Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
Connect Directly

Phishers Start to Exploit Oil Industry Amid COVID-19 Woes

While a massive flood of attacks has yet to materialize, cybersecurity experts say this could be the calm before the storm.

The oil and gas industry has been taking a beating as severe as any other hit hard by the COVID-19 shutdown. Tanker ships loaded with crude idle in the ocean, traders struggle to store what has already been pumped, and last week prices per barrel plummeted into negative sums. With all that going on, the industry is ripe for hackers to exploit.

In some cases, that's already happening, says Tom Murphy, CTO at network security provider Nuspire. Phishing and spear-phishing attacks are on the rise against Nuspire's oil and gas clients, he says, and hackers are getting more sophisticated in avoiding detection.

"Normally in an attack you'd see poor grammar. But they're getting better at that. Attacks are becoming more complex because so many people are working from home and are outside of their employers' firewalls," he says. Other tactics target employees and consumers eager for a discount in financially difficult times, such as prepurchasing gas at low prices or signing up for gas discounts.

Murphy is already seeing a 10% to 15% increase in the number of attacks targeting Nuspire customers, wihch include oil and gas consumers and companies, he says.

Similarly, Phil Neray, vice president of IoT and industrial cybersecurity at CyberX, says phishers are utilizing legitimate-looking requests for proposals and requests for quotes in their attacks, sometimes wrapped up as ZIP files, to take advantage of the target's desire to make (or save) money.

"When businesses are hurting, we should expect cybercriminals to send more of these phishing emails — especially if people aren't remembering their cybersecurity training," he says.

Calm Before the Storm
While a massive flood of attacks against oil and gas companies has yet to materialize, potentially because of the very problems that the industry is facing — consumers aren't using as much oil and gas as they were just a few months ago, so companies are not making as much money from their products — Murphy and other cybersecurity experts say this could be the calm before the storm as the industry lays off or furloughs employees, including those protecting the industrial control systems that drive the business.

Prior to the global shutdown, experts were predicting a worse year for oil and gas cybersecurity. More than half of the 1,726 cybersecurity professionals employed at power companies said their companies suffered at least one shutdown or lost operational data at least once per year because of cybersecurity incidents, according to a joint Siemens and Ponemon Institute report published in October 2019. One-quarter of respondents said their companies were impacted by cyberattacks from nation-state affiliated hackers. Meanwhile, only 31% said they were ready to face a breach, 54% said they expected an attack on their infrastructure in the following year, and 56% said a lack of skilled personnel made it difficult to keep operational technology secure.

That data supports findings by industrial cybersecurity company Dragos, which revealed at least five hacker groups were specifically targeting oil and gas companies in an August 2019 report. (At the time of the report, nine groups in total were focusing on the energy industry.)

Joe Slowik, a principal adversary hunter at Dragos, says ransomware is less attractive now because companies just don't have the ability to pay the way they did a few months ago. But getting access to corporate networks never gets old, he says.

"Because of the unique nature of the industry, irrespective of the financial motive, it's going to be an intelligence target of interest and could wind up disrupting them in catastrophic ways. Just because money went away doesn't mean attacks will be," Slowik says. "With companies hurting as badly as they are and employees working from home and security budgets getting cut, it would be a good time to attack.”

An organization's ability to withstand these attacks depends on how resilient its cybersecurity posture was before the shutdown, and may further be dependent on how many members of its cybersecurity and IT operations teams it can retain through likely organizational upheaval, says Jeremy Kennelly, an analysis manager at Mandiant Threat Intelligence who worked in the oil and gas business for more than six years. Many of the security challenges faced by oil and gas companies are at least partially caused by the complexity of the organizations themselves, and oil and gas companies may need a better understanding of who their contractors and subcontractors are in order to better protect their networks from hackers, he says.

"There are potentially hundreds or thousands of sites and contractors at each one accessing networks," Kennelly says. "But you may not even know who all of your workforce is. How do you educate people that you don't even know? It could take 30 minutes just to find a subcontractor's name, let alone an email address or phone number."

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "5 Ways to Prove Security's Worth in the Age of COVID-19"

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/30/2020 | 12:41:46 PM
I would posit that due to COVID19 that there are many industries getting hammered by new types of phishing campaigns.

It would be great to see a graph that depicts the data of phishing campaigns per quarter so we could map them against 2019 to see the discrepancy of malicious attempts during a year of a pandemic versus a year without one.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-04
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
PUBLISHED: 2020-06-04
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
PUBLISHED: 2020-06-04
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
PUBLISHED: 2020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request ...
PUBLISHED: 2020-06-04
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console� that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the applicat...