By Doug Rangi, OPSWAT
According to a recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy sector, including oil and gas, is facing a significant rise in cyber attacks. There are a number of reasons that this industry is an ideal target for attack: Oil and gas pipelines are part of a country’s critical infrastructure, and they are an ideal target for those looking to cause disruptions in critical services for political or military motives; The industry is highly competitive, as both private enterprise and countries engage in aggressive market share tactics, often with global implications; Intellectual property is highly-valued, making it an attractive target for cyber-espionage. Finally, the sheer value of the oil and gas industry’s commodities make it an especially lucrative target. With producer and broker transactions ranging in the millions, one carefully crafted attack can lead to a payout that could support the hacker’s operations for months, or even years.
Spear phishing attacks are socially engineered emails that try to trick employees into triggering network breaches, conducting fraudulent wire transfers, or even aiding in corporate espionage. Regardless of motivation, the high volume of business communications conducted via email within this industry give hackers quite the window of opportunity to intercept sensitive information through the use of spear phishing, including log-in credentials, reserve records, order forms, broker correspondences, and other documents which can then later be used to defraud unsuspecting industry professionals.
This article describes spear phishing attacks that have occurred in various sectors of oil and gas, along with recommendations on how the industry can boost their cyber security and specifically adopt new preventative measures to protect against these and other email-borne threats.
1. Government Warnings: Critical Infrastructure Disruption
Politically-motivated hacker groups sometimes target state-owned facilities by breaching a point within the supply chain in order to hinder the nation’s ability to obtain, transport, and store energy resources. Other rogue political groups use phishing attacks to gain access to privileged information to pose as corporate decision makers in order to delude, debunk, or destroy a nation’s oil and gas industry. A data breach at any point in an energy supply chain, or within a bureaucratic organisation, can cause severe damage to infrastructure, put public safety in jeopardy, or even sway the balance of international negotiations.
For instance, new evidence showed that a Turkish pipeline explosion that occurred in 2008 was caused by hackers who injected malware into the system through the pipeline’s wireless network. The pipeline was thought to be one of the most secure in the world, but hackers were able to successfully destroy the pipeline by injecting malware (Brocklehurts, 2014). Although the malware used in this attack wasn’t delivered via email, it does provide a stark warning about the physical damages that could be inflicted via cyber-attack.
In April of 2012, the Industrial Control Systems – Cyber Emergency Response Team (ICS – CERT), issued a statement in their monthly report regarding their investigation of a year-long campaign to try to infiltrate multiple natural gas pipelines. ICS-CERT analysis found that the malware used and artefacts associated with these cyber-attacks were tied to a single spear phishing campaign, from a single source or group, and had been attempting to disrupt the control systems of the pipelines (ICS, 2012). Approximately 200,000 miles of these natural gas pipelines are responsible for over 25 percent of the nation’s energy supply, and so threats to this infrastructure are taken very seriously by the federal government.
In August of 2014, Norway’s national security authority (Nasjonal Sikkerhetsmyndighet – NSM) stated that 250 oil sector organisations may have been breached by hacker groups while 50 of those organisations had confirmed data breaches. All of the breaches were reported to be the result of targeted spear phishing attacks in 2011. When asked to comment on the largest breach in Norwegian history, NSM Director Kjetil Nilsen told a local publication that, “The ability to attack [networks] is increasing and there is great interest for our data”.
The main source or method of the 2014 attacks remains unclear, but apparently this type of attack has happened to Norwegian oil companies before. Three years ago, hacker groups used spear
phishing emails to obtain industrial drawings, contracts, as well as log-in credentials (Ibid).
2. Loziak Trojan: Corporate Espionage
Corporations in highly competitive industries may have incentives to obtain sensitive trade information about their competitors in order to gain a strategic advantage. In March of 2015, Symantec reported that hackers have been targeting energy industry workers with malicious spear phishing emails. The campaign primarily targeted OPEC, specifically the UAE, Kuwait, and Saudi Arabia, but has also affected the United States, UK, and Uganda. The intended targets and method of attack made those at Symantec believe that industrial espionage was the motive. Stating that “whoever is behind these attacks may have a strategic interest in the affairs of the companies affected” (Hacket, 2015). The Trojan used in the attack, Loziak, was able to masquerade as an Excel spreadsheet, in order to spread strains of malware designed to observe and report device data. Once downloaded, the malware would steal sensitive information such as system configuration data and send it back to its source. The configuration data told the source whether or not the infected device was a valuable target. If the hackers decided that the device was worth targeting, they would then forward additional malware to that targeted device in order to strip it of more information. In this case, the Loziak Trojan was followed by Back.door.cyberat and Trojan.Zbot.
Once the Loziak Trojan was able to infect, inspect, and transmit data, it opened up new backdoors on the system in case additional breaches were needed in the future. In order to repair the damage done, administrators would have to patch each new backdoor in order to limit future exploits (Hacket, 2015).
