1. Infrastructure Sabotage

Certain threat actors deploy malware specifically crafted to destroy or sabotage servers, control systems or networks at industrial facilities. Several families of wiper malware have been used in attacks against the oil industry. Most notoriously, Stuxnet was built to target the centrifuges at a uranium enrichment facility in Iran rather than ordinary IT systems. Another example, Industroyer, carries payloads that directly manipulate industrial control systems (ICS) used in electric substations and could be repurposed against other critical infrastructure.

Companies in the oil and gas industry should be wary of these threats. A further concern is that purpose-built malware is not always needed to compromise a facility: any remote access tool that lets an attacker reach a Human Machine Interface (HMI) for plant equipment poses a serious risk.

2. Espionage & Data Theft

Espionage and data theft are critical issues—companies rely on unique and exclusive intellectual property to maintain an advantage over competitors. In the oil and gas industries, information like test results, drilling techniques, new oil reserves and chemical composition of premium products are highly valuable. And, of course, what is highly valued becomes highly targeted.

Threat actors use several tactics to compromise communications or maintain a presence in corporate networks for espionage: DNS hijacking, attacks on webmail and corporate VPN servers, or even scraping publicly available information for useful data.

Espionage and data theft may also be the starting point for more destructive actions. Reconnaissance is the first step of an attack, so companies should treat any sign of espionage as a possible indicator of a larger attack in progress.

3. Ever-changing Malware

Different malware serves different purposes in a targeted attack: intrusion, data theft, propagation, and more. For the threat actor, maintaining a presence in the victim's systems is crucial: they need to keep issuing commands to their malware and receiving data from it. Stable, continuous communication between the malware and its command and control (C&C) server is therefore a priority, and attackers keep updating their malware to stay ahead of the security solutions that might disrupt it.

Cybercriminals use a range of malware to infect victims, maintain persistence and communicate. Webshells, for instance, are small server-side scripts (typically PHP, ASP or JSP) planted on a compromised web server; the attacker drives them through ordinary HTTP requests and uses them to run commands, steal information, upload or download files, and more. DNS tunneling abuses the DNS protocol itself to carry data between malware and its controller, hiding in traffic that most networks allow outbound without inspection. Even email and cloud services can be used as communication channels.
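DNS tunneling leaves a recognisable trace in resolver logs: one client asking for many distinct, long, high-entropy names under a single domain, often as TXT queries. The following detector is an added example (not code from the Trend Micro paper) that scores constructed sample log lines in an assumed "<epoch> <client_ip> <qtype> <qname>" format; the domain updates-cdn.net and the hex labels are invented for the demonstration.

```python
"""Heuristic DNS-tunnelling detector run over constructed resolver query logs.

Added example (not from the Trend Micro paper). Assumed log format, one query
per line: "<epoch> <client_ip> <qtype> <qname>".
"""
import math
from collections import Counter, defaultdict

# Constructed sample log lines. The long hex labels under updates-cdn.net
# (a hypothetical domain) imitate chunks of encoded data; example.com
# traffic is ordinary browsing noise.
SAMPLE_LOG = """\
1696579200 10.0.5.21 A www.example.com
1696579201 10.0.5.21 A cdn.example.com
1696579202 10.0.5.21 AAAA mail.example.com
1696579203 10.0.5.77 TXT 3f7a0c9e1b5d2846e9a1c37f0b5d6248.s1.updates-cdn.net
1696579204 10.0.5.77 TXT 5b8d2f0a6c4e1973c04e8a2f6b1d9375.s2.updates-cdn.net
1696579205 10.0.5.77 TXT 91d7b3e5f0a2c8466a2c4e8f0b1d3579.s3.updates-cdn.net
1696579206 10.0.5.77 TXT d5f1b7a3e9c0246848c0a6e2f1d9b753.s4.updates-cdn.net
1696579207 10.0.5.77 TXT e9a1c37f0b5d624891d7b3e5f0a2c846.s5.updates-cdn.net
1696579208 10.0.5.77 TXT c04e8a2f6b1d9375d5f1b7a3e9c02468.s6.updates-cdn.net
1696579209 10.0.5.77 A www.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character: 4.0 for uniform hex, well under 2 for host names."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registered_domain(labels):
    # Simplification: treat the last two labels as the registrable domain.
    # Production code should consult the Public Suffix List (think co.uk).
    return ".".join(labels[-2:])


def parse_line(line):
    ts, client, qtype, qname = line.split()
    labels = qname.rstrip(".").lower().split(".")
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(),
            "labels": labels, "domain": registered_domain(labels)}


def analyse(log_text, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Return one finding per (client, domain) pair that looks like tunnelling.

    A pair is flagged when the client has asked for at least `min_unique`
    distinct names under the domain and the leftmost label is, on average,
    both long and high-entropy, i.e. it carries encoded data rather than a
    host name. The TXT share is reported because tunnels favour large answers.
    """
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "names": set(),
                                 "lens": [], "ents": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[(rec["client"], rec["domain"])]
        s["queries"] += 1
        if rec["qtype"] == "TXT":
            s["txt"] += 1
        s["names"].add(".".join(rec["labels"]))
        # Only a label left of the registrable domain can carry tunnelled data.
        data_label = rec["labels"][0] if len(rec["labels"]) > 2 else ""
        s["lens"].append(len(data_label))
        s["ents"].append(shannon_entropy(data_label))

    findings = []
    for (client, domain), s in sorted(stats.items()):
        if len(s["names"]) < min_unique:
            continue
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            findings.append({"client": client, "domain": domain,
                             "queries": s["queries"],
                             "unique_names": len(s["names"]),
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "txt_share": round(s["txt"] / s["queries"], 2)})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the sample, only the 10.0.5.77 / updates-cdn.net pair is reported. The thresholds are starting points: tune `min_unique` to the query volume of your resolvers, and expect legitimate high-entropy names from CDNs and anti-virus cloud lookups, which are best handled with an allow list of known domains rather than by raising the entropy bar.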

4. Ransomware

Ransomware can have a huge impact on daily operations, especially because of the connected nature of enterprise networks. Reconnaissance is necessary to gain access to a corporate network: attackers scope out their targets to find the best entry point, often using spear-phishing emails crafted for the specific enterprise or industry. One wrong click by an employee can then expose hundreds of devices to compromise. Once inside the network, the attacker moves laterally and carefully chooses the moment to drop ransomware, either on selected servers or across the whole network. The end goal is usually to leave the company unable to operate normally or unable to recover its data (for example, by first tampering with the backup system), so that it is more likely to pay the ransom.

Cyber Security Recommendations:

Oil and gas facilities are critical infrastructure producing vital products for economies around the world. Protecting the supply chain matters not only to the enterprises that manufacture those products but also to everyone who depends on and consumes them.

  1. Make sure all data communications have integrity checks (authenticated protocols such as TLS, or a message authentication code over each message).
  2. Lock down and secure domain names (harden registrar accounts with multi-factor authentication, use registry lock where offered, and alert on record changes).
  3. Use Domain Name System Security Extensions (DNSSEC).
  4. Keep all software up to date.
  5. Monitor for data leaks.
  6. Make full use of the security settings in cloud services.
  7. Train and keep employees aware of current threats.
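Recommendation 1 is the one most often implemented badly: a checksum is not an integrity check, because an attacker who can change the data can recompute it. The following added example (not code from the paper or from Trend Micro) shows the minimum that "integrity check" should mean for a telemetry link between a site and a control room: each frame carries an HMAC-SHA256 tag keyed with a shared secret, the receiver compares it in constant time, and a sequence number inside the authenticated data rejects replays. The wire format, the key and the sample readings are assumptions for the demonstration.

```python
"""Integrity-tagged message frames with HMAC-SHA256 and replay protection.

Added example (not from the paper). Assumed wire format:
seq (8 bytes, big-endian) | payload | tag (32 bytes).
"""
import hashlib
import hmac
import struct

SEQ_LEN = 8
TAG_LEN = 32


def tag_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: append an HMAC over the sequence number and payload."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_message(key: bytes, frame: bytes, last_seq: int):
    """Receiver side: return (seq, payload), or None if the frame is rejected.

    Rejection reasons: truncated frame, tag mismatch (modified or forged
    data, or wrong key), or a sequence number that does not advance (replay).
    """
    if len(frame) < SEQ_LEN + TAG_LEN:
        return None
    header = frame[:SEQ_LEN]
    payload = frame[SEQ_LEN:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    # compare_digest runs in constant time, so a forger learns nothing from timing.
    if not hmac.compare_digest(tag, expected):
        return None
    seq = struct.unpack(">Q", header)[0]
    if seq <= last_seq:
        return None
    return seq, payload


class Receiver:
    """Tracks the highest accepted sequence number for one sender key."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.accepted = []
        self.rejected = 0

    def receive(self, frame: bytes) -> bool:
        result = verify_message(self.key, frame, self.last_seq)
        if result is None:
            self.rejected += 1
            return False
        self.last_seq, payload = result
        self.accepted.append(payload)
        return True


def demo():
    """Exercise the receiver with genuine, tampered, replayed and forged frames."""
    key = bytes(range(32))  # constructed demo key; real links get per-link keys provisioned out of band
    rx = Receiver(key)
    reading = b'{"well":"A-7","pressure_psi":2310}'  # constructed telemetry sample
    good = tag_message(key, 1, reading)

    # Flip one bit in the pressure digits: "2310" becomes "3310".
    tampered = bytearray(good)
    tampered[SEQ_LEN + 29] ^= 0x01

    return {
        "genuine": rx.receive(good),
        "tampered": rx.receive(bytes(tampered)),
        "replayed": rx.receive(good),
        "wrong_key": rx.receive(tag_message(b"\x00" * 32, 2, b"{}")),
        "next": rx.receive(tag_message(key, 2, b'{"well":"A-7","pressure_psi":2295}')),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} accepted={accepted}")
```

The tag protects integrity and origin, not confidentiality; if the readings themselves are sensitive, wrap the same frames in TLS or use an authenticated cipher. The sequence counter must be persisted by the receiver across restarts, otherwise an attacker can replay the entire history after a reboot.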


Source: Trend Micro | Read the full paper, Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry, to learn more about critical threats to the oil and gas industry, and secure your place at the Cyber Security for Critical Assets Online Summit using code OIL&GAS to attend for FREE on October 6th-7th.

Find out more here: europe.cs4ca.com