Striking cyberattack aimed to short-circuit global oil accord

A spectacular cyberattack against the world's largest oil companies was thwarted at the last moment, says cybersecurity firm Bitdefender, which claims to have halted the attack. "It was a very sophisticated attack and was enormously difficult to discover," says security specialist.
Photo: Bloomberg/Bloomberg
Photo: Bloomberg/Bloomberg

That the global oil industry is intimately tied to geopolitics and interests is hardly news. Recently, however, this was further emphasized in a new and insidious way, when a major subterfuge campaign struck a series of oil companies ahead of the historic OPEC+ meeting.

Cybersecurity firm Bitdefender reports having blocked a long sequence of attacks that, according to the company's security specialists, were aimed at gaining access to information about a series of oil nations.

On March 31 – two weeks ahead of OPEC's meeting and on the same day of the hitherto OPEC deal's expiry – Bitdefender uncovered a campaign designed to get a hold of information from the oil sector.

This entailed a so-called spear fishing attack, where the perpetrators had attached spyware in order to steal information from recipients. This concerned passwords, login information, browser search histories etc. The spyware was a so-called "Agent Tesla", and had the targets activated the malware, data would have been sent directly back to the hackers.

"It was a very sophisticated attack and was enormously difficult to discover," Bitdefender Security Specialist Liviu Arsene tells EnergyWatch.

But what was it that made this campaign special? Doesn't this sort of thing happen all the time?

"There are two reasons that we're so sharply focused on this right now. Firstly, the content was so well written. There weren't any spelling mistakes, and it even used oil and gas jargon and information that seemed legitimate. Furthermore, it's because the attacks were so targeted and were aimed a limited number of recipients, as far as we can see," Arsene says.

In the email, the sender assumed the identity of Egypt's state-owned oil company ENPPI and presented interest in bidding on a real project on behalf of gas company Burullus.

Meant to expore nations' behavior

The OPEC meeting on April 12 was followed with enormous interest and ended up landing on a solution, with each of world's largest oil countries agreeing to cut output quotas by 10 percent.

Bitdefender says it's certain that the cyber campaign was a part of pre-meeting espionage:

"Everything indicates that the attacks sought to explore what other countries were doing to manage the falling price of oil and how they weighed their options for reducing production," Arsene says.

The number of companies attacked remains uncertain. However, according to Bitdefender, around 100 emails were sent to oil and gas companies, which the cybersecutiy firm has as customers, on March 31.

Arsene is not able to say anything about companies that employ other security firms, and he thereby doesn't know whether other oil and gas outfits might have been deceived to divulge information in connection with the campaign.

State sponsorship uncertain

Most of the attacks had targets in the US and the UK – two of the real big players in the industry. Moreover, parties in Malaysia, Iran, South Africa, Oman and Turkey were are also targeted by the attacks.

"I'm not certain if it had state sponsorship or whether a well-known cybergroup was behind it. But when we put all the pieces together, we're  quite certain that this was about someone having an interest in compromising these companies," he says.

Arsene says the campaign differed from others in the sense that utilized malware was not especially sophisticated and could be purchased on the dark web, which is to say the part of the Internet that's not indexed by search engines.

The sophisticated part of the attack, rather, was the language, the content and the plot itself. That's also why it's so difficult to find out who was behind the attack.

Recent recurrence

The same is true of a similar attack Bitdefender registered as recently as April 12 and 13. These attacks also used the Agent Tesla spyware and targeted a series of shipping companies in the Philippines, also pretending to be another maritime business.

Here, hackers attempted to gain information on the tanker ship Sinar Maluku, which was out at sea at the time of the attack.

"This confirms that the whoever is behind these attacks has done their homework very, very well. They know the industry and know how to formulate themselves. The focus has to a high degree moved toward content, and that makes it harder to fight," he says.

Even though the oil industry is a vulnerable target, cybercriminals are currently aiming broadly at the global energy sector.

In late March, EnergyWatch reported that Bitdefender had noted a 500-percent increase in cyberattacks attempted to exploit the corona crisis. 

English Edit: Daniel Frank Christensen

Oil company attacked by ransomware 

Hackers spy on Danish power and utility companies

US: Russian hackers accessed European and US power plants

Share article

Sign up for our newsletter

Stay ahead of development by receiving our newsletter on the latest sector knowledge.

Newsletter terms

Front page now

Further reading