The global oil and gas industry would have had a tough year even if the coronavirus had never surfaced; overproduction by the United States and a price war between Russia and Saudi Arabia might well have driven prices to record lows in 2020 anyway. But with the added complication of a halt to the majority of travel due to a pandemic, a barrel of oil briefly had a negative value in April as supply overwhelmed storage capacity. Oil price fluctuations continue, but as we have seen with other industries, hackers don’t give anyone a break during hard times and pounce on whatever opportunities are available. The oil and gas industry is currently fending off a major spyware campaign, notable for its use of highly targeted spear phishing attacks, during one of the toughest periods in its history.
The use of novel tools and the type of information that is being sought also indicate that sophisticated advanced persistent threat (APT) groups backed by a nation-state are the culprits, and that espionage is behind the sudden interest in this vertical. The hackers seem to want to know in advance what countries in the OPEC alliance and the Group of 20 nations are planning.
Spear phishing attacks focused on the oil and gas industry
This sophisticated campaign of spyware directed at the oil and gas industry is being tracked and reported on by Romanian cybersecurity firm BitDefender, led by senior analyst Liviu Arsene. The campaign is centered around impersonation of two well-known industry contractors that many international oil and gas industry companies regularly work with.
The attackers impersonate either Engineering for Petroleum and Process Industries (ENPPI), a major engineering contractor based in Egypt that has been in business for decades, or a shipping company whose identity has been kept private. The attacks that spoof ENPPI have been directed at a variety of targets around the world, while the fake shipping company emails were sent to specific businesses in the Philippines.
The spear phishing attack emails that purport to come from ENPPI all use the same standard format. They invite the recipients to bid on equipment and materials from the “Rosetta Sharing Facilities Project” run by the major Egyptian gas company Burullus. This was an actual project involving Burullus that was scheduled to be completed in late 2019. The BitDefender researchers mention that these spear phishing attacks are not strictly limited to oil and gas industry companies; related energy industry organizations, such as hydraulic plants and manufacturers of raw materials, have also been targeted in connection with this campaign.
The emails include what appear to be .ZIP files containing related documents, but are actually disguised .EXE files that deliver the Agent Tesla spyware when run. This spyware has been around since at least 2014, but the use of it in a targeted phishing campaign against oil and gas industry targets is novel. Agent Tesla is something of an “all-in-one” espionage package; once installed on a target system it logs keystrokes, takes screenshots, harvests credentials from certain installed applications, and forwards anything copied to the system clipboard to the attacker’s email address.
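A mail-gateway style check for the disguise described above, added here as an example and not taken from BitDefender's report. It assumes the disguise is a .zip name or ZIP content type on an attachment whose bytes begin with the Windows executable "MZ" header; the addresses, file name and sample message are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes ("magic numbers") of the two formats involved.
MAGIC = {"zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"), "exe": (b"MZ",)}
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

def sniff(data):
    """Classify a payload as 'zip', 'exe' or 'unknown' from its first bytes."""
    for kind, signatures in MAGIC.items():
        if data.startswith(signatures):
            return kind
    return "unknown"

def mismatched_attachments(raw_message):
    """Return (filename, actual_kind) for attachments that claim ZIP but are not."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        claims_zip = name.endswith(".zip") or part.get_content_type() in ZIP_TYPES
        actual = sniff(part.get_payload(decode=True) or b"")
        if claims_zip and actual != "zip":
            findings.append((name, actual))
    return findings

def build_sample(filename, payload):
    """Constructed test message: a bid invitation carrying one attachment."""
    m = EmailMessage()
    m["From"] = "bids@contractor.example"         # placeholder sender
    m["To"] = "procurement@recipient.example"     # placeholder recipient
    m["Subject"] = "Invitation to bid (constructed sample)"
    m.set_content("Please find the tender documents attached.")
    m.add_attachment(payload, maintype="application", subtype="zip",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60        # constructed stub, not real malware
    for name, kind in mismatched_attachments(build_sample("Tender_Documents.zip", fake_pe)):
        print(f"quarantine: {name} claims ZIP but content is {kind}")
```

A hit on "exe" is the case the article describes; "unknown" still merits review, since a file that claims to be an archive but is not one should not reach the user unopened.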
This spyware has a history of being spread through Microsoft Word documents that contain malicious macros, and is available on the open market via various dark web forums and sites. The group behind it essentially licenses it under a “software as a service” model and makes continual updates to it.
The spear phishing attack emails directed at companies in the Philippines also try to trick recipients into installing Agent Tesla, but they do so by asking for a response to a query about the movements of a chemical oil tanker. BitDefender noted that activity spiked on March 31, but there have been at least a handful of these attack attempts each day since then.
A nation-state spyware campaign?
The focus on delivering spyware indicates that the attackers want a glimpse into the future of oil prices and strategic moves. Some oil and gas industry companies are entirely (or at least partially) government-owned, but even the ones that are entirely private enterprises still have close government ties and likely handle confidential information on a regular basis.
Though the spyware delivery technique is somewhat blunt and there are no zero-day elements or particularly sophisticated methods in use in these spear phishing attacks, the use of industry terms and methods of communication indicates that the attackers have a strong familiarity with this somewhat fenced-off world.
The timing also indicates that whoever is behind the spear phishing attacks is interested in learning how various nations intend to respond to the historic OPEC alliance deal that was reached in mid-April, in which the world’s biggest producers reached an agreement to cut output. The most frequently attacked countries include Malaysia, Iran and the United States.
Dave Weinstein, Chief Security Officer at Claroty, warns that targeted spear phishing attacks are not just an oil and gas industry or government concern. A wide variety of industries should expect to see increased attention and novel approaches as the world continues to grapple with the coronavirus pandemic: “This is part of a growing threat against industrial organizations, including oil and gas companies, that rely heavily on remote access to maintain their operations. This reliance is even more pronounced in the era of COVID-19. Financially motivated hackers are taking notice and engaging in targeted spear phishing campaigns to compromise the accounts of those with privileged access for the purposes of stealing data or extorting operations with ransomware. Organizations must monitor all of their remote connections during this time of heightened risk and implement strict authentication controls to prevent compromised accounts from gaining access to operational technology (OT) networks.”