3. The Phantom Menace
Fraud targeted attacks impacting oil and gas organisations usually focus on the big-ticket transactions inherent to the industry, and seek to capitalise on their efforts by deluding the victims into sending them large deposits for oil orders. Panda Security, a leading computer software company in Spain, investigated a targeted attack that employed or used a fake .pdf containing compressed files, encryption instructions, and files designed to affect the registry of the device each time the system restarted (Operation Oil Tanker, 2015) . The file, later referred to as the Phantom Menace, was a self-extracting executable file capable of bypassing the latest malware behaviour filters and leaking sensitive personnel information and corporate resources in a text file back to the original sender. This attack was very troubling because of its ability to remove traces of its actions from the registry, allowing it to do the damage and leave little to no clues. With the sensitive information and resources in hand, hackers were easily able to pose as legitimate oil producers who were offering extremely competitive oil prices—prices that seemed especially attractive given Saudi Arabia’s dominance of the market at that time. The Phantom Menace hackers used the order forms and business insights to craft an illusion that they were, in fact, a legitimate oil producer. The oil brokers were then prompted to pay an “advance fee” in order to finalise their crude and refined orders. However, once the advance fee or deposit was sent, neither their oil nor their contact to the oil producer could ever be found.
Even if oil brokers, producers, and distributors use antivirus, anti-malware, and the necessary endpoint protections, they are still vulnerable to socially engineered attacks via email. The human component of receiving and opening a seemingly harmless email can leave an entire organisation’s resources and strategies open to prying eyes. Those at Panda Security said that for those in the oil and gas industry:
The most concerning fact to the antivirus research community and those at Panda Security, was not only that the Phantom Menace was able to avoid detection, but also that it was able to extract all the information it needed without utilising any malware. The only point of prevention hinged on the ability of the user to somehow know that the senders were impostors. However, there are few security solutions available to comprehensively protect against a socially engineered attack like the Phantom Menace.
Email Protection Solutions
Phishing attacks against oil and gas can have various motives, from committing espionage and fraud to causing critical infrastructure and supply chain disruptions. Though there may not be a single silver-bullet solution to secure an organisation’s network from all of these potential motives, protecting the organisation from targeted attacks is not impossible, and it doesn’t have to cost a fortune.
Investing in advanced security architecture now may save a corporation from targeted attacks in the future. As the risks associated with not investing in one can lead to losses in revenue, market share, and reputation, the costs of recovery far outweigh the initial investment in preventative measures.
In order to combat the growing challenges of protecting against orchestrated email scams, oil and gas professionals should look for email security systems that use advanced threat detection and prevention, and are equipped to detect spear phishing scams. Traditional email security products are typically not designed to detect and block spear phishing attacks, and most spam filtering products rely on prior detection and black lists in order to flag an email as spam. Also, many spear phishing attacks make use of unknown threats or zero-day vulnerabilities that not all anti-malware engines will be able to detect. Organizations can improve their email threat protection by taking the following precautions:
Use Multiple Anti-malware Engines:
Multi-scanning leverages the power of the different detection algorithms and heuristics of multiple engines, therefore increasing detection of both known and unknown threats, as well as protecting against attacks designed to circumvent particular antivirus engines. In addition, since anti-malware vendors address different threats at different times, using multiple scan engines will help detect new outbreaks much faster. It is important to distinguish between multi-scanning and simply using multiple antivirus engines. When using multi-scanning technology, performance is greatly enhanced and potential conflicts between different engines are avoided.
Sanitize Email Attachments:
Many spear phishing emails include malicious Word or PDF attachments, so as a precautionary measure it is highly recommended to sanitise incoming email attachments in order to remove any embedded threats that may go undetected by antivirus engines.
Set Attachment Limits:
By blocking potentially dangerous email attachment types such as .exe files and scripts, it is more difficult for malware to spread. It is also important to verify the attachment file type so that .exe files that are renamed as .txt files do not get through the company’s filters.
Enforce an Email Content Policy:
With user-based email content policies, such as keyword and attachment filtering, organisations can ensure that no confidential content or intellectual property is sent out through email.
Implement an SFT Server:
A secure file transfer server allows an organisation to easily send and receive large and confidential files ensuring trackable, instant, and secure delivery. By encrypting files and implementing user authentication, the interception of potentially valuable information can be prevented.
Utilize Advanced Threat Detection and Prevention:
Ultimately, organisations need to make sure their email security system is backed by powerful anti-malware engines, as the performance of the email security program will hinge on the engine’s ability to detect, prevent, sanitise, or quarantine the suspicious email or attachment.
Scan Running Processes on Endpoints:
If email-born threats have already entered your network, scanning running processes and DLLs on both in-network and remote endpoints helps to identify malware before it spreads.
By having these added layers of security incorporated into the organisation’s email security infrastructure, those in the oil and gas industry can better protect themselves from targeted email attacks, and not risk losing millions to fraud, or having to conduct costly image campaigns.