Oil and gas industry facing spearphishing attacks
Cyber criminals are aiming their attacks at the oil and gas sector by impersonating specific engineer contractors and shipping companies. Know what to look for and how to avoid a cyber attack.
Spearphishing campaigns are targeting the oil and gas sector by either impersonating a known Egyptian engineering contractor or a shipment company and dropping the Agent Tesla spyware Trojan.
The impersonated engineering contractor (Enppi – Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, according to a post written by Bitdefender’s Liviu Arsene based on company research. Attackers are leveraging the company’s reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, based on Bitdefender telemetry.
The second campaign, impersonating the shipment company, used legitimate information about a chemical/oil tanker, plus industry jargon, to make the email believable when targeting victims from the Philippines.
Oil and gas has been under tremendous stress in recent weeks, as the global COVID-19 pandemic lowered oil demand. Oil prices per barrel have dropped by more than half to the lowest since 2002.
While the malware payload itself is not as sophisticated as those used in more advanced and targeted attacks, the fact that they’ve been orchestrated and executed during this time, and before all the news surrounding the oil industry, suggests motivation and interest in knowing how specific countries plan to address the issue, Arsene said.
Oil & gas is an attractive target
“Cybercriminals are often opportunistic and leverage popular media topics in spearphishing campaigns that usually target large numbers of victims,” Arsene said. “However, we recently found a campaign that seems to specifically target the oil & gas sector, based on a telemetry spike on March 31. Interestingly, the payload is a spyware Trojan that packs keylogging capabilities, and has not been associated with oil & gas spearphishing campaigns in the past.”
The second campaign that impersonated a shipping company started April 12 and targeted only a handful of shipping companies based in the Philippines over the course of two days, he said.
The spearphishing email mimics Egyptian state oil company Enppi and claims to invite the recipient to submit a bid for equipment and materials, as part of a project (Rosetta Sharing Facilities Project) on behalf of a well-known gas company (Burullus).
“Enppi is globally recognized as a major engineering, EPC main contractor, and management contractor, with decades of experience in onshore and offshore projects in the oil and gas, refining and petrochemical industries,” reads the legitimate company description from their website.
While the email does sound legitimate, with a bid submission deadline and even a request for a bid bond, the attached archives that supposedly contain a list of requested materials and equipment actually drop the Agent Tesla spyware Trojan.
This is not the first time the oil and gas industry has faced such campaigns: similar ones were reported in 2017 and 2019, both using similarly constructed emails and delivering spyware such as the Remcos remote access Trojan.
However, these campaigns deliver the Agent Tesla spyware Trojan instead, and beyond just the oil and gas sector, they also target other energy verticals tagged as critical during the Coronavirus pandemic.
Analysis of the affected victims’ profiles showed they were in oil and gas, charcoal processing, hydraulic plants, manufacturers of raw materials, and transporters of large merchandise, Arsene said in the post.
Most of the reports seem to involve Malaysia, the MENA region, and the United States. The United States and Iran are among the top oil-producing countries in the world, which could hint at why oil and gas spearphishing campaigns might be targeting them, especially during a global oil price drop caused by the COVID-19 pandemic.
The Agent Tesla spyware Trojan has been around since 2014, but has undergone constant improvements and updates. It reportedly operates under a malware-as-a-service offering, with its developers offering various pricing tiers based on different licensing models, Arsene said in his post. Agent Tesla operators seem to have stayed in business for quite some time.
Some of its best-known capabilities involve stealth, persistence and security evasion techniques that ultimately enable it to extract credentials, copy clipboard data, capture screenshots, grab form data, log keystrokes, and even collect credentials from a variety of installed applications.