Protecting the Oil and Gas Industry from Email Threats



PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 1



Abstract: Given the oil and gas industry’s critical nature, valuable intellectual property and high-value transactions, the threat of cyber-attacks is very real. It is vitally important that the industry better protect its organizations from modern email threats by implementing advanced email management and threat protection technologies. The investment required for preventative measures is dwarfed by the cost of a security breach.

According to a recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy sector, including oil and gas, is facing a significant rise in cyber attacks (Galea, 2015). There are a number of reasons this industry is an ideal target: oil and gas pipelines are part of a country’s critical infrastructure, which makes them a target for those seeking to disrupt critical services for political or military motives; the industry is highly competitive, with both private enterprises and states pursuing aggressive market-share tactics, often with global implications; and its intellectual property is highly valued, making it an attractive target for cyber-espionage. Finally, the sheer value of the industry’s commodities makes it an especially lucrative target. With producer and broker transactions running into the millions, one carefully crafted attack can produce a payout that supports an attacker’s operations for months, or even years.

Spear phishing attacks are socially engineered emails that try to trick employees into triggering network breaches, authorizing fraudulent wire transfers, or even unwittingly aiding corporate espionage. Regardless of motivation, the high volume of business communication conducted over email in this industry gives attackers a wide window of opportunity to harvest sensitive information through spear phishing, including log-in credentials, reserve records, order forms, broker correspondence, and other documents that can later be used to defraud unsuspecting industry professionals.


This white paper describes spear phishing attacks that have occurred in various sectors of oil and gas, along with recommendations on how the industry can strengthen its cyber security and, specifically, adopt new preventative measures against these and other email-borne threats.

1. Government Warnings: Critical Infrastructure Disruption

Politically motivated hacker groups sometimes target state-owned facilities by breaching a point within the supply chain in order to hinder a nation’s ability to obtain, transport, and store energy resources. Other groups use phishing attacks to gain access to privileged information and pose as corporate decision makers in order to mislead, discredit, or damage a nation’s oil and gas industry. A data breach at any point in an energy supply chain, or within a government organization, can cause severe damage to infrastructure, put public safety in jeopardy, or even sway the balance of international negotiations.

For instance, a 2014 report claimed that a 2008 explosion on a Turkish pipeline was caused by attackers who injected malware into the control system through the pipeline’s wireless network. The pipeline was thought to be one of the most secure in the world, yet the attackers were reportedly able to damage it by injecting malware (Brocklehurst, 2015). That attribution has since been disputed, and the malware in this account was not delivered via email, but the case still provides a stark warning about the physical damage a cyber-attack could inflict.

United States

In April 2012, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a statement in its monthly report regarding its investigation of a year-long campaign attempting to infiltrate multiple natural gas pipeline operators. ICS-CERT analysis found that the malware and artifacts associated with these intrusions were tied to a single spear phishing campaign from a single source or group, which had been attempting to disrupt the control systems of the pipelines (ICS-CERT, 2012). Approximately 200,000 miles of natural gas pipelines carry over 25 percent of the nation’s energy supply, so threats to this infrastructure are taken very seriously by the federal government.

Norway

In August 2014, Norway’s National Security Authority (Nasjonal Sikkerhetsmyndighet, NSM) stated that 250 oil-sector organizations may have been breached by hacker groups, and that 50 of them had confirmed data breaches. The attacks were reported to resemble a wave of targeted spear phishing attacks in 2011 (Leyden, 2014). Asked to comment on the largest breach in Norwegian history, NSM Director Kjetil Nilsen told a local publication that, “The ability to attack [networks] is increasing and there is great interest for our data”. The main source and method of the 2014 attacks remain unclear, but this type of attack had hit Norwegian oil companies before: in 2011, hacker groups used spear phishing emails to obtain industrial drawings, contracts, and log-in credentials (Leyden, 2014).

2. Laziok Trojan: Corporate Espionage

Corporations in highly competitive industries may have incentives to obtain sensitive trade information about their competitors in order to gain a strategic advantage. In March 2015, Symantec reported that attackers had been targeting energy industry workers with malicious spear phishing emails. The campaign primarily targeted OPEC members, specifically the UAE, Kuwait, and Saudi Arabia, but also affected the United States, the UK, and Uganda. The choice of targets and the method of attack led Symantec to conclude that industrial espionage was the motive, stating that “whoever is behind these attacks may have a strategic interest in the affairs of the companies affected” (Hacket, 2015). The Trojan used in the attack, Trojan.Laziok, masqueraded as an Excel spreadsheet in order to deliver a reconnaissance payload designed to collect and report device data. Once installed, the malware stole system configuration data and sent it back to its operators. That configuration data told the attackers whether the infected device was a valuable target; if so, they pushed additional malware to it in order to extract more information. In this case, Laziok was followed by Backdoor.Cyberat and Trojan.Zbot.

Once Laziok had infected a system, inspected it, and transmitted its data, it opened additional backdoors on the system for use in future intrusions. To repair the damage, administrators would have to find and close each backdoor in order to limit future exploitation (Hacket, 2015).

3. The Phantom Menace: Fraud

Targeted attacks impacting oil and gas organizations usually focus on the big-ticket transactions inherent to the industry, and seek to profit by deceiving victims into sending large deposits for oil orders. Panda Security, a Spanish security software company, investigated a targeted attack that used a fake PDF attachment containing compressed files, encryption instructions, and files designed to modify the registry of the device each time the system restarted (Corrons, 2015). The file, later referred to as the Phantom Menace, was a self-extracting executable capable of bypassing the latest malware behavior filters and leaking sensitive personnel information and corporate resources in a text file back to the original sender. This attack was especially troubling because it removed traces of its actions from the registry, allowing it to do its damage and leave little to no evidence. With the sensitive information and resources in hand, the attackers were easily able to pose as legitimate oil producers offering extremely competitive prices, prices that seemed especially attractive given Saudi Arabia’s dominance of the market at that time. The Phantom Menace operators used the stolen order forms and business insights to craft the illusion that they were, in fact, a legitimate oil producer. Oil brokers were then prompted to pay an “advance fee” in order to finalize their crude and refined product orders. Once the advance fee or deposit was sent, neither the oil nor the contact at the supposed producer could ever be found again.

Even if oil brokers, producers, and distributors use antivirus, anti-malware, and the necessary endpoint protections, they remain vulnerable to socially engineered attacks via email. The human act of receiving and opening a seemingly harmless email can leave an entire organization’s resources and strategies open to prying eyes. Panda Security’s advice to those in the oil and gas industry:

“It is important to understand that our defense systems must adapt to the level of attack received, and so it is necessary to implement new protection strategies that give organizations total control and visibility over their networks.”

What most concerned the antivirus research community and Panda Security was not only that the Phantom Menace avoided detection, but that it extracted all the information it needed without using any file that antivirus engines classified as malware. The only point of prevention hinged on the user’s ability to somehow recognize that the senders were impostors, and few security solutions comprehensively protect against a socially engineered attack of this kind.
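The impostor-supplier pattern above leaves traces in the message headers even when no malware is involved. The following is an added example, not Panda Security’s or OPSWAT’s code: it inspects a constructed message for three signs of a sender posing as a known trading partner (a Reply-To that diverts replies away from the From domain, a display name that borrows a partner’s brand while the address domain is not that partner’s, and a sender domain that is a near-miss of a verified partner domain). The partner domain list, the similarity threshold and both sample messages are assumptions constructed for the example.

```python
"""Header checks for a sender posing as a known trading partner (added example)."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organization has verified out of band.
KNOWN_PARTNER_DOMAINS = {"northsea-crude.example", "gulfrefining.example"}
LOOKALIKE_THRESHOLD = 0.85  # similarity ratio above which a domain is a near-miss

# Constructed sample: the fraudulent offer; replies go to a free-mail account.
FRAUD_MESSAGE = """\
From: "Northsea Crude Trading Desk" <offers@northseacrude.example>
Reply-To: northsea.offers@freemail.example
To: broker@tradinghouse.example
Subject: Bonny Light cargo - advance fee required to confirm allocation

Remit the 2% advance fee today to lock in the allocation.
"""

# Constructed sample: a genuine message from the verified partner.
LEGIT_MESSAGE = """\
From: "Northsea Crude Trading Desk" <offers@northsea-crude.example>
To: broker@tradinghouse.example
Subject: Q3 allocation schedule

Schedule attached as discussed on the call.
"""


def _domain(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _brand_tokens(domain):
    """'northsea-crude.example' -> {'northsea', 'crude'}: words of the first label."""
    label = domain.split(".")[0].replace("-", " ").replace("_", " ")
    return {t for t in label.split() if len(t) >= 4}


def closest_partner(domain):
    """Return (partner, ratio) for the verified partner domain most similar to `domain`."""
    scored = [(difflib.SequenceMatcher(None, domain, p).ratio(), p)
              for p in sorted(KNOWN_PARTNER_DOMAINS)]
    ratio, partner = max(scored)
    return partner, ratio


def analyze_headers(raw):
    """Parse the sender fields and return a list of impersonation findings."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings = []
    # Replies diverted to a different domain than the one the mail claims to come from.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply_to_diverts_from_sender_domain")
    # Only unverified sender domains are checked for brand borrowing and lookalikes.
    if from_dom not in KNOWN_PARTNER_DOMAINS:
        name_tokens = set(from_name.lower().split())
        if any(name_tokens & _brand_tokens(p) for p in KNOWN_PARTNER_DOMAINS):
            findings.append("display_name_claims_partner")
        partner, ratio = closest_partner(from_dom)
        if ratio >= LOOKALIKE_THRESHOLD:
            findings.append("lookalike_of:" + partner)
    return {"from": from_addr, "reply_to": reply_addr,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, analyze_headers(raw))
```

These checks are heuristics for a mail gateway or a mailbox rule, not proof of fraud: a legitimate partner that changes domain or routes replies through a ticketing system will trip them, so a hit should route the message to a reviewer rather than silently drop it. The verified-partner list is the control that makes the checks useful; without an out-of-band list of real supplier domains there is nothing to compare against.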


Email Protection Solutions

Phishing attacks against oil and gas can have various motives, from committing espionage and fraud to causing critical infrastructure and supply chain disruptions. Though there is no single silver-bullet solution that secures an organization’s network against all of these motives, protecting the organization from targeted attacks is not impossible, and it does not have to cost a fortune.

Investing in an advanced security architecture now may save a corporation from targeted attacks in the future. Since the risks of not investing include losses in revenue, market share, and reputation, the cost of recovery far outweighs the initial investment in preventative measures.

To combat the growing challenge of orchestrated email scams, oil and gas professionals should look for email security systems that use advanced threat detection and prevention and are equipped to detect spear phishing. Traditional email security products are typically not designed to detect and block spear phishing attacks, and most spam filtering products rely on prior detection and block lists in order to flag an email as spam. Many spear phishing attacks also make use of previously unknown threats or zero-day vulnerabilities that not every anti-malware engine will detect. Organizations can improve their email threat protection by taking the following precautions:

Use Multiple Anti-malware Engines: Multi-scanning leverages the different detection algorithms and heuristics of multiple engines, increasing detection of both known and unknown threats and protecting against attacks designed to evade one particular antivirus engine. In addition, since anti-malware vendors add signatures for new threats at different times, using multiple scan engines helps detect new outbreaks much faster. Multi-scanning differs from simply installing several antivirus products side by side: a multi-scanning platform runs the engines in one coordinated pipeline, so the scans execute in parallel and conflicts between engines are avoided.

Sanitize Email Attachments: Many spear phishing emails carry malicious Word or PDF attachments, so it is highly recommended to sanitize incoming attachments, rebuilding them without active content such as macros, scripts, and embedded objects, in order to remove embedded threats that antivirus engines may miss.

Set Attachment Limits: Blocking potentially dangerous attachment types such as .exe files and scripts makes it harder for malware to spread. It is also important to verify the attachment’s true file type from its content rather than its name, so that .exe files renamed as .txt files do not pass the company’s filters.

Enforce an Email Content Policy: With user-based email content policies, such as keyword and attachment filtering, organizations can help ensure that no confidential content or intellectual property leaves the company through email.

Implement a Secure File Transfer Server: A secure file transfer (SFT) server allows an organization to send and receive large or confidential files with trackable, prompt, and secure delivery. Encrypting files and requiring user authentication greatly reduces the risk that potentially valuable information is intercepted.

Utilize Advanced Threat Detection and Prevention: Ultimately, organizations need to make sure their email security system is backed by powerful anti-malware engines, as the performance of the email security program will hinge on the engines’ ability to detect, prevent, sanitize, or quarantine a suspicious email or attachment.

Scan Running Processes on Endpoints: If email-borne threats have already entered the network, scanning running processes and DLLs on both in-network and remote endpoints helps to identify malware before it spreads.
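The attachment precautions above (block dangerous types, verify the true file type, strip active content) can be enforced at the gateway before any engine scan runs. The following is an added example, not OPSWAT’s or Policy Patrol’s code: it parses a constructed multipart message and applies a block list of dangerous extensions (including double extensions such as invoice.pdf.exe), a true-file-type check that compares the declared name against the file’s leading magic bytes so a renamed .exe does not pass as .txt, and a check for a VBA macro project hidden inside an Office Open XML container. The block list, the magic-byte table and all four sample attachments are assumptions constructed for the example; engine scanning and sanitization themselves are out of scope here.

```python
"""Structural attachment checks for an inbound message (added example)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions this organization never accepts by email.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                      "vbs", "vbe", "wsf", "hta", "ps1", "msi", "jar"}

# Leading bytes and the extensions that may legitimately carry them (assumption).
MAGIC_TABLE = [
    (b"MZ", {"exe", "dll", "scr", "pif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "docm", "xlsm", "pptm", "jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msi"}),
]
KNOWN_TYPED_EXTENSIONS = set().union(*(exts for _, exts in MAGIC_TABLE))


def declared_extensions(filename):
    """'Invoice.PDF.exe' -> ['pdf', 'exe']: every part after the first dot."""
    return (filename or "").lower().split(".")[1:]


def detect_type(data):
    """Extension set implied by the magic bytes, or None if the type is unknown."""
    for magic, exts in MAGIC_TABLE:
        if data.startswith(magic):
            return exts
    return None


def has_vba_macro(data):
    """True if a zip-based Office file carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def check_attachment(filename, data):
    """Return the policy findings for one attachment (empty list means clean)."""
    findings = []
    exts = declared_extensions(filename)
    blocked = [e for e in exts if e in BLOCKED_EXTENSIONS]
    if blocked:  # any blocked extension, so 'invoice.pdf.exe' is caught
        findings.append("blocked_extension:" + ",".join(blocked))
    declared = exts[-1] if exts else ""
    detected = detect_type(data)
    if detected is not None and declared not in detected:
        findings.append("type_mismatch:declared=%s,detected=%s"
                        % (declared or "none", "|".join(sorted(detected))))
    elif detected is None and declared in KNOWN_TYPED_EXTENSIONS:
        findings.append("declared_type_not_confirmed:" + declared)  # e.g. a 'pdf' with no %PDF header
    if data.startswith(b"PK\x03\x04") and has_vba_macro(data):
        findings.append("office_macro_present")
    return findings


def scan_message(raw):
    """Map each attachment name to its findings; block if any attachment is flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        results[name] = check_attachment(name, part.get_payload(decode=True) or b"")
    return {"attachments": results, "block": any(results.values())}


def _fake_docx(with_macro):
    """Constructed minimal OOXML container; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 macro storage")
    return buf.getvalue()


def build_sample_message():
    """Constructed message with one clean and three suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "offers@producer.example"
    msg["To"] = "broker@tradinghouse.example"
    msg["Subject"] = "Crude allocation documents"
    msg.set_content("Please review the attached documents.")
    mz_stub = b"MZ\x90\x00\x03\x00" + b"\x00" * 58
    samples = [
        ("terms.pdf", b"%PDF-1.4\n1 0 obj << >> endobj\n"),
        ("report.txt", mz_stub),                      # executable renamed to .txt
        ("invoice.pdf.exe", mz_stub),                 # double extension
        ("contract.docx", _fake_docx(with_macro=True)),  # macro project in a .docx
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message())["attachments"].items():
        print(name, findings or "clean")
```

Two design points matter in practice. The extension check looks at every dotted part of the name, not just the last one, because the sender controls the name and a mail client may hide the final extension. The magic-byte check is deliberately one-directional: an unknown header is not a finding by itself (plain text has none), but a name that claims a type with a known header and lacks it is, since that is exactly the shape of a renamed or deliberately malformed file.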


By incorporating these added layers of security into the organization’s email security infrastructure, those in the oil and gas industry can better protect themselves from targeted email attacks, and avoid losing millions to fraud or having to conduct costly image campaigns.

About OPSWAT

OPSWAT is a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and helps organizations protect against spear phishing and other email threats. OPSWAT’s intuitive applications and comprehensive development kits are deployed by SMB, enterprise, and OEM customers to more than 100 million endpoints worldwide.

Policy Patrol Security for Exchange protects an organization’s email traffic from known and unknown threats and provides organizations with advanced features for blocking spear phishing and unwanted emails, detecting and preventing viruses and other email-borne threats, as well as enforcing email content policy.

It offers effective spam and phishing protection, using technologies such as greylisting, anti-phishing block lists, DNSBL, Bayesian filtering, recipient verification and Sender Policy Framework (SPF) to block unwanted emails and detect spoofed emails.

Using Metascan®, Policy Patrol also allows organizations to quickly scan email attachments with multiple antivirus engines, detecting and blocking advanced malware threats in emails. By using antivirus engines from vendors like Symantec, ESET, McAfee, and many others, Metascan technology increases detection rates for all types of malware without the hassle of licensing and maintaining multiple antivirus engines. Engines integrated into Metascan are optimized to scan simultaneously for fast, high-performance scanning. In addition to malware scanning, Metascan can also perform email attachment file sanitization and file type checking, preventing zero-day and targeted attacks. Policy Patrol Security for Exchange includes Metascan with 1, 4, or 8 anti-malware engines, with the option to add more anti-malware engines.

OPSWAT Gears enables organizations to directly assess and manage the endpoint security posture of their devices through a unified view of mobile and PC endpoints and their applications and security issues. Administrators can take rapid action to remediate issues on non-compliant devices and improve endpoint security.

Additionally, Gears utilizes OPSWAT’s Metascan Online technology to scan running processes and DLLs on both in-network and remote devices with 40+ commercial anti-malware engines. This way Gears can help identify threats that were not detected by the installed antivirus software.

References

Brocklehurst, K. (2015, February 1). Cyberterrorists Attack on Critical Infrastructure Could Be Imminent. Retrieved September 23, 2015, from http://www.tripwire.com/state-of-security/security-data-protection/security-controls/cyberterrorists-attack-on-critical-infrastructure-could-be-imminent/

Galea, D. (2015, March 31). How the Energy Industry can Survive Targeted Attacks. Retrieved September 25, 2015, from https://www.opswat.com/blog/how-energy-industry-can-survive-targeted-attacks

Hundreds of Norwegian Energy Companies Hit by Cyberattacks. (2014, August 28). Retrieved September 1, 2015, from http://www.scmagazineuk.com/hundreds-of-norwegian-energy-companies-hit-by-cyber-attacks/article/368539/

ICS-CERT. Malware Infections in the Control Environment. (2012, December 10). Retrieved September 1, 2015, from https://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monthly_Monitor_Oct-Dec2012_2.pdf

Leyden, J. (2014, August 27). Major cyber-attack hits Norwegian oil industry. Retrieved September 1, 2015, from http://www.theregister.co.uk/2014/08/27/nowegian_oil_hack_campaign/

Corrons, L. (2015, May 19). Operation “Oil Tanker”: The Phantom Menace. Retrieved September 1, 2015, from http://www.pandasecurity.com/mediacenter/src/uploads/2015/05/oil-tanker-en.pdf


http://www.opswat.com

Disclaimer. © 2015. OPSWAT, Inc. (“OPSWAT”). All rights reserved. All product and company names herein may be trademarks of their respective owners.

The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. OPSWAT is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. Though reasonable effort has been made to ensure the accuracy of the data provided, OPSWAT makes no claim, promise or guarantee about the completeness, accuracy and adequacy of information and is not responsible for misprints, out-of-date information, or errors. OPSWAT makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document.

If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.