Hackers are using old tactics while strengthening their arsenal of cyber-espionage tools, presenting a persistent threat to the oil and gas industry.

They are creating destructive code and putting it into legitimate software as well as referencing upcoming corporate functions in emails and utilizing other ways to gain access to SCADA devices, extract usernames and passwords, steal data and communicate with command and control services, according to a cybersecurity expert speaking on the topic during an SPE webinar this week.

“Business creates value, which attracts threat. The reason why we are getting attacked cyber wise and every other way is because we are involved in business that creates value,” Betsy Woudenberg, CEO of Intelligence Arts, said of the energy industry. “Value attracts people that want to take that value, and that is where a threat comes from. … We have adversaries looking for an advantage in energy markets, looking for new energy technology and looking for SCADA to execute new technology.”

Among the examples described were Chinese attacks against Marathon Oil, Exxon Mobil and ConocoPhillips in 2008, in which oil and gas exploration and auction data were taken; the Shady RAT attack, with about 70 global targets from 2006 to 2011, in which similar data as well as negotiation plans, SCADA configurations, designs and schematics were swiped; and the Night Dragon attack aimed at global energy companies in Greece, Kazakhstan, Taiwan and the U.S. from late December to early 2011, among others.

Using the cyberattacks on Marathon, Exxon Mobil and ConocoPhillips as examples, she looked at what was happening at that time in China. The country was purchasing LNG on the open market for the first time as it moved away from coal-fired electricity plants to more LNG plants.

“While the attack was going on, China was working with ConocoPhillips, was politically irritated with Exxon over some Vietnamese deals and was trying to buy some Angolan property from Marathon. Those, to me, are motivating factors for why they would be interested in hacking these companies,” Woudenberg said.

She later added that China also was having problems with hydrate blockages on the West-East pipeline at the time of cyberattacks on a gas pipeline company and others.

“My theory is that this information was taken to help support China’s engineering of these pipelines,” she said, speaking to the value that cyber thieves crave.

“But it’s not just China,” she said adding that the Shamoon and Op Cleaver attacks out of Iran are believed to be politically motivated.

A team of Russian hackers with the code name Dragonfly (also known as Energetic Bear) is believed to be behind malware called Havex that was unleashed mainly in Europe and in the U.S. Initial thoughts were that the attack aimed to take down power infrastructure, but the target was actually biotechnology and pharmaceutical companies—with energy industry victims as collateral damage, she said.

Although the energy industry was not the target, Woudenberg said Havex is a big deal because the malware has SCADA-specific control system functionality built in, meaning it “identifies SCADA devices and software in the target’s network and sends the information to the Dragonfly team.” The code was embedded into legitimate software installers, followed by methods Woudenberg called “special sauce” that hunted for Windows computers that interacted with SCADA devices and burrowed into the SCADA network itself.

The hunting method involved running port scans to find computers likely to have proprietary information, making them good targets for industrial espionage. The other method, she explained, involved Havex malware burrowing into the open platform communications (OPC) servers and querying them to find out what data were available. This means that the people who built Havex knew what an OPC layer was, spent the time to figure out how to use it, made the special code to communicate with the OPC layers and valued that information to figure out a target, she said, adding, “That to me is a big deal about Havex.”
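A defender-side illustration of the two-stage hunting behaviour just described, added here as an example and not code from the webinar or from any Havex analysis: it reads constructed connection-log lines and flags a source that first fans out probes across an assumed control-system segment and then reaches the DCOM endpoint-mapper port (TCP 135) that OPC Classic servers rely on. The segment, the log format and the probe threshold are assumptions.

```python
"""Detect the two-stage hunting pattern described above in connection logs:
a workstation fanning out probes across the SCADA segment, then reaching the
DCOM/RPC endpoint mapper (TCP 135) that classic OPC DA servers sit behind.
Log lines, the 10.20.0.0/16 segment and the thresholds are constructed
assumptions for this example, not values from the article."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SCADA_NET = ip_network("10.20.0.0/16")  # assumed control-system segment
OPC_DCOM_PORT = 135                     # RPC endpoint mapper used by OPC Classic over DCOM
SCAN_THRESHOLD = 20                     # distinct (host, port) probes from one source

# Constructed sample log, one connection per line: "<ts> <src> <dst> <dport> <ALLOW|DENY>"
SAMPLE_LOG = "\n".join(
    [f"2014-07-01T08:00:{i:02d} 10.10.5.7 10.20.1.{1 + i % 5} {1000 + i} DENY" for i in range(24)]
    + ["2014-07-01T08:01:00 10.10.5.7 10.20.1.3 135 ALLOW",
       "2014-07-01T08:01:05 10.10.5.7 10.20.1.4 135 ALLOW",
       "2014-07-01T08:02:00 10.10.9.2 10.20.1.3 135 ALLOW",  # one legitimate OPC client
       "2014-07-01T08:02:30 10.10.9.2 10.20.1.3 502 ALLOW",
       "this line is malformed and must be skipped"])

def parse(log_text):
    """Yield (src, dst, dport) for each well-formed line; skip malformed ones."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield ip_address(parts[1]), ip_address(parts[2]), int(parts[3])
        except ValueError:
            continue

def find_scada_hunters(log_text, threshold=SCAN_THRESHOLD):
    """Map src -> {"probes": n, "opc_hosts": [...]} for sources that both fan out
    across the SCADA segment and then touch the OPC/DCOM port on hosts there."""
    probes, opc_hosts = defaultdict(set), defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dst not in SCADA_NET:          # only traffic into the control segment counts
            continue
        probes[src].add((dst, dport))
        if dport == OPC_DCOM_PORT:
            opc_hosts[src].add(dst)
    return {str(src): {"probes": len(p), "opc_hosts": sorted(map(str, opc_hosts[src]))}
            for src, p in probes.items() if len(p) >= threshold and opc_hosts[src]}

ALERTS = find_scada_hunters(SAMPLE_LOG)  # flags 10.10.5.7 only; 10.10.9.2 stays quiet
```

A single legitimate OPC client talking to one server never crosses the fan-out threshold, so only the combination of broad probing and subsequent OPC/DCOM contact raises an alert.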

But there are ways individuals and companies can work to protect themselves against cyberattacks.

Woudenberg suggests people make themselves a bad target for spear phishing—a tactic that uses an email that appears to be from a known source but really is not—by not making so much information public.

“Some of the most successful campaigns that we’ve seen have used internal company documents. They’ve referred to real-life events. They’ve referred to upcoming corporate events to get attention—very, very clever human social engineering,” she said. “What we can do, what we must do, is recognize how much information there is out there about us that they can use. … Reduce how much you broadcast about yourself and your interests.”

She added that individuals also can set boundaries concerning information such as “where you are, what you are doing and who you are talking to,” make conscious decisions about those boundaries and maintain them.

Businesses should support a healthy security culture in which everyone accepts personal responsibility, provides and accepts feedback, educates themselves and others, and speaks up when issues arise, Woudenberg continued.

“Think beyond your job and your company alone and look at your industry and the world itself,” she said before turning to the threat landscape. This includes criminals, vindictive insiders, ideological extremists, ethno-nationalist hackers, rogue corporations and nation-states.

“Within these six categories, there is a myriad of bad actors out there, each of which has their motivation and capabilities. You, your company and your industry fall into those motivations, and their capabilities determine whether they are actual threats to you. That is your threat landscape, and you need to learn what those are,” she said. “So as you move through your job in the world and you come into proximity with these guys, you are ready, more ready, to face what they are going to bring against you.”

Companies also should demand better security from vendors and others in the supply chain and learn from partners or competitors that have been hacked. She also suggested companies make better risk decisions.

“Company management is asked to think in terms of risk, but engineers are asked to think in terms of actions and consequences. … Both of those perspectives are needed to make these decisions, but all too often it’s leaning to the left to company management to make choices without being totally informed,” she said.

To contribute to those decisions, engineers should:

  • Recognize threats relevant to the company and industry;
  • Develop scenarios that illustrate the consequences of cyber and control system events;
  • Audit systems and processes to find vulnerabilities, including people, processes and systems, and quantify the costs and financial damages; and then
  • Become an expert to help management decide among trade-offs, she said in the presentation.

“Risk is a difficult thing to manage. What makes it better is better information,” she said.

Contact the author, Velda Addison, at vaddison@hartenergy.com.