Critical infrastructure
Mining, Oil & Gas
News
Risk & Compliance
Vendors

Hackers are still active in oil and gas supply chain, says DeNexus

March 05, 2021
oil and gas supply chain

Researchers from DeNexus have discovered around three campaigns in the wild that are adopting the same or matching spear phishing email templates. The campaigns were first spotted during investigations of targeted attacks on the oil and gas supply chain industries in the Middle East.

Headquartered in California, DeNexus delivers cyber risk modeling for industrial networks. It discovered additional details of the attack, and identified new victims of the threat actor. The firm also confirmed that the campaigns carried out have evolved over time, and the threat actor is still active with more campaigns.

“We currently know that the threat actor is trying to collect information from the targeted companies and much of the time uses information stealers as final payloads,” DeNexus said in a statement on Wednesday. “In most cases, the threat actor is using AgentTesla malware as the information stealer. It was found that seven industrial companies were compromised and ten more were targeted located in Middle East, APAC, Europe and North America.”

The evolving threat landscape has led to changes in the malware distribution strategy. More recent campaigns use an email with a PDF attachment, which contains a link to a ZIP file hosted on a server controlled by the hacker, or in a third-party file hosting service, DeNexus said.

Apart from modifying distribution methods, the nature of the spear phishing campaigns have also become more sophisticated. The hacker can now register a domain like the original victim’s domain, victim’s trusted partner, or supplier in order to make the email look even more real.

A report released by Zscaler last September detailed the targeted cyber attack on oil and gas supply chain industries in the Middle East. It warned users to be cautious when receiving emails out of the blue, even if those emails appear to be related to something that they could be interested in, such as a legal tender for a project that might appear relevant. Given the approach used by these hackers, it recommended that users ‘always be wary of links embedded inside file formats such as PDF since these links could lead to download of malicious files on your system.’

“Changes in the behavior of attackers indicate that they need to reduce the level of detection of their malicious actions at the first stages of attacks. It is very important to track the evolution of such behavior in order to increase protection and timely assess the damage from such cyber attacks,” said Markel Picado, DeNexus’ malware analyst and threat hunter.

Data released last week from IBM Security X-Force disclosed that data theft and leak emerged as the top attack type for the energy sector, accounting for 35 percent of all attacks in this sector, and underscoring the threat from information-stealing malware and phishing attacks. Many of these attacks were against oil and gas companies in particular, it added.

Throughout 2020, industrial cybersecurity firm Dragos identified new EKANS activity targeting multiple verticals including electric, oil and gas, medical, pharmaceutical manufacturing, and automotive.

In March, the Parasite threat group leveraged Citrix vulnerability CVE-2019-19781 in intrusions targeting North American electric and oil and gas entities, according to Dragos. This was worrisome as the Parisite group conducts initial access operations potentially enabling future disruptive operations associated with Magnallium group, which exemplifies the critical need to track any groups that tried to access ICS (industrial control systems) through IT networks, it added.

Last April, Bitdefender researchers stumbled upon two spearphishing campaigns that either impersonated an Egyptian engineering contractor or a shipment company, and dropped the Agent Tesla spyware trojan. The malware collects sensitive information and different types of credentials and sends them back to the command and control (C&C) server. The oil and gas supply chain was already under considerable strain at the time, as the global COVID-19 pandemic lowered oil demand.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems