The energy sector was having problems prior to the global pandemic, but the spread of COVID-19 has only exasperated the industries issues. Oil companies have always been a logical target for hackers. When times are good, these companies are flush with cash so ransomware attacks are highly profitable. The structure of the industry increases its vulnerability as well. The energy sector is an intricate web of sites, contractors and subcontractors that share networks.
As a result, workers are accustomed to working with strangers and therefore less guarded. Such a dynamic and fluctuating workforce also makes cybersecurity training nearly impossible. What’s more, the affixed dependency that the world has for energy gives hackers the opportunity to create huge disruptions on a global scale with their attacks
Cyberattacks are not always about Money
Oil companies of course are not the only ones in a cash crunch. A large number of companies are seeing their cash reserves dwindle as a result of sheltering in place strategies. But while ransomware attacks are on the decrease with so many companies lacking the ability to pay, it doesn’t mean that cyberattacks have stopped. Since September, the number of attacks targeting the energy sector has increased every month with more than 13,000 attacks so far this year.
Hackers are kicking the industry when they are down, not for money, but for espionage. On April 1, 2020, an Algerian based petroleum company was victimized by a ransomware group who stole 500 MB of confidential documents related to budgets, company strategies, production quantities and other sensitive and proprietary information. Earlier this year, a state sponsored hacking organization targeted a number of oil and gas companies as part of a large scale attack. These and other incidents appear to be state sponsored as countries turn to cyber espionage to further their political, economic and national security goals. Ironically, some of the oil producing companies themselves may be behind the attacks in an attempt to gain information that can be used in OPEC negotiations.
A Notorious Trojan named Agent Tesla
Most of the recent attacks on the oil and gas industries use phishing and spear-phishing techniques. In many cases, the goal is to trick users into clicking on a link or document that then launches a Trojan called Agent Tesla.
Agent Tesla is active spyware that collects and steals personal information from the victim’s machine by capturing keystrokes, taking screenshots and dumping browser passwords. Once captured, the information is then sent back to an SMTP server hosted by the attackers. Cybersecurity experts have seen a surge in its use throughout the COVID-19 crisis.
Agent Tesla has been hiding in plain sight for years. Brian Krebs reported on it in 2014. According to Krebs, “…the Agent Tesla Web site and its 24/7 technical support channel (offered via Discord) is replete with instances of support personnel instructing users on ways to evade antivirus software detection, use software vulnerabilities to deploy the product, and secretly bundle the program inside of other file types, such as images, text, audio and even Microsoft Office files.”
Phishing Attacks Show Great Attention to Detail
As we know phishing attacks are growing increasingly more sophisticated. Many phishing attacks are no longer characterized by incorrect spelling and bad grammar. The motives of these types of attacks are far more realistic and enticing too. For instance, many of the attacks launched against the energy sector are derived around discount opportunities for companies to take advantage of during these financially difficult times such as the pre-purchasing of supplies.
It is this attention to detail and industry specifics that has cybersecurity professionals concerned. One such spear-phishing campaign that incorporated Agent Tesla took place between March 31 and April 12. The supposed sender invited recipients to submit bid proposals for equipment and materials as part of an actual gas venture project half-owned by an Egyptian state oil company. The email was sent to more than 150 gas and oil companies, mostly located in Malaysia, the United States, South Africa and Iran.
Another phishing campaign in April appeared to be originated from a shipping company that used legitimate information concerning a gas project in the Philippines. Only someone well versed in the oil industry would have been able to craft these emails and the attention to detail convinced some recipients to click the attached document that masqueraded as a formal bid proposal.
Lessons we can Learn From These Attacks
The growing frequency and sophistication of these types of attacks present a real threat to organizations of all industry sectors. Hackers are utilizing highly complex attack techniques that cannot be readily identified by the average user. In addition, the surge of employees working remotely is increasing the vulnerability of these isolated users. How can we combat these recent threats:
- The growing sophistication of phishing attacks calls for a more sophisticated email security system such as SpamTitan, that includes advanced tools such as double antivirus protection and sandboxing. SpamTitan Cloud is also a vital additonal email security layer in protecting Office 365 from malware and zero day attacks.
- Because cyber attacks often have an email and web component, a powerful DNS based web filtering solution like WebTitan will provide complete protection from online threats such as viruses, malware, ransomware, phishing and comprehensive content filtering.
- The value of cybersecurity training for your employees is more important than ever as users are now finding themselves on their own working from remote workspaces.
- Due to the distributed nature of enterprises today, cloud based security systems are required in order to instantly scale security measures.
Contact our cybersecurity specialists at TitanHQ to learn how you can better prepare your enterprise for the advanced email and web based cyberattacks of today.