor then uses their control of the seller's account to passively monitor the transaction.

"When it is time for payment details to be relayed to the buyer via an invoice, the threat actor intercepts the seller's email and changes the destination bank account on the invoice to the attacker's money mule account. If the revised payment account does not appear to be suspicious, the buyer will likely submit the payment."
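The account swap described above is what a payment-verification control has to catch: the invoice arrives from the vendor's real, compromised mailbox, so sender checks alone will not flag it. As an added example (not code from SecureWorks or from this article), the Python below scans the messages of an invoice thread for bank account numbers, validates them with the standard IBAN mod-97 check, and flags any account that differs from the one on file for the vendor, as well as a Reply-To header that points away from the vendor's domain. The vendor domain, the account on file, the IBAN values and the two messages are constructed for illustration.

```python
"""Flag invoice e-mails whose payment account differs from the vendor's
known account, or whose headers suggest the thread is being hijacked.

Constructed example: vendor records, IBANs and messages below are made up
for illustration and do not come from any real transaction.
"""
import re
from dataclasses import dataclass

# Loose IBAN shape: country code, two check digits, then alphanumerics,
# optionally grouped in blocks of four as people type them in e-mail.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}\s?[A-Z0-9]{1,4}\b")

# Known vendor payment details keyed by sender domain (constructed data;
# in practice this comes from the ERP / vendor master file, not from e-mail).
VENDOR_ACCOUNTS = {
    "shipsupply.example": "DE89370400440532013000",
}


def normalize_iban(raw: str) -> str:
    return re.sub(r"\s+", "", raw).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate the first four characters to the end,
    map letters A..Z to 10..35, and the resulting integer mod 97 must be 1."""
    rotated = iban[4:] + iban[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rotated)
    return int(digits) % 97 == 1


def extract_ibans(text: str) -> list[str]:
    return [normalize_iban(m.group(0)) for m in IBAN_RE.finditer(text)]


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class Email:
    sender: str      # address in From:
    reply_to: str    # address in Reply-To: (same as sender if the header is absent)
    subject: str
    body: str


def review_invoice(mail: Email, vendor_accounts=VENDOR_ACCOUNTS) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    domain = sender_domain(mail.sender)
    known = vendor_accounts.get(domain)

    # A Reply-To on another domain diverts the buyer's questions (and any
    # "please confirm" replies) away from the real vendor mailbox.
    reply_domain = sender_domain(mail.reply_to)
    if reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from sender domain {domain!r}")

    for iban in extract_ibans(mail.body):
        if not iban_checksum_ok(iban):
            findings.append(f"account {iban} fails IBAN checksum")
        elif known is None:
            findings.append(f"no account on file for {domain}; {iban} must be verified out of band")
        elif iban != known:
            findings.append(f"payment account changed from {known} to {iban}; confirm by phone before paying")
    return findings


# Constructed messages standing in for one transaction thread. The second one
# is sent from the vendor's genuine (compromised) address, as in the attacks
# described above, with only the Reply-To and the account number altered.
THREAD = [
    Email("accounts@shipsupply.example", "accounts@shipsupply.example",
          "Invoice 4471 - bunker delivery",
          "Please remit EUR 184,200 to IBAN DE89 3704 0044 0532 0130 00 within 30 days."),
    Email("accounts@shipsupply.example", "accounts@shipsupply-finance.example",
          "RE: Invoice 4471 - updated bank details",
          "Our bank is under audit. Kindly use our new account GB82 WEST 1234 5698 7654 32 for this payment."),
]


def review_thread(thread=THREAD) -> dict[str, list[str]]:
    return {m.subject: review_invoice(m) for m in thread}


if __name__ == "__main__":
    for subject, findings in review_thread().items():
        print(subject, "->", findings or ["ok"])
```

The first message matches the account on file and produces no findings; the second is flagged twice, once for the changed account and once for the foreign Reply-To domain. The check is only as good as the vendor master data it compares against, so a flagged change should be confirmed with the vendor over a channel the attacker does not control, such as a phone number already on file rather than one given in the e-mail.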