Under attack

Protecting the oil and gas industry from email threats. By Doug Rangi

A recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), states that the energy sector, including oil and gas, is facing a significant rise in cyber attacks. There are numerous reasons why this industry is an ideal target for attack: Oil and gas pipelines are part of a country’s critical infrastructure; the highly competitive nature of the industry, as both private enterprise and countries engage in aggressive market share tactics; and the presence of highlyvalued intellectual property. Finally, the sheer value of the oil and gas industry’s commodities make it a lucrative target.

The high volume of email communications within this industry give hackers windows of opportunity to intercept sensitive information using spear phishing, including log-in credentials, order forms, and other documents which can then be used to defraud industry professionals. Below are examples of spear phishing attacks that occurred in various oil and gas sectors.

Government Warnings: Critical Infrastructure Disruption
Politically motivated hacker groups sometimes target state-owned facilities to hinder a nation’s ability to obtain, transport, and store energy resources. Other rogue political groups use phishing attacks to access privileged information to debunk or destroy a nation’s oil and gas industry. A data breach in an energy supply chain can cause severe damage to infrastructure, put public safety in jeopardy, or even sway the balance of international negotiations.

In 2012 ICS – CERT issued a statement regarding their investigation of a year-long campaign to try to infiltrate multiple natural gas pipelines. Their analysis found that the malware used in these cyber-attacks was tied to a single spear phishing campaign and had been attempting to disrupt the control systems of the pipelines (ICS, 2012).

Loziak Trojan: Corporate Espionage
Corporations in highly competitive industries may have incentives to obtain sensitive trade information about their competitors to gain a strategic advantage. In 2015, Symantec reported on hackers targeting energy industry workers with spear phishing emails. The campaign primarily targeted the UAE, Kuwait, and Saudi Arabia, but also affected the United States, UK, and Uganda. The Trojan used in the attack, Loziak, masqueraded as an Excel spreadsheet, spreading malware designed to observe and report device data.

The Phantom Menace: Fraud
Targeted attacks impacting oil and gas organisations usually focus on the big-ticket transactions inherent to the industry. Panda Security, a leading computer software company in Spain, investigated a targeted attack that employed a fake .pdf containing compressed files and encryption instructions, designed to affect the device each time the system restarted (Operation Oil Tanker, 2015). The file, referred to as ‘Phantom Menace’, bypassed the latest malware filters and leaked personnel information and corporate resources to the original sender. This attack was troubling due to its ability to remove traces of its actions from the registry, allowing it to do the damage and leave very little clues.

Email protection solutions
Phishing attacks against oil and gas can have various motives, from committing espionage and fraud to causing critical infrastructure and supply chain disruptions. Though there may not be a single silver-bullet solution to securing a network, protecting the organisation from targeted attacks is not impossible. As the risks associated with not investing in advanced security architecture can lead to losses in revenue, market share, and reputation, the costs of recovery far outweigh the initial investment in preventative measures.

In order to combat the growing challenges of protecting against attacks, oil and gas professionals should look for email security systems that use advanced threat detection and prevention. With many spear phishing attacks making use of zero-day vulnerabilities that not all anti-malware engines will be able to detect, organisations can improve their email threat protection by taking the following precautions:

Use multiple anti-malware engines:
Multi-scanning leverages the power of the different detection algorithms and heuristics of multiple engines, therefore increasing detection of both known and unknown threats, as well as protecting against attacks designed to circumvent particular antivirus engines.

Sanitise email attachments:
Many spear phishing emails include malicious Word or PDF attachments, so it is recommended to sanitise incoming attachments in order to remove any embedded threats that may go undetected by antivirus engines.

Set attachment limits:
By blocking potentially dangerous email attachment types such as .exe files and scripts, it is more difficult for malware to spread. It is also important to verify the attachment file type so that .exe files that are renamed as .txt files do not get through the company’s filters.

Enforce an email content policy:
With user-based email content policies, such as keyword and attachment filtering, organisations can ensure that no confidential content or intellectual property is sent out through email.

Implement an SFT server:
A secure file transfer server allows an organisation to easily send and receive large and confidential files ensuring trackable, instant, and secure delivery. By encrypting files and implementing user authentication, the interception of potentially valuable information can be prevented.

Utilise advanced threat detection and prevention:
Ultimately, organisations need to make sure their email security system is backed by powerful anti-malware engines, as the performance of the email security programme will hinge on the engine’s ability to detect, prevent, sanitise, or quarantine the suspicious email or attachment.

Scan running processes on endpoints:
If email-born threats have already entered your network, scanning running processes and DLLs on both in-network and remote endpoints helps to identify malware before it spreads.

By having these added layers of security incorporated into the organisation’s email security infrastructure, those in the oil and gas industry can better protect themselves from targeted email attacks, and not risk losing millions to fraud, or having to conduct costly image campaigns.

OPSWAT
Doug Rangi an Associate at OPSWAT, a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and helps organisations protect against zero-day attacks by using multiple anti-malware engine scanning and document sanitisation. OPSWAT’s intuitive applications and comprehensive development kits are deployed by SMB, enterprise and OEM customers to more than 100 million endpoints worldwide.

For further information please visit: opswat.com