
American Security Council Foundation



ASCF News


Troubled Oil and Gas Industry Under Siege From Spyware; Novel Spear Phishing Attacks Thought to Be Espionage-Driven

The global oil and gas industry would have had a tough year even if the coronavirus had never surfaced; overproduction by the United States and a price war between Russia and Saudi Arabia might well have driven prices to record lows in 2020 anyway. But with the added complication of a halt to the majority of travel due to a pandemic, a barrel of oil briefly had a negative value in April as supply overwhelmed storage capacity. Oil price fluctuations continue, but as we have seen with other industries, hackers don’t give anyone a break during hard times and pounce on whatever opportunities are available. The oil and gas industry is currently fending off a major spyware campaign, notable for its use of highly targeted spear phishing attacks, during one of the toughest periods in its history.

The use of novel tools and the type of information being sought also indicate that sophisticated advanced persistent threat (APT) groups backed by a nation-state are the culprits, and that espionage is behind the sudden interest in this vertical. The hackers seem to want to know in advance what countries in the OPEC alliance and the Group of 20 nations are planning.

Spear phishing attacks focused on the oil and gas industry

This sophisticated campaign of spyware directed at the oil and gas industry is being tracked and reported on by Romanian cybersecurity firm BitDefender, led by senior analyst Liviu Arsene. The campaign is centered around impersonation of two well-known industry contractors that many international oil and gas industry companies regularly work with.

The attackers impersonate either Engineering for Petroleum and Process Industries (ENPPI), a major engineering contractor based in Egypt that has been in business for decades, or a shipping company whose identity has been kept private. The attacks that spoof ENPPI have been directed at a variety of targets around the world, while the fake shipping company emails were sent to specific businesses in the Philippines.

The spear phishing attack emails that purport to come from ENPPI all use the same standard format. They invite the recipients to bid on equipment and materials from the “Rosetta Sharing Facilities Project” run by the major Egyptian gas company Burullus. This was an actual project that Burullus was involved with that was scheduled to be completed in late 2019. The BitDefender researchers mention that these spear phishing attacks are not strictly limited to oil and gas industry companies; related energy industry organizations, such as hydraulic plants and manufacturers of raw materials, have also been targeted in connection with this campaign.

The emails include attachments that appear to be .ZIP files containing related documents, but that are actually disguised .EXE files which deliver the Agent Tesla spyware when run. This spyware has been around since at least 2014, but its use in a targeted phishing campaign against oil and gas industry targets is novel. Agent Tesla is something of an “all-in-one” espionage package; once installed on a target system it logs keystrokes, takes screenshots, harvests credentials from certain installed applications, and forwards anything copied to the system clipboard to the attacker’s email address.
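A mail-gateway check for the disguise described above compares what an attachment's name claims with what its first bytes say it is. The following is an added example, not code from the article or from BitDefender; the function names, the extension list and the sample message are all constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

PE_MAGIC = b"MZ"  # first two bytes of every Windows executable
EXECUTABLE_EXTS = (".exe", ".scr", ".com")  # assumed list, extend as needed

def audit_attachments(raw):
    """Return (filename, finding) pairs for suspicious attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        claimed = name.lower().rsplit(".", 1)[-1]
        if data.startswith(PE_MAGIC) and claimed != "exe":
            # Content is an executable but the name claims something else.
            findings.append((name, "PE header behind a ." + claimed + " name"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # A genuine archive can still carry an executable member.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTS):
                        findings.append((name, "archive contains " + member))
    return findings

def build_sample():
    """Constructed message: a fake .zip (MZ stub) and a harmless real zip."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="zip", filename="bid_documents.zip")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("specs.txt", "constructed harmless text")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="specs.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, finding in audit_attachments(build_sample()):
        print(name, "->", finding)
```

The check ignores the declared MIME type as well as the filename, since both are chosen by the sender.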

This spyware has a history of being spread through Microsoft Word documents that contain malicious macros, and is available on the open market via various dark web forums and sites. The group behind it essentially licenses it under a “software as a service” model and makes continual updates to it.

The spear phishing attack emails directed at companies in the Philippines also try to trick recipients into installing Agent Tesla, but they do so by asking for a response to a query about the movements of a chemical oil tanker. BitDefender noted that activity spiked on March 31, but there have been at least a handful of these attack attempts each day since then.

A nation-state spyware campaign?

The focus on delivering spyware indicates that the attackers want a glimpse into the future of oil prices and strategic moves. Some oil and gas industry companies are entirely (or at least partially) government-owned, but even the ones that are entirely private enterprises still have close government ties and likely handle confidential information on a regular basis.

Though the spyware delivery technique is somewhat blunt and there are no zero-day elements or particularly sophisticated methods in use in these spear phishing attacks, the use of industry terms and methods of communication indicates that the attackers have a strong familiarity with this somewhat fenced-off world.

The timing also indicates that whoever is behind the spear phishing attacks is interested in learning how various nations intend to respond to the historic OPEC alliance deal that was reached in mid-April, in which the world’s biggest producers reached an agreement to cut output. The most frequently attacked countries include Malaysia, Iran and the United States.

Dave Weinstein, Chief Security Officer at Claroty, warns that targeted spear phishing attacks are not just an oil and gas industry or government concern. A wide variety of industries should expect to see increased attention and novel approaches as the world continues to grapple with the coronavirus pandemic: “This is part of a growing threat against industrial organizations, including oil and gas companies, that rely heavily on remote access to maintain their operations. This reliance is even more pronounced in the era of COVID-19. Financially motivated hackers are taking notice and engaging in targeted spear phishing campaigns to compromise the accounts of those with privileged access for the purposes of stealing data or extorting operations with ransomware. Organizations must monitor all of their remote connections during this time of heightened risk and implement strict authentication controls to prevent compromised accounts from gaining access to operational technology (OT) networks.”

Photo and Link: https://www.cpomagazine.com/cyber-security/troubled-oil-and-gas-industry-under-siege-from-spyware-novel-spear-phishing-attacks-thought-to-be-espionage-driven/
