
Protecting oil and gas industry from email threats: part one

Published by , Editorial Assistant
Oilfield Technology,



According to a recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy sector, including oil and gas, is facing a significant rise in cyber attacks. There are a number of reasons that this industry is an ideal target for attack: oil and gas pipelines are part of a country’s critical infrastructure, which makes them an ideal target for those looking to disrupt critical services for political or military motives; the industry is highly competitive, as both private enterprises and countries engage in aggressive market share tactics, often with global implications; and intellectual property is highly valued, making it an attractive target for cyber-espionage. Finally, the sheer value of the oil and gas industry’s commodities makes it an especially lucrative target. With producer and broker transactions ranging in the millions, one carefully crafted attack can lead to a payout that could support the hacker’s operations for months, or even years.

Spear phishing attacks are socially engineered emails that try to trick employees into triggering network breaches, conducting fraudulent wire transfers, or even aiding in corporate espionage. Regardless of motivation, the high volume of business communications conducted via email within this industry gives hackers quite the window of opportunity to intercept sensitive information through the use of spear phishing, including log-in credentials, reserve records, order forms, broker correspondence, and other documents which can then later be used to defraud unsuspecting industry professionals.

This article describes spear phishing attacks that have occurred in various sectors of oil and gas, along with recommendations on how the industry can boost its cyber security and specifically adopt new preventative measures to protect against these and other email-borne threats.

Government warnings: critical infrastructure disruption

Politically motivated hacker groups sometimes target state-owned facilities by breaching a point within the supply chain in order to hinder the nation’s ability to obtain, transport, and store energy resources. Other rogue political groups use phishing attacks to gain access to privileged information and to pose as corporate decision makers in order to delude, debunk, or destroy a nation’s oil and gas industry. A data breach at any point in an energy supply chain, or within a bureaucratic organisation, can cause severe damage to infrastructure, put public safety in jeopardy, or even sway the balance of international negotiations.

For instance, new evidence showed that a Turkish pipeline explosion that occurred in 2008 was caused by hackers who injected malware into the system through the pipeline’s wireless network. The pipeline was thought to be one of the most secure in the world, but the hackers were nevertheless able to destroy it by injecting malware (Brocklehurts, 2014). Although the malware used in this attack was not delivered via email, the incident provides a stark warning about the physical damage that can be inflicted via cyber-attack.

United States

In April of 2012, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a statement in its monthly report regarding its investigation of a year-long campaign to infiltrate multiple natural gas pipelines. ICS-CERT analysis found that the malware used and the artefacts associated with these cyber-attacks were tied to a single spear phishing campaign, from a single source or group, which had been attempting to disrupt the control systems of the pipelines (ICS, 2012). Approximately 200 000 miles of these natural gas pipelines are responsible for over 25% of the nation’s energy supply, and so threats to this infrastructure are taken very seriously by the federal government.

Norway

In August of 2014, Norway’s national security authority (Nasjonal Sikkerhetsmyndighet – NSM) stated that 250 oil sector organisations may have been breached by hacker groups, while 50 of those organisations had confirmed data breaches. All of the breaches were reported to be the result of targeted spear phishing attacks in 2011. When asked to comment on the largest breach in Norwegian history, NSM Director Kjetil Nilsen told a local publication that, “The ability to attack [networks] is increasing and there is great interest for our data”.

The main source or method of the 2014 attacks remains unclear, but apparently this type of attack has happened to Norwegian oil companies before. Three years ago, hacker groups used spear phishing emails to obtain industrial drawings, contracts, as well as log-in credentials (Ibid).

Loziak Trojan: corporate espionage

Corporations in highly competitive industries may have incentives to obtain sensitive trade information about their competitors in order to gain a strategic advantage. In March of 2015, Symantec reported that hackers had been targeting energy industry workers with malicious spear phishing emails. The campaign primarily targeted OPEC members, specifically the UAE, Kuwait, and Saudi Arabia, but also affected the United States, UK, and Uganda. The intended targets and method of attack led Symantec to believe that industrial espionage was the motive, stating that “whoever is behind these attacks may have a strategic interest in the affairs of the companies affected” (Hacket, 2015). The Trojan used in the attack, Loziak, masqueraded as an Excel spreadsheet in order to spread strains of malware designed to observe and report device data. Once downloaded, the malware would steal sensitive information such as system configuration data and send it back to its source. The configuration data told the source whether or not the infected device was a valuable target. If the hackers decided that the device was worth targeting, they would then forward additional malware to that device in order to strip it of more information. In this case, the Loziak Trojan was followed by Backdoor.Cyberat and Trojan.Zbot.

Once the Loziak Trojan had infected a system, inspected it, and transmitted its data, it opened up new backdoors on the system in case additional breaches were needed in the future. To repair the damage done, administrators would have to close each new backdoor in order to limit future exploits (Hacket, 2015).
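As an added, defender-side example (not code from the article or from OPSWAT), the following Python checks whether an email attachment that presents itself as an Excel spreadsheet, as the Trojan above did, actually carries spreadsheet content, by comparing the declared extension with the file's leading magic bytes. The signature table, the double-extension rule and the sample headers are constructed for the example and are not exhaustive.

```python
# Added example (not from the article or OPSWAT): flag an email attachment
# that claims to be an Excel spreadsheet but carries different content.
# Signatures and sample inputs are constructed; the table is not exhaustive.

SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .xls/.doc compound file
    b"PK\x03\x04": "zip",                         # OOXML (.xlsx/.xlsm) or plain zip
    b"MZ": "pe",                                  # Windows executable or DLL
}

# Which container each Excel extension is expected to carry.
EXCEL_EXTENSIONS = {"xls": {"ole2"}, "xlsx": {"zip"}, "xlsm": {"zip"}}


def detect_container(data: bytes) -> str:
    """Identify the real container type from the leading magic bytes."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the actual content and list reasons."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    container = detect_container(data)
    # "quote.xlsx.exe": an Excel-looking name hiding a different final extension
    if len(parts) > 2 and parts[-2] in EXCEL_EXTENSIONS and ext not in EXCEL_EXTENSIONS:
        reasons.append("double extension hides real type")
    if container == "pe":
        reasons.append("Windows executable content")
    if ext in EXCEL_EXTENSIONS and container not in EXCEL_EXTENSIONS[ext]:
        reasons.append(f"claims .{ext} but content is {container}")
    return {"verdict": "suspicious" if reasons else "ok",
            "container": container, "reasons": reasons}


# Constructed sample attachments: a genuine OOXML header and a PE header.
SAMPLE_XLSX = b"PK\x03\x04" + b"\x14\x00\x06\x00" + b"\x00" * 24
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24

if __name__ == "__main__":
    for name, blob in [("Q3_reserves.xlsx", SAMPLE_XLSX),
                       ("Q3_reserves.xls", SAMPLE_PE),
                       ("Q3_reserves.xlsx.exe", SAMPLE_PE)]:
        print(name, assess_attachment(name, blob))
```

A macro-enabled .xlsm passes this container check, so the test complements rather than replaces attachment sandboxing and macro controls.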

Part 2 of this article to follow 27/11/15

Adapted from an article from OPSWAT by Louise Mulhall

Read the article online at: https://www.oilfieldtechnology.com/digital-oilfield/26112015/protecting-oil-and-gas-industry-from-email-threats/
