Cyber-Enabled Maritime Sanctions Evasion

MITRE Techniques

• [T1583.001 ] Acquire Infrastructure: Domains – Threat actors registered and used multiple fake maritime domains to support sanctions evasion and impersonation (‘over 36 inauthentic websites’; ‘domain registration patterns’).
• [T1583.006 ] Acquire Infrastructure: Web Services – The infrastructure was hosted across web services and IP ranges to support reusable fake organizations (‘different hosting arrangements’; ‘co-hosted on 159.198.36.123’).
• [T1036.005 ] Masquerading: Match Legitimate Resource Name or Location – Websites impersonated real maritime administrations, registries, classification societies, and training bodies (‘impersonating the Benin Maritime Administration’; ‘masquerading as a classification society’).
• [T1036.003 ] Masquerading: Rename System Utilities or Files – Fraudulent websites reused legitimate-looking names and document templates to appear official (‘reusing document templates’; ‘claimed to be associated with multiple jurisdictions’).
• [T1001.001 ] Data Obfuscation: Junk Data – QR codes and layered website structures were used to complicate verification and enforcement (‘QR codes very likely facilitate the presentation and verification of documents’).
• [T1056.004 ] Input Capture: Credential API Hooking – The article does not describe credential capture, but it does mention login panels and queryable databases that could support credential harvesting (‘login pages’; ‘queryable database of certificates’).
• [T1132.001 ] Data Encoding: Standard Encoding – QR codes were generated to encode links to fraudulent PDF documents (‘The app also generates QR codes linking to the PDF files’).
• [T1568.002 ] Dynamic Resolution: Domain Generation Algorithms – Not explicitly stated, but the reuse of multiple domain variants and subdomains suggests dynamic-style infrastructure management (‘beninmaritime[.]org’, ‘beninmaritime[.]co’, ‘beninmaritime[.]net’).