Canadian Cyber Centre warns oil and gas sector of cyber threats originating in digital supply chain

(Updated Jun. 26, 2023, to add details of the Suncor cybersecurity incident)

The Canadian Centre for Cyber Security has warned its oil and gas sector that medium- to high-sophistication cyber threat hackers are likely to consider striking organizations indirectly by initially targeting the supply chain. The agency also expects an even chance that Canada’s oil and gas infrastructure would be affected by cyber activity against U.S. assets due to cross-border integration.

These adversaries target the supply chain to obtain commercially valuable intellectual property and information from suppliers about the target organization’s networks and OT (operational technology) and as an indirect route to access a target organization’s networks, the lead Canadian cybersecurity agency said in guidance published last week. “Large industrial asset operators, including those in oil and gas, depend on a diverse supply chain of products and services from laboratories, manufacturers, vendors, integrators, and contractors, as well as Internet, cloud, and managed service providers for daily operation, maintenance, modernization, and development of new capacity.”

The agency added that oil and gas OT asset operators’ dependence on the supply chain is a critical vulnerability that gives cyber actors inside information on and opportunities for access to otherwise protected IT and OT systems. “We assess that medium- and high-sophistication actors will almost certainly continue to target the supply chain for these purposes for the next 12 months and beyond.”

The guidance further assesses that financially motivated cybercrime, particularly business email compromise (BEC) and ransomware, is almost certainly the main cyber threat facing the Canadian oil and gas sector. Ransomware is almost certainly the primary cyber threat to the reliable supply of oil and gas to Canadians. It also warned that the oil and gas sector in Canada will very likely continue to be targeted by state-sponsored cyber espionage for commercial or economic reasons. At risk are proprietary trade secrets, research, and business and production plans.

“We assess that since the oil and gas sector is critical infrastructure, it is very likely a strategic target for state-sponsored cyber activity to project state power, especially in times of geopolitical tension,” the Canadian agency outlined. “We assess that the primary target for state-sponsored actors is very likely the operational technology (OT) networks that monitor and control the sectors’ large industrial assets. State-sponsored actors are almost certainly striving to improve their capability to sabotage the OT in critical infrastructure. We assess that it is very unlikely that a state-sponsored cyber actor would intentionally disrupt or damage the oil and gas infrastructure in Canada outside of hostilities.”

The document further added that the ‘most likely targets’ for cyber threat hackers intending to disrupt the supply of oil and gas in Canada are bottlenecks in the oil transmission and processing stages. Potential targets include the business and OT networks of large-diameter pipelines, transfer terminals, and major refining facilities.

Russia has repeatedly demonstrated intent to project power by deploying destructive cyber attacks against strategic critical infrastructure targets of its adversaries as geopolitical crises escalate, the guidance revealed. “The Cyber Centre is aware of efforts by Russian state-sponsored threat actors to compromise and establish persistence (i.e. pre-positioning) on the networks of Canadian and US critical infrastructure providers, including organizations in the oil and gas sector. We assess that Russian espionage, with the goal of pre-positioning on OT networks, will very likely continue.”

The agency also said that state-sponsored cyber threat actors are almost certainly continually improving their capability to conduct destructive or debilitating cyber activity against critical infrastructure (CI). “State-sponsored cyber threat actors also sometimes work with non-state cyber groups as a force multiplier to enhance their capabilities and to avoid direct attribution. The Cyber Centre is aware that Russia’s long-standing practice has been to coordinate with non-state actors to conduct cyber threat activity against Ukrainian and allies’ CI,” it added.

“The Cyber Centre notes that pre-built cyber tools and training in their use are becoming readily available via the Internet and we judge that there is an even chance that low-sophistication actors with the intent to disrupt the oil and gas sector could adopt these tools to mount a future successful sabotage attack,” the guidance outlined.

For example, there are OT-specific exploit modules in free cyber tools as well, such as the open-source Metasploit framework developed and released by researchers and security professionals for testing OT network defenses, the document said. “These tools are widely available to actors of all sophistication levels and include documentation and tutorials in their use.”

