Oil and Gas Companies Targeted via Spear-Phishing and Vulnerability Exploitation Attacks

Two new Agent Tesla malware campaigns have recently been observed targeting oil and gas companies in a large number of countries, posing a threat to the sector globally.

What exactly happened

Two different spear-phishing campaigns were launched between March 31 and April 12, 2020, delivering the "Agent Tesla" spyware trojan.
  • The first campaign used spam emails posing as Egyptian state oil company Enppi, targeting organizations in the United States, Malaysia, Iran, South Africa, Oman, and Turkey.
  • The second campaign used spam emails purporting to be from a shipment company and leveraged legitimate information about a chemical/oil tanker to target organizations in the Philippines.

Other recent attacks on Oil companies

Besides the attacks described above, the sector also saw other incidents, such as:
  • On April 1st, 2020, Groupement Berkine, the Algeria-based petroleum products company, was targeted by the notorious Maze ransomware group, which stole over 500MB of confidential documents related to budgets, organizational strategies, production quantities, and similar sensitive data.
  • Between January 20 and March 11, the state-sponsored APT41 group targeted 75 customers located all over the globe, which included several oil and gas companies.

Quick statistics

Here are some statistics on these cyberattacks.
  • According to a report from Bitdefender, cyberattacks on the energy sector, and specifically on oil and gas, have been increasing steadily on a monthly basis since October 2019.
  • Cyberattacks on the energy sector worldwide have gradually increased from around 2500 malicious attacks in Sept 2019 to as high as 5000 attacks in Feb 2020.

Characteristics of the attacks

These attacks had the following distinctive characteristics:
  • Usually, attackers prefer targeting vulnerabilities in industrial control systems (ICS) or in other hardware or software applications, as happened in the case of APT41.
  • The attacks involving Agent Tesla were carried out via spear-phishing emails, a kind of social engineering attack.
  • During the COVID-19 epidemic, oil and gas companies are being forced to switch to remote access connectivity to maintain their operations. This exposure might be the reason they are becoming easy targets of cyberattacks.