State-sponsored attacks pose new threats to oil and gas industry in Middle East


The oil and gas industry and its supply chain face increased risk from advanced persistent threat (APT) groups and state-sponsored attacks as they continue to build out digitally connected infrastructure.

While these attacks are not always sophisticated, they are often targeted and impact production, which can cause real-world damage.

As facility automation, connectivity between networks and the use of cloud services grow, oil and gas companies are becoming increasingly exposed to cyber threats.

“Industrial cybersecurity is not hopeless. We sometimes forget that in complex environments with appropriate security controls, the attacker is the one who has to get everything right,” said Bill Malik, vice-president of infrastructure strategies for Trend Micro.

Oil and gas companies typically run sprawling operations with sites in hard-to-reach locations. Remote monitoring for performance, quality control and safety is therefore essential, but with bandwidth limitations and the focus on availability, communications are often left unencrypted.

“Industrial control systems (ICS) manufacturers and integrators are beginning to understand the value of a comprehensive, layered approach to information security. As the IIoT (industrial internet of things) market consolidates, enterprises will have a clearer choice identifying superior, well-integrated and proven technology to protect their systems,” Malik said.

He added that certain threat actors deploy malware specifically crafted to destroy or sabotage servers, control systems or networks at production facilities.

Different versions of malware

Different versions of wiper malware have been used in attacks against the oil and gas industry.

The first was Stuxnet, known to have been developed by the US and Israel to sabotage Iran’s nuclear ambitions. The second was the Iranian malware known as Shamoon 1, which in 2012 reportedly destroyed thousands of computers at Saudi Aramco and Qatar’s RasGas. Shamoon 2 carried out similar attacks in 2016 and 2017, while Shamoon 3 launched a new wave of attacks against oil and gas plants in the Middle East in December 2018.

State-sponsored APT groups such as APT33, APT34, APT35 and APT39 are based in Iran; their victims span every sector and extend well beyond regional conflicts in the Middle East.

Security solutions provider FireEye has said that Russia and Iran are looking to conduct disruptive cyber-attacks on OT (operational technology) targets in the Middle East in a bid to disrupt industrial production. OT consists of machinery, asset monitoring systems and industrial control systems.

Malik said that the oil and gas industry should be wary of these threats.

Furthermore, he said that oil and gas companies have increasingly come under the scrutiny of advanced threat groups which usually attack military and defence organisations with geopolitical agendas.

Evan Kohlmann, Founder and Chief Innovation Officer at US-based business risk intelligence firm Flashpoint, said that hacktivists are selling access to SCADA, ICS (industrial control systems) and IoT systems from any country on the dark web, and that holders of these vulnerabilities can easily create serious critical infrastructure problems for a country.

Today, he said that industrial control infrastructure is seen as a big part of the growth of a country and has become a significant target for attackers.

Most of these systems are used in electricity infrastructure, water and wastewater systems, oil and natural gas, transportation, chemicals, pharmaceuticals, paper and pulp, food and dispersed products (cars, aerospace and durable goods).

Financially-motivated ransomware

Moreover, Malik said that the sector is also at risk from attacks designed to steal sensitive information and from financially motivated ransomware. “Espionage and data theft may be the starting point for more malicious actions. Reconnaissance is the first step of an attack—companies have to be wary and assume any signs of espionage are indicators of a more complex attack,” he said.

Trend Micro said that carefully planned and well-executed ransomware attacks can cost millions of dollars in damages and downtime, and that a wealth of tools and techniques is readily available to attackers on cybercriminal underground forums, including DNS hijacking, phishing of VPN and webmail services, zero-day exploits, web shells, mobile malware and more.

Defensive strategies to mitigate threats

  • Domain name security, such as two-factor authentication for changes to DNS settings
  • Data integrity checks
  • Implementing Domain Name System Security Extensions
  • SSL certificate monitoring
  • Two-factor authentication for webmail
  • Improved employee training
  • Comprehensive risk assessment of cloud services