The Russia-Ukraine war has posed threats to the oil and gas industry. Our team even uncovered several alleged attacks perpetrated by various groups during a March 2022 research. In part one, we exhibit how a typical oil and gas company works and why it can be susceptible to cyberattacks. We also explain different threats that can disrupt its operation.
In part two, let’s continue identifying threats that pose great risk to an oil and gas company.
Ransomware remains a serious threat to oil and gas companies. Targeting individuals using ransomware is fairly easy for cybercriminals, even for those with a lower level of computer knowledge. The easiest business model consists of subscribing to ransomware-as-a-service (RaaS) offers on underground cybercrime marketplaces.18 Any fraudster can buy such a service and start delivering ransomware to thousands of individuals’ computers by using exploit kits or spam emails.
During our research, we found that a U.S. oil and natural gas company was hit by ransomware, infecting three computers and its cloud backups. The computers that were targeted contained essential data for the company, and the estimated total loss was more than US$30 million. While we do not have additional details on this case, we believe the attackers did plan this attack carefully and were able to target a few strategic computers rather than hitting the company with a massive infection.
Read more: Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques
Various kinds of malware serve different purposes, functioning and communicating between the infected computers and the C&C servers. Compromising and planting malware inside a target network is just the initial stage for attackers. Yet for several reasons, these actions can be detected after a while or even just deleted automatically by any antivirus or security solution.
To avoid being kicked off from the network when the only available access is via their malware, attackers generally choose to regularly update their malware. And if possible, they use different malware families so that they have more than one way to access the compromised network.
Threat actors sometimes utilize webshells to ease their operations. They can use webshells to:
- Download or upload files to the compromised web server;
- Run other tools (such as credential stealers);
- Maintain persistence on the compromised infrastructure;
- Bounce to other servers and move on with more compromises; or
- Steal information.
Cookies are small files sent from web servers and stored in the browser of an internet user. They serve different legitimate purposes, such as allowing a browser to know if the user is logged in or not (as in the case of authentication cookies) or storing stateful information (like items in shopping carts).
Some variants of the backdoor BKDR64_RGDOOR22 used cookies23 to handle communications between the malware and its C&C server. They used the string “RGSESSIONID=” followed by encrypted content. Careful cookie field monitoring in HTTP traffic can help detect this kind of activity.
- DNS tunnelling
The most common way for malware to communicate with its C&C server is by using HTTP or HTTPS protocol. However, some attackers allow their malware to communicate via DNS tunnelling. In this content, DNS tunnelling exploits the DNS protocol to transmit data between the malware and its controller, via DNS queries and response packets.
The DNS client software (the malware) sends data, generally encoded in some ways, prepended as the hostname of the DNS query.
- Email as communication channel
An APT attacker might want to use this method mostly for two reasons: email services, especially external online services, might be less monitored than other services in the compromised network, and it might provide an additional level of anonymity depending on the email service provider that is used.
- Zero-day exploits
More often than not, attackers use known exploits and only use zero-day exploits when really necessary. It doesn’t take much effort to compromise most networks, gain access and exfiltrate information with standard malware and tools.
The Stuxnet case is a solid and interesting example of zero-day exploits, using four different types. No other known attack has been seen exploiting so many unpatched and unknown vulnerabilities — it has shown an extraordinary level of sophistication.
Two years before Stuxnet, another malware from the Equation group27 was using two of the four zero-day exploits that Stuxnet used. The Equation group targeted many different sectors, including oil and gas, energy, and nuclear research. It showed advanced technical capabilities, including infecting the hard drive firmware of several major hard drive manufacturers, which had seemed impossible without the firmware source code.
- Mobile phone malware
There has been an increase in the use of mobile phone malware in recent years. It is typically used for cybercrime, but can also be utilized for espionage.
The Reaper threat actor has developed Android malware, which we detect as AndroidOS_KevDroid. This malware has several functionalities, including starting a video or audio recording, downloading the address book from the compromised phone, fetching specific files, and reading SMS messages and other information from the phone.
The MuddyWater APT group29 has used several variants of Android malware (AndroidOS_Mudwater.HRX, AndroidOS_HiddenApp.SAB, AndroidOS_Androrat.AXM, and .AXMA) posing as legitimate applications. These malware variants can completely take control of an Android phone, spread infecting links via SMS, and steal contacts, SMS messages, screenshots, and call logs.
Bluetooth can also be exploited by threat actors. And one of the most interesting recent discoveries in this regard is the USB Bluetooth Harvester.30 It is very uncommon, but it highlights the need for organizations to stay up to date on threat actor developments.
- Cloud services
Attackers can use legitimate cloud services to render the traffic between malware and the C&C server undetectable. For example, the Slub malware has been used for APT attacks. While it hasn’t affected the industry just yet, it bears mentioning as it use Git Hub (a software development platform), and Slack (a messaging service), for C&C communication can easily be copied by other threat actors.
In the final installation of our series, we’ll look at APT33—a group generally considered responsible for many spear-phishing campaigns targeting the oil industry and its supply chain. We’ll also discuss recommendations that oil and gas companies can utilize to further improve their cybersecurity.
To learn more about digital threats that the oil and gas industry face, download our comprehend research here.