Weeks before US oil contract prices went negative, a spear-phishing crew went after oil firms. What did they get?
Who wants to know about their biz plans? Someone determined
As American crude oil crashed on Monday, leading to the bizarre situation of a negative futures contract price, our attention was drawn to a spear-phishing campaign against organizations involved in global oil production.
The folks at Bitdefender today detailed a targeted espionage mission against oil and energy companies around the world. The phishing peaked on March 31, just before a planned OPEC meeting of oil-producing nations, many of which were targeted, we're told.
The lure itself appeared rather unremarkable: targets in various businesses were sent spear-phishing emails containing Windows spyware dubbed Agent Tesla disguised as an attached report or form. If opened, Agent Tesla would execute and use a Yandex mail server – smtp.yandex.com – to receive commands from its masters and reply with stolen data, presumably via email messages. These commands told the software nasty what to collect, such as password key-presses, clipboard contents, and so on, which were duly sent to whoever was behind the phishing campaign.
What is unique, in this case, is the very specific group of companies targeted, Bitdefender said. Certain key oil-producing organizations across the world were sent emails from seemingly one of their own: Egyptian oil and gas engineering firm Enppi.
"The impersonated engineering contractor (Enppi - Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others," the Bitdefender Labs team said.
A second, much smaller spear-phishing operation, impersonated a Philippines-based shipping company, targeted oil and gas companies in that country.
The who and where of those targets are key to understanding the seriousness of the attack and how it tied into current events. Each of the targeted companies are in countries that are major stakeholders in the global oil market.
Google: We've blocked 126 million COVID-19 phishing scams in the past weekREAD MORE
Following plummeting oil demand, and economic instability, amid the coronavirus pandemic, OPEC has cut production of the fossil fuel, forcing energy companies and their buyers and suppliers around the world to scramble and adapt. As supply outstrips demand, unwanted barrels of oil are piling up, forcing prices so low, some distributors are paying people to take them away.
This, it seems, is what the attackers are after; details on the strategies oil and energy companies are following to deal with the cuts.
"While the spear phishing attacks on oil and gas could be part of a business email compromise scam, the fact that it drops the Tesla Agent info-stealer suggests these campaigns could be more espionage focused," Bitdefender senior e-threat analyst Liviu Arsene told The Register.
"Threat actors that might have some stakes in oil and gas prices or developments may be responsible, especially when considering the niche targeted vertical and the ongoing oil crisis."
In other words, someone, possibly a private energy company, or a state-backed hacking group, or even a combination of the two, wants to keep tabs on how companies are dealing with the oil crisis so that they can react or even get ahead of the markets.
While the infrastructure, particularly the use of an ordinary Yandex server, could cause some speculation on the attackers being Russian, Arsene cautions not to read into the host too much, as it is fairly common for malware operators to use legit, busy services around the world to communicate.
"It's not uncommon for attackers to abuse legitimate services, such as email services or social networking platforms, for command and control," Arsene explained to El Reg.
"Communication between the victim and the attacker would go through a legitimate service, making it seem legitimate to security tools. Hackers also prefer locations where jurisdiction from law enforcement is difficult and needs an extended number of approvals to get to the server."
Admins are advised to make sure users are protected from the Agent Tesla trojan (as it has been around since 2014, most antivirus software should detect it) and, if applicable, Bitdefender has provided a list of file hashes to block and indicators of compromise in its above-linked report. ®