Ccybercriminals have not spared any industrial sector during the pandemic. Especially, hackers are attacking the oil and gas industry with spearphishing campaigns.
What’s going on?
- On April 10, 2020, Russia and the Organization of the Petroleum Exporting Countries (OPEC+) alliance signed an agreement with G20 to address the rising oil prices.
- While Saudi Arabia and Russia are settling their disputes over the fuel prices in an attempt to uphold the declining market, threat actors are leaving no stones unturned to deface the oil industry.
- Two massive spearphishing campaigns affecting oil and gas companies, one in late March and another in early April, were identified by security researchers.
- Researchers noted that the spearphishing emails in these campaigns were meticulously crafted without any errors so as to appear completely legitimate to the unsuspecting victims.
A closer look at the spearphishing attempts
On March 31, 2020, hackers posed as the Egyptian oil company, Engineering for the Petroleum and Process Industries (ENPPI), to send fraudulent emails representing a government-led deep-sea drilling and natural gas production company, Burullus.
- The emails were an official invitation to the targets for submitting a firm bid as part of the Rosetta Sharing Facilities Project.
- The email body enclosed two zip-type attachments that were rigged to install the malicious Agent Tesla spyware trojan payloads once the user opened them.
The second spearphishing attempt was witnessed on April 12, 2020, when a high-profile employee of a Philippines-based oil company received an official email regarding an unsettled Estimated Port Disbursement Account (EPDA).
- The recipient was asked for additional information on tanker operations such as the container flow information (CFM) for an oil tanker, Mt. Sinar Maluku.
- This email also contained the Agent Tesla spyware payload in the form of a WinRAR archive, which carried a Tesla-infected executable.
Oil and Gas in the cross hairs before COVID-19
The oil and gas industry has been impacted long before the COVID-19 pandemic. Below are some of the noteworthy spearphishing attacks that took place prior to the arrival of this deadly disease.
- In 2019, a threat group called LYCEUM circulated several spearphishing emails containing DanBot malware among the high-profile targets in the oil and gas industry.
- A report by Aon, the insurance company, in 2018, revealed that a hydroelectric dam contractor lost control over the floodgate operations due to a spearphishing attack.
- According to a 2017 report, hackers managed to invade the power grid ops of several power facilities in Europe and the US.
What can be done?
- When emails look suspicious, one must scrutinize the actions mentioned in the email’s body before it compromises their company’s security.
- Employ a security solution to effectively block the malicious connections to attackers' command and control servers, before sanitizing your device.
- To ensure that the attachments enclosed in an email are legitimate, it is advised to open or execute them in a secure environment.