
Threat exploration: A snapshot of the cyber risks in GCC’s oil and gas sector

ITP.net delves into Dragos’ latest report on industrial control system cybersecurity to understand the different threats targeting ONG firms in the GCC

The Oil and Natural Gas (ONG) sector continues to be an attractive target for cybercriminals seeking to exploit industrial control system (ICS) environments. Last year, Colonial Pipeline, one of the largest oil pipeline operators in the United States, made headlines when it was hit by a ransomware attack. The breach impacted the company's digital systems, which were shut down for several days.

As Colonial Pipeline provides around 45 percent of fuel supply to the US East Coast, the attack resulted in unprecedented disruptions in the country. The hack was then deemed a national security threat, impacting consumers, airlines, and mass transportation.

This is only one example of how a successful cyber-attack could compromise critical infrastructure and services or cause widespread harm. Over the years, cybersecurity has emerged as a significant challenge for the commodities industries and markets, with increasingly sophisticated adversaries seeking to steal data and impede the flow of resources.

The ONG industry plays a vital role in the global economy, with many nations depending on it for their prosperity and growth. The member states of the Gulf Cooperation Council (GCC), some of the fastest-growing nations in the Middle East, including Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates (UAE), have become prime cyber-attack targets due to their oil-fuelled economies. Furthermore, the GCC has increasingly embraced digitalisation as its respective nations seek to modernise their societies and achieve economic diversity.

As the number of attacks against ICS increases, adversaries with a specific interest in oil and gas companies remain active and are evolving their tactics. Catastrophic cyber-attacks against ONG facilities can occur at any of the three major stages of operations: upstream, midstream, or downstream.

Vulnerabilities in ICS devices and services can be easily weaponised and pose significant risks that could reverberate across supply chains. This makes it pertinent for ONG asset owners and operators in the GCC to be aware of these threats. A loss of view or control over their operations may cause safety concerns and put operational environments and workers’ lives at risk.

Beware of new activity groups

ICS adversary groups that focus on ONG and the energy sector pose the most risk to the GCC regional ONG industry. Organisations in the region need to understand the behaviours and capabilities of the activity groups that target OT systems, as they can potentially pursue a broader range of targets to expand their access into additional OT/ICS environments. They actively and specifically target internet-exposed assets, remote access, and insecure vendor or third-party access, introducing severe risk to the operations environment.

Dragos, a global cybersecurity firm focused on ICS/operational technology (OT) environments, identified ten activity groups that GCC ONG firms need to be wary of. Firstly, there is Parisite, which targets utilities, aerospace, and ONG entities. Its geographic targets include the GCC along with North America and Europe. Parisite uses open-source tools to compromise infrastructure and leverages known virtual private network (VPN) vulnerabilities for initial access. Dragos intelligence revealed that Parisite is the initial access group that enables further operations for Magnallium.

Another group is Xenotime, behind the TRISIS attack that disrupted an ONG facility in Saudi Arabia in August of 2017. It interacts with Triconex safety controllers and represents an escalation of ICS attacks due to its potential catastrophic capabilities and consequences. In 2018, Xenotime also wreaked havoc in other markets, including North America, Asia Pacific, Europe, and Australia. In February 2020, Dragos learned of an incident at an ONG facility outside the GCC. While this overlapped with Xenotime, there was not enough data to attribute the incident to an activity group.

There is also Magnallium, a group which has targeted energy and aerospace entities since at least 2013, according to Dragos. Initially, the group targeted an aircraft holding company and ONG firms based in Saudi Arabia but soon expanded to attack entities in Europe and North America. Dragos found that Magnallium lacks an ICS-specific capability, and the group remains focused on initial IT intrusions.

Another is Chrysene, which emerged from an espionage campaign that first gained attention after the destructive Shamoon cyber-attack in 2012 that impacted Saudi Aramco. The activity group targets the petrochemical, ONG, and electric generation sectors. It has shifted its targets beyond its initial focus on the Gulf region, and it remains active and has evolved in more than one area.

Hexane targets ONG and telecommunications in the GCC, Africa, and Southwest Asia. Dragos identified this group in May of 2019. It drops malicious document files containing malware on victim machines, from which it can proceed to further its goals in the target network.

Moreover, there is Wassonite, which targets electric generation, nuclear energy, manufacturing, ONG, and research entities in the GCC, India, and likely South Korea and Japan. It relies on DTrack malware, credential capture tools, and system tools for lateral movement. Wassonite has operated since at least 2018.

Then there is Raspite, a group that aims at electric utilities in the US and government entities in the GCC. Dragos has identified additional victims in Saudi Arabia, Japan, and Western Europe but has not identified new Raspite activity since mid-2018.

Meanwhile, Dragos has also identified activity groups such as Dymalloy, Electrum and Allanite, which have notably targeted various ICS/OT environments but have not been observed in the GCC.

Rising vulnerabilities in ONG infrastructure

As of September 2021, Dragos researchers assessed and validated 3640 vulnerabilities impacting industrial equipment found in energy environments. According to Dragos’ findings, ransomware remains a preeminent threat to IT and OT environments. Between 2018 and 2021, the number of ransomware attacks on ICS entities increased by over 500 percent, according to Dragos research, with five percent of attacks impacting ONG entities. Such attacks can disrupt operations and lead to financial loss and reputational damage.

ONG companies also face risks such as intellectual property (IP) theft and insider threats. Stolen data and intellectual property give an adversary insight into how to impact or disrupt industrial operations. This could facilitate economic espionage and poses a strategic threat to the global economy and sector stability. Beyond IP theft, insider threats can also cause damaging consequences, including operational losses, environmental harm, reputational effects, and even physical destruction. Although this behaviour can be challenging to detect, there are several steps an organisation can take to prevent insider attacks, including ensuring robust network segmentation and enforcing proper restrictions on employee and contractor access.

Taking control: Navigating the evolving ICS threat landscape

Another risk is third-party and supply-chain compromise. Adversaries increasingly target industries using this method of attack because, according to Dragos, it is difficult to defend against. This attack vector preys upon the implicit trust between companies and their suppliers or supporting entities. To address this, organisations should adopt a 'zero trust' mentality towards vendors and supply-chain-managed devices that have direct access to OT environments, or that hold credentials to reach OT environments over RDP or VPN connections.

Organisations should also be on the lookout for indicators of compromise that could enable an adversary to gather intelligence to tailor a potential attack at a later stage. Utilising ICS-specific threat intelligence can inform and guide proactive decision-making and ensure defence-in-depth methodologies are implemented across IT and OT.

It is also essential to remember that while digital transformation is beneficial for innumerable reasons, it can also pose risks for organisations. This is because expanded connectivity across ICS increases the number of vulnerabilities and makes the IT environment a potential attack vector into the OT environment.

Lastly, ONG firms should also be wary of political and economic threats. Dragos does not attribute activity groups to individuals or states; however, it highlights the impacts and implications of state-associated operations against ICS entities, including GCC ONG firms.

Taking action

There are many ways for ICS operators to improve cyber defence and implement simple, effective controls and security measures to manage vulnerabilities and mitigate threats. Dragos recommends that ONG companies and other organisations using ICS take several steps to defend against these attacks, such as developing incident response plans, segmenting networks to prevent lateral movement, and collecting logs in ICS environments to improve visibility.

Ultimately, while there is no silver bullet against cyber-attacks, organisations can better defend their systems by taking a proactive approach and implementing precautionary measures to prevent breaches from succeeding in the first place.