The Marine Transportation System (MTS) continues to be a target of increasingly sophisticated malicious email spoofing techniques. In September, 2020, the Coast Guard published Marine Safety Information Bulletin 19-20, highlighting malicious email spoofing events targeting the MTS. Building on those attack methods, advanced cybercriminals are registering domains with deliberately misspelled names of company websites and using them to launch spear-phishing attacks. These events have been analyzed and investigated, and the following are recommendations for MTS stakeholders:
Domain-Based Message Authentication Reporting and Conformance (DMARC)
It is strongly recommended that organizations implement DMARC to help ensure all emails that appear to come from official sources pass the Sender Policy Framework/Domain Keys Identified Mail (SPF/DKIM) checks to confirm origin. DMARC is designed to fit into an organization’s existing inbound email authentication process and protect against direct domain spoofing. It allows a sender to indicate that their messages are protected by SPF and/or DKIM, and it tells a receiver what to do if neither of those authentication methods passes. For more information on DMARC please visit https://DMARC.org.
Organizations should implement email greylisting as a method for reducing potentially malicious spam. Greylisting will initially block any email from an unknown sender and return a temporary SMTP error code informing the sending server the email was temporarily rejected. A legitimate SMTP server will try resending the email after a period of time, whereas a typical spamming server will not attempt to resend. If the sending server resends the email within the specified time limit then it will be treated as legitimate and accepted.
User Awareness and Training
Employee awareness and engagement is key to effective cybersecurity protection. It is strongly recommended that organizations implement Information Technology (IT) Security Awareness training programs in accordance with National Institute of Standards and Technology Special Publication 800-50, ISO 27001 or similar standards, and per guidance set forth in Navigation and Vessel Inspection Circular (NVIC) 01-20: Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities to meet this objective.
As always, any potential threat to the cybersecurity of your unit, vessel, or facility should be taken seriously. Breaches of Security or Suspicious Activities resulting from cyber incidents shall be reported to the National Response Center at 1-800-424-8802. Consider also reporting the event to your local Coast Guard Captain of the Port or the Coast Guard Cyber Command 24×7 watch at 202-372-2904 or CyberWatch@uscg.mil. Your willingness to comply and report in a timely manner helps the U.S. respond quickly and effectively and makes the maritime critical infrastructure more secure.
See the Maritime Commons Blog for more detail: Recommendations for fending off malicious email attacks.