Additionally, the Cyber Centre is also aware of high-impact crimeware such as Trickbot, Qakbot, Dridex, etc., using the leaked commercial cyber tool Cobalt Strike to target large organizations and critical infrastructure in Canada. Both Metasploit and Cobalt Strike are in wide use by states and criminal groups to facilitate cyber espionage and ransomware activity. 

“In addition, a large illegal marketplace for cyber tools and services is greatly reducing the start-up time for cybercriminals and potentially other actors by enabling them to conduct more complex and sophisticated campaigns,” the guidance disclosed. “Many online marketplaces allow vendors to sell specialized cyber tools and services that users can purchase and use to commit cybercrime, including espionage, distributed denial of service (DDoS) attacks, and ransomware attacks, any of which could be used by actors intending to sabotage OT systems.”

The agency also said that it assesses that the wide availability of free, stolen, commercial, and criminal cyber capabilities and services is likely lowering the threshold of sophistication necessary to target and sabotage OT. 

“In the National Cyber Threat Assessment 2020, the Cyber Centre assessed that the development of commercial markets for cyber tools and talent has reduced the time it takes for cyber actors to build cyber capabilities. Some vendors are developing OT-specific capabilities for sale to clients,” the document said. “As more cyber actors gain access to commercial cyber tools, actors that are interested in sabotaging OT, but previously lacked the capability, can now more readily attempt this type of cyber threat activity. The proliferation of commercial tools also makes it more difficult to identify, attribute, and defend against this cyber threat activity.” 

The guidance evaluated that “although the threat to oil and gas from other actors is likely currently low, the inconsistent level of cyber security in connected OT devices, the global discoverability of devices on the Internet through OT-specific search engines, and the availability of free cyber tools will, in combination, likely increase the threat from low sophistication cyber actors in the near future.”

The Cyber Centre assesses that critical infrastructure, and especially the network-connected OT across critical infrastructure, is a strategic target for disruption or destruction by state-sponsored cyber actors in times of rising hostilities between states. “Energy, water, government, telecommunications, and finance sectors have been targeted over geopolitical disputes. Offensive cyber activity against oil and gas OT to deny essential products to a target country could be used to send intimidating messages about power and capability, delegitimize target governments, demoralize leaders and the public, degrade defences, and threaten a population’s health and safety,” it added.

The guidance also identifies that it is very unlikely that a state-sponsored cyber actor would intentionally disrupt or damage the oil and gas infrastructure in Canada outside of hostilities. It also warned that it is very likely that state actors are using the information gathered from cyber reconnaissance and espionage to develop access and additional capabilities that would allow them to sabotage the OT used in Canada’s CI sectors, including oil and gas.

The Cyber Centre assesses that state-sponsored cyber threat actors are almost certainly continually improving their capability to conduct destructive or debilitating cyber activity against CI. “We assess that the state-sponsored actors intending to disrupt the supply of oil and gas in Canada are likely to target supply bottlenecks in the product transmission and processing stages to maximize the effect. Potential targets for this activity could include large-diameter pipelines, marine terminals, and major refining facilities,” it added.

On Sunday, Canadian integrated energy company Suncor announced that it experienced a cyber security incident. “The company is taking measures and working with third-party experts to investigate and resolve the situation, and has notified appropriate authorities,” the company said in a media statement.

At this time, “we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation.” The company did not say which of its systems were affected in the attack, or who the likely adversaries behind the attack were.

However, Suncor did warn that “while we work to resolve the incident, some transactions with customers and suppliers may be impacted.”

Earlier this month, the agency urged Canadian organizations to be vigilant and prepared for potential disruptive cyber activity, based on public threats made by Russian-aligned malicious cyber actors. The advisory follows a February alert that previously warned Canadian organizations and critical infrastructure operators to be prepared for the possible disruption and defacement of websites by cyber threat actors aligned with Russian interests.
