The energy sector was having problems before the global pandemic, but the spread of COVID-19 has only exacerbated the industry's issues. Oil companies have always been a logical target for attackers. When times are good, these companies are flush with cash, so ransomware attacks against them are highly profitable. The structure of the industry increases its exposure as well: the energy sector is an intricate web of sites, contractors and subcontractors that share networks.
As a result, workers are accustomed to dealing with strangers and are therefore less guarded. Such a dynamic and fluctuating workforce also makes consistent cybersecurity training nearly impossible. What's more, the world's fixed dependence on energy gives attackers the opportunity to create huge disruptions on a global scale.
Oil companies, of course, are not the only ones in a cash crunch. Many companies are seeing their cash reserves dwindle as a result of shelter-in-place orders. But while ransomware attacks are decreasing as fewer companies are able to pay, cyberattacks have not stopped. Since September, the number of attacks targeting the energy sector has increased every month, with more than 13,000 attacks so far this year.
Attackers are kicking the industry while it is down, not for money but for espionage. On April 1, 2020, an Algeria-based petroleum company was victimized by a ransomware group that stole 500 MB of confidential documents relating to budgets, company strategy, production quantities and other sensitive and proprietary information. Earlier this year, a state-sponsored hacking group targeted a number of oil and gas companies as part of a large-scale campaign. These and other incidents appear to be state sponsored, as countries turn to cyber espionage to further their political, economic and national security goals. Ironically, some of the oil-producing states themselves may be behind the attacks, in an attempt to gain information that can be used in OPEC negotiations.
Most of the recent attacks on the oil and gas industry use phishing and spear-phishing techniques. In many cases, the goal is to trick users into opening a link or document that then installs a Trojan called Agent Tesla.
Agent Tesla is spyware that collects and steals information from the victim's machine by capturing keystrokes, taking screenshots and dumping saved browser passwords. Once captured, the information is sent back to an SMTP server controlled by the attackers. Cybersecurity researchers have seen a surge in its use throughout the COVID-19 crisis.
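Because Agent Tesla mails the stolen data to an attacker-controlled SMTP server, a workstation that opens SMTP sessions straight to the Internet is a strong signal, since in most networks only the mail relay should do that. The following detection script is an added example written for this article; it is not code from TitanHQ or from any Agent Tesla analysis. It assumes a simplified firewall connection log layout (timestamp, source, destination, port, protocol, action), an internal address range of 10.0.0.0/8 and two approved relay addresses; the log lines are constructed for the example.

```python
"""Flag internal hosts that talk SMTP to external servers without being an approved relay.

Assumptions (not from the original article):
  - firewall log fields: <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>
  - internal address space is 10.0.0.0/8
  - only APPROVED_RELAYS may send mail outbound
"""
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}                      # SMTP, SMTPS, submission
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_RELAYS = {"10.0.5.10", "10.0.5.11"}     # hypothetical corporate mail relays

# Constructed sample log: one relay session, one workstation beaconing three times
# to an external SMTP submission port, one normal client-to-relay session, one HTTPS
# session, and one blocked attempt from a second workstation.
SAMPLE_LOG = """\
2020-04-02T09:14:01Z 10.0.5.10 203.0.113.25 25 tcp allow
2020-04-02T09:15:22Z 10.0.21.44 198.51.100.7 587 tcp allow
2020-04-02T09:15:40Z 10.0.21.44 198.51.100.7 587 tcp allow
2020-04-02T09:16:03Z 10.0.21.44 198.51.100.7 587 tcp allow
2020-04-02T09:17:11Z 10.0.33.9 10.0.5.10 25 tcp allow
2020-04-02T09:18:45Z 10.0.21.44 93.184.216.34 443 tcp allow
2020-04-02T09:19:02Z 10.0.40.12 198.51.100.7 465 tcp deny
"""


def is_internal(ip_str):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, src, dst, dport, proto, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action}


def find_smtp_exfil(log_text, approved_relays=APPROVED_RELAYS):
    """Return {src_ip: [(dst_ip, dst_port, action), ...]} for every internal host
    that opened SMTP sessions to an external address without being a relay.
    Denied sessions are kept: a blocked attempt still means the host tried."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] != "tcp" or ev["dport"] not in SMTP_PORTS:
            continue
        if ev["src"] in approved_relays:
            continue                      # the relay is supposed to do this
        if not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue                      # client submitting to the internal relay is normal
        hits[ev["src"]].append((ev["dst"], ev["dport"], ev["action"]))
    return dict(hits)


if __name__ == "__main__":
    for host, sessions in find_smtp_exfil(SAMPLE_LOG).items():
        print(f"{host}: {len(sessions)} unapproved outbound SMTP session(s)")
        for dst, port, action in sessions:
            print(f"    -> {dst}:{port} ({action})")
```

Run against real firewall or NetFlow exports, the same logic is a cheap hunt: any hit deserves a look at the sending host for the Agent Tesla dropper and for credential-stuffed SMTP traffic, and the destination server is a candidate for blocking. Relay whitelisting is the part that needs local tuning, since every environment has its own legitimate senders (monitoring appliances, printers, ticketing systems).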
Agent Tesla has been hiding in plain sight since 2014. Brian Krebs reported on it in 2018. According to Krebs, "…the Agent Tesla Web site and its 24/7 technical support channel (offered via Discord) is replete with instances of support personnel instructing users on ways to evade antivirus software detection, use software vulnerabilities to deploy the product, and secretly bundle the program inside of other file types, such as images, text, audio and even Microsoft Office files."
As we know, phishing attacks are becoming increasingly sophisticated. Many are no longer characterized by misspellings and bad grammar, and their lures are far more realistic and enticing. For instance, many of the attacks launched against the energy sector are built around discount opportunities that companies can take advantage of during these financially difficult times, such as pre-purchasing supplies.
It is this attention to detail and industry specifics that has cybersecurity professionals concerned. One such spear-phishing campaign that delivered Agent Tesla took place between March 31 and April 12. The purported sender invited recipients to submit bids for equipment and materials as part of a real gas venture project half-owned by an Egyptian state oil company. The email was sent to more than 150 oil and gas companies, mostly located in Malaysia, the United States, South Africa and Iran.
Another phishing campaign in April appeared to originate from a shipping company and used legitimate information about a gas project in the Philippines. Only someone well versed in the oil industry could have crafted these emails, and the attention to detail convinced some recipients to open the attached document, which masqueraded as a formal bid proposal.
The growing frequency and sophistication of these attacks present a real threat to organizations in every industry sector. Attackers are using highly convincing techniques that the average user cannot readily identify. In addition, the surge in employees working remotely increases the exposure of these isolated users. How can we combat these recent threats?
Contact our cybersecurity specialists at TitanHQ to learn how you can better prepare your enterprise for the advanced email and web based cyberattacks of today.