Features
Industrial Cyber Attacks
Mining, Oil & Gas
Reports

Spearphishing potential to disrupt the oil and gas vertical

April 23, 2020
spearphishing oil and gas

Bitdefender’s assessment of two recent spearphishing campaigns highlights the growing risk of cybersecurity violations for companies along the oil and gas vertical. Cyberattacks on critical infrastructure, particularly the energy industry are trending upward at a time when oil and gas operators are already under strain because of market volatility

The oil and gas industry is in a state of turmoil, with prices for some benchmark grades of crude sinking below zero and the coronavirus pandemic making a mockery of all attempts to balance supply and demand. But these aren’t the only developments that have disrupted the sector lately. Oil and gas firms – and their contractors – are being targeted in spearphishing campaigns that have the potential to disrupt operations all the way down the vertical supply chain.

[optin-monster-shortcode id=”dv4jqlr9fih8giagcylw”]

 

Bitdefender outlined the problem in a blog post dated April 21. It explained that its researchers had collected evidence from two initiatives that specifically targeted the oil and gas industry:

[We] recently found a campaign that seems to specifically target the oil & gas sector, based on a telemetry spike on March 31st. Interestingly, the payload is a spyware Trojan that packs keylogging capabilities, and has not been associated with oil & gas spearphishing campaigns in the past.

The second campaign that impersonated a shipping company seems to have started on April 12 and targeted only a handful of shipping companies based in the Philippines over the course of two days.

The oil and gas vertical was targeted in two separate campaigns

The first campaign consisted of email messages sent out on March 31, ostensibly for the purpose of inviting recipients to submit bids to Engineering for Petroleum and Process Industries (Enppi), a state-owned Egyptian company, for an equipment and materials supply contract. The recipients of these messages included upstream oil and gas operators, as well as manufacturers and other companies that have provided services to the energy industry.

The messages included attachments that were said to contain specifications and other documentation related to the bidding process. These .zip attachments did include apparently valid documents, but they also served as a delivery path for the Agent Tesla spyware Trojan.

The second campaign appears to have focused on a narrower range of companies, including 15 marine operators based in the Philippines. It was launched on April 12 and consisted of email messages that instructed recipients to provide details on the Estimated Port Disbursement Account (EPDA) and container flow management (CFM) plan for the MT Sinar Maluku, an Indonesian-registered oil/chemical tanker.

As in the first campaign, these messages included attachments that appeared to contain legitimate documentation. Likewise, the documents were delivered in a .zip archive that contained the same type of malware.

Specific details made these spearphishing messages look legitimate

Bitdefender pointed out that neither campaign was particularly extensive. The first campaign saw the number of malicious reports peak at just 107 on March 31, and the second garnered only 18 reports on April 13, it noted.

It also pointed out, though, that both campaigns were notable for their careful use of the names of established companies, ongoing projects, official-looking documentation, and industry jargon. “While the number of reports may be low, the construction of the messages and the jargon used do show the attackers have a clear understanding of their victim’s profile and use relevant language and information to seem believable and trick the victim into opening the rigged attachment,” it said.

In other words, these spearphishing messages stand out because they do not take a scattershot approach. Instead, they feature multiple details that were purposely selected to make them seem legitimate – and even routine – to industry insiders.

These details indicate that the originators are both knowledgeable about the industry they are targeting and willing to go to great lengths to “get their facts straight, make the email seem legitimate, and specifically target a vertical,” Bitdefender said.

Cyberattacks are increasing at a time of increased volatility on oil markets

It also pointed out that these campaigns occurred at a time when the number of cyberattacks on companies involved in the oil and gas vertical was trending upward.

This trend, it said, emerged last October, when the number of malicious reports was less than 3,000. It has gained steam since the beginning of this year, and its peak came in February, when the number of reports topped 5,000. But cyberattackers did remain active in March, when the number exceeded 4,500.

Bitdefender noted that the upswing had occurred during a period of significant volatility on world crude oil markets and speculated that this was not a coincidence. “[Cybercriminals] seem to have taken a keen interest in this vertical, perhaps as it has become more important and strategic after recent oil price fluctuations,” it commented.

If so, there is a very real possibility that the number of malicious reports will be higher than ever before this month. April has been very volatile indeed for the energy industry, with front-month prices for WTI futures contracts dropping from the $25-30 range in the first week of the month to an unprecedented low of -$37.63.

With the market in such a precarious state, energy companies and their contractors may become an even more enticing target – and a rise in the number of spearphishing attacks has the potential to cause disruption all the way down the oil and gas vertical.

The stakes are high for oil and gas companies

This would be unfortunate, as the industry can ill afford to absorb any of the losses and complications that could follow a cyberattack.

On the one hand, many upstream operators and oilfield service providers have already seen their finances crumble this year as a result of the coronavirus pandemic, which has spurred a drop in prices, perceptions of market oversupply and uncertainty about when energy demand might recover. For companies teetering on the edge, a successful spearphishing attack might just turn out to be the straw that breaks the camel’s back.

On the other hand, the more fortunate players in the industry now have more to lose. Current market conditions have actually benefitted the operators of tankers, such as the MT Sinar Maluku referenced above, by creating incentives for the use of marine vessels as floating storage. If their recent successes draw the attention of cybercriminals, they may have difficulty meeting the needs of producers and traders who need paces to put their extra barrels, and this would only exacerbate concerns about a supply glut.

Under these circumstances, oil and gas companies and their contractors ought to review their cybersecurity arrangements – and take the time and effort to improve their defenses. Even if the spearphishing campaigns described by Bitdefender are relatively small in scope, they demonstrate the potential for large amounts of disruption in a crucial sector of the economy that is already in turmoil.

Jennifer DeLay Iacullo
Jennifer DeLay Iacullo is a freelance writer specializing in global oil, gas, and power engineering topics. She has covered the energy industry of the former Soviet Union, China, Africa, Latin America and North America for more than 20 years. She lives in Atlanta with her family.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
Forescout discloses Connect:fun exploitation campaign targeting organizations using Fortinet's FortiClient EMS
Forescout discloses Connect:fun exploitation campaign targeting organizations using Fortinet’s FortiClient EMS
Proposed CIRCIA rule boosts cyber threat understanding, early detection of adversary campaigns, offers coordinated actions
Proposed CIRCIA rule boosts cyber threat understanding, early detection of adversary campaigns, offers coordinated actions
The Takepoint Research report indicates a significant shift towards adopting the Zero Trust model in OT, with 72% of professionals integrating it to boost security and efficiency. It highlights secure remote access as a key application, aligning with goals to reduce risk and enhance operations. Moreover, it points out the need for collaborative efforts across organizational roles to implement Zero Trust effectively, aiming to improve productivity and security.
Xage-Takepoint Research report reveals growing adoption of zero trust security in industrial enterprises
New JRC-ENISA report enhances cybersecurity standards alignment through CRA requirements mapping
New JRC-ENISA report enhances cybersecurity standards alignment through CRA requirements mapping
CSRB reports Microsoft Exchange breach by Storm-0558, urges security reforms following espionage incident
CSRB reports Microsoft Exchange breach by Storm-0558, urges security reforms following espionage incident