Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry

We break down the digital attacks against the oil and gas industry and its supply chain.

Mining, transportation, refining, distribution—the oil and gas industry has a widespread and complicated production chain that can be difficult to comprehensively defend. Risks come from all sides: extreme weather can affect transportation, politics (global and local) can impact production, and physical attacks on infrastructure can actually threaten worker safety and even impact the world’s oil supply. With all these concrete risks, seemingly intangible cyberattacks may seem less urgent.

However, as facility automation and connectivity between networks grow and the use of cloud services increases, oil and gas companies are becoming more and more exposed to cybersecurity-related threats.

The typical infrastructure of oil and gas enterprises

Throughout this process, constant monitoring is crucial. There must be strict visibility on temperature, pressure, chemical composition and possible leaks. Onsite production equipment, as well as safety instrumented systems (SIS), and emergency stop systems are vital, and they are usually monitored and controlled remotely. All of these connected systems can potentially be compromised by an attacker.

Oil and gas companies have little incentive to encrypt data flowing from sensors; however, the lack of integrity checks on those data communications leaves open the possibility of sabotage attacks on oil wells and refineries by bad actors.



Threats to the oil and gas industry

Infrastructure sabotage

Certain threat actors deploy malware that is specifically crafted to destroy or sabotage computer servers, control systems or the network of factory facilities. Different versions of wiper malware have been used in attacks against the oil industry. Most notoriously, the Stuxnet malware was launched exclusively to target the centrifuges in the uranium enrichment facility of a nuclear power plant in Iran. Another example is Industroyer, malware that pushes payloads affecting the industrial control systems (ICS) used in electric substations and that can be used to target other critical infrastructure.

Companies in the oil and gas industry should be wary of these threats. An additional concern is that purpose-built malware is not always needed to compromise a facility: any remote access tool that lets an attacker reach a Human Machine Interface (HMI) for equipment poses serious risks.

Espionage and data theft

Espionage and data theft are critical issues—companies rely on unique and exclusive intellectual property to maintain an advantage over competitors. In the oil and gas industries, information like test results, drilling techniques, new oil reserves and chemical composition of premium products are highly valuable. And, of course, what is highly valued becomes highly targeted.

There are certain tactics that threat actors use to try to compromise communications or to maintain a presence in corporate networks for espionage purposes: DNS hijacking, attacking webmail and corporate VPN servers, or even scraping publicly available information for data.

Also, espionage and data theft may be the starting point for more malicious actions. Reconnaissance is the first step of an attack—companies have to be wary and assume any signs of espionage are indicators of a more complex attack.

Ever-changing malware

Different kinds of malware serve different purposes in a targeted attack: intrusion, data theft, propagation, and more. To a threat actor, maintaining a presence in a victim’s system is crucial: they need to be able to continually send commands to their malware and receive data back. Stable and constant communication between the command and control (C&C) server and the malware is therefore a priority, so attackers generally keep updating their malware to stay ahead of security solutions that might detect or block it.

Cybercriminals use different kinds of malware to infect victims, maintain persistence and communicate. For instance, webshells—tiny files written in PHP, ASP, or JavaScript—can be used to connect to a C&C server, steal information, download files onto compromised servers and more. DNS tunneling is a method that abuses the DNS protocol to transmit data between malware and its controller. Even email and cloud services can be used as communication channels.
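As an added illustration of the defensive side (not code from the original article), here is a small Python detector that scores DNS query logs for the tunneling pattern described above: one client issuing many unique, long, high-entropy subdomains under a single zone, often via TXT queries. The log format, the client addresses and the zone c2-hypothetical.test are all constructed for the example, and the thresholds are tuning assumptions.

```python
import math
from collections import defaultdict
# Constructed sample log, one "<timestamp> <client_ip> <qtype> <qname>" per line; zone is made up.
SAMPLE_LOG = """\
1573600001 10.20.30.41 A www.example.com
1573600002 10.20.30.41 A mail.example.com
1573600003 10.20.30.55 TXT 6a6f686e2d646f652d7031.c2-hypothetical.test
1573600004 10.20.30.55 TXT 73656e736f722d6461746132.c2-hypothetical.test
1573600005 10.20.30.55 TXT 7072657373757265313835.c2-hypothetical.test
1573600006 10.20.30.55 TXT 6578636c7573697665.c2-hypothetical.test
1573600007 10.20.30.55 TXT 6368656d6963616c636f6d70.c2-hypothetical.test
"""

def shannon_entropy(s: str) -> float:
    # Bits per character; encoded payloads score higher than human-chosen hostnames.
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].upper(), parts[3].lower().rstrip(".")

def find_tunneling_candidates(text, min_unique=5, min_avg_len=12, min_entropy=2.5):
    # Group queries by (client, zone); flag groups with many unique, long, high-entropy labels.
    stats = defaultdict(lambda: {"labels": set(), "bulk": 0, "total": 0})
    for client, qtype, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # no subdomain label that could carry data
        s = stats[(client, ".".join(labels[-2:]))]
        s["labels"].add(labels[0])
        s["total"] += 1
        if qtype in ("TXT", "NULL", "CNAME"):  # record types that carry larger answers
            s["bulk"] += 1
    flagged = []
    for (client, zone), s in stats.items():
        labels = s["labels"]
        if len(labels) < min_unique:
            continue
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged.append({"client": client, "zone": zone, "unique_subdomains": len(labels),
                            "avg_entropy": round(avg_ent, 2), "bulk_ratio": s["bulk"] / s["total"]})
    return flagged
```

Running `find_tunneling_candidates(SAMPLE_LOG)` flags only the second client; the ordinary browsing from the first client never reaches the uniqueness threshold.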

Ransomware

Ransomware can have a huge impact on daily operations, especially because of the connected nature of enterprise networks. Reconnaissance is necessary to successfully gain access to a corporation’s network—attackers have to scope out their targets to find the best entry point. Often they use spear-phishing emails specifically crafted for the enterprise or industry. Then one wrong click from an employee can potentially open up hundreds of devices to compromise. Once inside a network, the attacker will try to move laterally and will carefully choose a moment to drop ransomware either on selected servers or massively across the network. The end goal is usually to render the company unable to operate normally or unable to recover lost data (for example, by tampering with the backup system), so that it is more likely to pay the ransom.

Security recommendations

Oil and gas facilities are critical infrastructure producing vital products for economies around the world. Protecting the supply chain is a significant matter not only for the enterprises that manufacture these products but also for those who depend on and consume them.

  1. Make sure all data communications have integrity checks.
  2. Lock down and secure domain names.
  3. Use Domain Name System Security Extensions (DNSSEC).
  4. Keep all software up to date.
  5. Monitor for data leaks.
  6. Make full use of the security settings in cloud services.
  7. Train and keep employees aware of current threats.
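As an added example tied to recommendation 1 and to the integrity-check gap noted earlier in the article (this is not code from the article), here is how a sensor or PLC gateway can attach an HMAC-SHA256 tag to each reading and how the receiving side can reject readings that were altered in transit or replayed. The shared key, sensor name and pressure values are constructed; a real deployment provisions a distinct key per device.

```python
import hashlib
import hmac
import json

# Constructed shared secret; real deployments provision a distinct key per sensor or gateway.
SHARED_KEY = b"example-wellhead-07-key-do-not-reuse"


def canonical_payload(reading: dict) -> bytes:
    # Deterministic serialization so sender and receiver authenticate identical bytes.
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(reading: dict, key: bytes = SHARED_KEY) -> dict:
    """Sensor side: wrap a reading with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical_payload(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "tag": tag}


def verify_reading(msg: dict, last_seq: int, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: accept only readings whose tag matches and whose sequence
    number is newer than the last accepted one (blocks replay of old, valid data)."""
    reading = msg.get("reading")
    tag = msg.get("tag")
    if not isinstance(reading, dict) or not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical_payload(reading), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False
    seq = reading.get("seq")
    return isinstance(seq, int) and seq > last_seq


if __name__ == "__main__":
    # Constructed pressure reading from a wellhead sensor.
    genuine = sign_reading({"sensor": "wellhead-07-pressure", "seq": 42, "psi": 1850.0})
    print("genuine accepted:", verify_reading(genuine, last_seq=41))
    # Altered in transit: the value changes but the tag no longer matches.
    tampered = {"reading": dict(genuine["reading"], psi=900.0), "tag": genuine["tag"]}
    print("tampered accepted:", verify_reading(tampered, last_seq=41))
    # Replay of an already accepted message: tag is valid but the sequence is stale.
    print("replay accepted:", verify_reading(genuine, last_seq=42))
```

Without the sequence number an attacker who captured one valid message could resend it indefinitely, so integrity checking alone is not enough; freshness has to be part of what is authenticated.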

A part of this research detailing the activities of the APT33 threat actor group was published on November 13, 2019 in the article More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting.

Read the full paper, Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry to learn more about critical threats to the oil and gas industry.
