Oil and Gas Companies Targeted via Spear-Phishing and Vulnerability Exploitation Attacks

What exactly happened

• The first campaign used spam emails posing as Egyptian state oil company Enppi, targeting organizations in the United States, Malaysia, Iran, South Africa, Oman, and Turkey.
• The second campaign used spam emails posing to be from a shipment company and leveraged legitimate information about a chemical/oil tanker to target organizations in the Philippines.

Other recent attacks on Oil companies

• On April 1st, 2020, Groupement Berkine, the Algeria-based Petroleum products company, was targeted by the notorious Maze ransomware group, stealing over 500MB of confidential documents related to budgets, organizational strategies, production quantities, and similar sensitive data.
• Between January 20 and March 11, the state-sponsored APT41 group targeted 75 customers located all over the globe, which included several oil and gas companies.

Quick statistics

• As per a report from Bitdefender, since October 2019, the cyberattacks on the energy sector, and specifically oil and gas have been increasing steadily on a monthly basis.
• Cyberattacks on the energy sector worldwide have gradually increased from around 2500 malicious attacks in Sept 2019 to as high as 5000 attacks in Feb 2020.

Characteristics of the attacks

• Usually, cyberattackers prefer targeting the vulnerabilities in industrial control systems (ICS) or other hardware or software applications, as happened in the case of APT41.
• The attacks involving Agent Tesla were carried out via spearphishing emails, a kind of social engineering attack.
• During the COVID-19 epidemic era, the oil and gas companies are forced to switch to remote access connectivity to maintain their operations. This exposure might be the reason they are becoming easy targets of cyberattacks.