Bitdefender’s assessment of two recent spearphishing campaigns highlights the growing risk of cybersecurity violations for companies along the oil and gas vertical. Cyberattacks on critical infrastructure, particularly the energy industry, are trending upward at a time when oil and gas operators are already under strain because of market volatility.
The oil and gas industry is in a state of turmoil, with prices for some benchmark grades of crude sinking below zero and the coronavirus pandemic making a mockery of all attempts to balance supply and demand. But these aren’t the only developments that have disrupted the sector lately. Oil and gas firms – and their contractors – are being targeted in spearphishing campaigns that have the potential to disrupt operations all the way down the vertical supply chain.
Bitdefender outlined the problem in a blog post dated April 21. It explained that its researchers had collected evidence from two initiatives that specifically targeted the oil and gas industry:
[We] recently found a campaign that seems to specifically target the oil & gas sector, based on a telemetry spike on March 31st. Interestingly, the payload is a spyware Trojan that packs keylogging capabilities, and has not been associated with oil & gas spearphishing campaigns in the past.
The second campaign that impersonated a shipping company seems to have started on April 12 and targeted only a handful of shipping companies based in the Philippines over the course of two days.
The oil and gas vertical was targeted in two separate campaigns
The first campaign consisted of email messages sent out on March 31, ostensibly for the purpose of inviting recipients to submit bids to Engineering for Petroleum and Process Industries (Enppi), a state-owned Egyptian company, for an equipment and materials supply contract. The recipients of these messages included upstream oil and gas operators, as well as manufacturers and other companies that have provided services to the energy industry.
The messages included attachments that were said to contain specifications and other documentation related to the bidding process. These .zip attachments did include apparently valid documents, but they also served as a delivery path for the Agent Tesla spyware Trojan.
The second campaign appears to have focused on a narrower range of companies, including 15 marine operators based in the Philippines. It was launched on April 12 and consisted of email messages that instructed recipients to provide details on the Estimated Port Disbursement Account (EPDA) and container flow management (CFM) plan for the MT Sinar Maluku, an Indonesian-registered oil/chemical tanker.
As in the first campaign, these messages included attachments that appeared to contain legitimate documentation. Likewise, the documents were delivered in a .zip archive that contained the same type of malware.
Specific details made these spearphishing messages look legitimate
Bitdefender pointed out that neither campaign was particularly extensive. The first campaign saw the number of malicious reports peak at just 107 on March 31, and the second garnered only 18 reports on April 13, it noted.
It also pointed out, though, that both campaigns were notable for their careful use of the names of established companies, ongoing projects, official-looking documentation, and industry jargon. “While the number of reports may be low, the construction of the messages and the jargon used do show the attackers have a clear understanding of their victim’s profile and use relevant language and information to seem believable and trick the victim into opening the rigged attachment,” it said.
In other words, these spearphishing messages stand out because they do not take a scattershot approach. Instead, they feature multiple details that were purposely selected to make them seem legitimate – and even routine – to industry insiders.
These details indicate that the originators are both knowledgeable about the industry they are targeting and willing to go to great lengths to “get their facts straight, make the email seem legitimate, and specifically target a vertical,” Bitdefender said.
Cyberattacks are increasing at a time of increased volatility on oil markets
It also pointed out that these campaigns occurred at a time when the number of cyberattacks on companies involved in the oil and gas vertical was trending upward.
This trend, it said, emerged last October, when the number of malicious reports was less than 3,000. It has gained steam since the beginning of this year, and its peak came in February, when the number of reports topped 5,000. But cyberattackers did remain active in March, when the number exceeded 4,500.
Bitdefender noted that the upswing had occurred during a period of significant volatility on world crude oil markets and speculated that this was not a coincidence. “[Cybercriminals] seem to have taken a keen interest in this vertical, perhaps as it has become more important and strategic after recent oil price fluctuations,” it commented.
If so, there is a very real possibility that the number of malicious reports will be higher than ever before this month. April has been very volatile indeed for the energy industry, with front-month prices for WTI futures contracts dropping from the $25-30 range in the first week of the month to an unprecedented low of -$37.63.
With the market in such a precarious state, energy companies and their contractors may become an even more enticing target – and a rise in the number of spearphishing attacks has the potential to cause disruption all the way down the oil and gas vertical.
The stakes are high for oil and gas companies
This would be unfortunate, as the industry can ill afford to absorb any of the losses and complications that could follow a cyberattack.
On the one hand, many upstream operators and oilfield service providers have already seen their finances crumble this year as a result of the coronavirus pandemic, which has spurred a drop in prices, perceptions of market oversupply and uncertainty about when energy demand might recover. For companies teetering on the edge, a successful spearphishing attack might just turn out to be the straw that breaks the camel’s back.
On the other hand, the more fortunate players in the industry now have more to lose. Current market conditions have actually benefitted the operators of tankers, such as the MT Sinar Maluku referenced above, by creating incentives for the use of marine vessels as floating storage. If their recent successes draw the attention of cybercriminals, they may have difficulty meeting the needs of producers and traders who need places to put their extra barrels, and this would only exacerbate concerns about a supply glut.
Under these circumstances, oil and gas companies and their contractors ought to review their cybersecurity arrangements – and take the time and effort to improve their defenses. Even if the spearphishing campaigns described by Bitdefender are relatively small in scope, they demonstrate the potential for large amounts of disruption in a crucial sector of the economy that is already in turmoil.