Two ways to inflate the price of oil, or Attacks on oil and gas as a means of influencing stock indices

In 2019, the attack on Saudi Aramco facilities, which took roughly 5% of the world's oil supply offline, showed how a physical strike on a single company moves the whole market. This post looks at how cyberattacks on the sector could be used to the same end, drawing on the Trend Micro report «Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry».


The production chain of an oil and gas company spans many processes, from exploring new fields to selling the gasoline that goes into a car's tank and the gas that city dwellers cook with. All of these processes fall into three parts:

  • exploration and production;
  • transportation and storage;
  • refining and sales.

A typical oil company operates production facilities that extract oil from wells, tank farms for temporary storage of the crude, and a transportation system that delivers it to refineries. Depending on where the well is located, transportation may be by pipeline, rail or tanker.

After processing at the refinery, finished products are accumulated in the tank farms of enterprises and then shipped to consumers.

A typical gas production company is structured similarly, but its infrastructure also includes compressor stations that compress the produced gas for transportation to a separator unit, which in turn separates gas into various hydrocarbon components.

The most important task across the entire production chain is to monitor and control everything that matters to safety, productivity and quality. Since wells are often located in remote areas with extreme weather, equipment at a site is controlled remotely: valves, pumps, hydraulics and pneumatics, emergency shutdown and fire suppression systems.

Availability is the overriding requirement for such systems, and the monitoring and control data is often transmitted in the clear without any integrity checks. This gives an attacker plenty of room to send commands to actuators, spoof sensor readings, and even halt a well or an entire refinery.
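As an added example (not code from the report or the article), the following Python shows why cleartext control traffic is so easy to abuse and what the wrapper recommended later in this post buys you. The first half builds and parses a Modbus/TCP "Write Single Register" request exactly as it appears on the wire: nothing in the frame identifies the sender, so a forged frame is indistinguishable from a legitimate one. The second half is a hypothetical integrity layer (shared key, sequence number, HMAC-SHA256) of the kind a secure gateway or bump-in-the-wire device could enforce in front of the PLC; the register address, setpoint values and key are assumptions.

```python
"""Cleartext Modbus/TCP write request vs. an HMAC-protected wrapper.
Added example; register address, values and key are hypothetical."""
import hashlib
import hmac
import struct

# --- 1. What a cleartext control command looks like on the wire ---------------

def build_write_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    """Encode a Modbus/TCP 'Write Single Register' request (function code 0x06).

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length of what follows (2), unit id (1). PDU: function code (1),
    register address (2), value (2). No field identifies or authenticates
    the sender, so anyone who can reach TCP/502 can produce a valid frame.
    """
    pdu = struct.pack(">BHH", 0x06, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_write_register(frame: bytes) -> dict:
    """Decode a frame the way a PLC does: every field is trusted as-is."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    func, address, value = struct.unpack(">BHH", frame[7:12])
    if func != 0x06:
        raise ValueError("not a Write Single Register request")
    return {"transaction_id": tid, "unit_id": unit, "address": address, "value": value}


# --- 2. Integrity and replay protection in front of the PLC -------------------
# Hypothetical design: one shared key per link, a 64-bit sequence number and an
# HMAC-SHA256 tag over sequence||frame. The gateway strips the wrapper and
# forwards only the plain frame to the PLC.

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(key: bytes, seq: int, frame: bytes) -> bytes:
    """Prefix the sequence number and append the tag."""
    body = struct.pack(">Q", seq) + frame
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify(key: bytes, last_seq: int, message: bytes) -> tuple:
    """Return (seq, frame) if the tag is valid and seq moves forward; raise otherwise."""
    if len(message) < 8 + TAG_LEN:
        raise ValueError("message too short")
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad tag: frame forged or altered in transit")
    seq = struct.unpack(">Q", body[:8])[0]
    if seq <= last_seq:
        raise ValueError("replayed or out-of-order frame")
    return seq, body[8:]


def is_accepted(key: bytes, last_seq: int, message: bytes) -> bool:
    """Would the gateway forward this message to the PLC?"""
    try:
        verify(key, last_seq, message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = bytes(range(32))                              # hypothetical shared key
    legit = build_write_register(1, 1, 0x0010, 1200)    # hypothetical pump setpoint
    forged = build_write_register(1, 1, 0x0010, 0)      # attacker drives it to zero
    print("PLC accepts forged cleartext frame:", parse_write_register(forged))

    msg = protect(key, 1, legit)
    tampered = bytearray(msg)
    tampered[8 + 11] ^= 0x01                            # flip the low byte of the value
    print("tampered frame accepted:", is_accepted(key, 0, bytes(tampered)))
    print("replayed frame accepted:", is_accepted(key, 1, msg))
```

The wrapper is deliberately minimal: it gives integrity and replay protection but no confidentiality, and a real deployment would also need key distribution and a way to resynchronise sequence numbers after a gateway restart. The point it makes is that the PLC-side parser has nothing to reject a forged frame with, while the gateway does.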

The variety of infrastructure components of oil and gas companies creates virtually inexhaustible opportunities for attacks. Consider the most dangerous of them.

Infrastructure sabotage


Having penetrated the enterprise network through a phishing email or an exposed vulnerability, attackers can take actions that damage or even halt any production site:

  • modify the settings of the automated control system;
  • delete or block data without which the company cannot operate;
  • spoof sensor readings to trip or damage equipment.

Such attacks can be carried out either by hand or with malware similar to the Shamoon / Disttrack wiper, which hit several oil and gas companies in 2012. The largest of them was Saudi Aramco, already mentioned above: more than 30 thousand computers and servers were knocked out, and recovery took 10 days.

The Shamoon attack on Saudi Aramco was organized by hacktivists of the previously unknown Cutting Sword of Justice to punish the company for “atrocities in Syria, Bahrain, Yemen, Lebanon and Egypt.”

In December 2018, Shamoon hit the Italian oil services company Saipem, wiping around 300 servers and about 100 computers in the Middle East, India, Scotland and Italy. In the same month, a malware infection of Petrofac's infrastructure became known.

Insider threats


Unlike an external attacker, an insider does not need to spend months studying the layout of the company's internal network: they already know where the valuable data lives and which controls stand in the way. With that knowledge, an insider can do far more damage to the business than any outside attacker.

For example, an insider may:

  • modify data to disrupt operations or to open unauthorized access to it;
  • delete or encrypt data on corporate servers, in shared project folders, or anywhere else they can reach;
  • steal the company's intellectual property and hand it to competitors;
  • leak confidential corporate documents by passing them to third parties or even publishing them on the Internet.

DNS hijacking


This type of attack is used by the most advanced groups. Having gained control over a company's domain records, an attacker can, for example, point the corporate mail or web server name at an address under their control. The result can be theft of corporate credentials, interception of e-mail, and "watering hole" attacks, in which malware is installed on the computers of visitors to the fraudulent site.

To hijack DNS, attackers may target the domain registrar rather than the domain owner. Having compromised credentials for the registrar's domain management system, they can make any change to any domain the registrar manages.

For example, by replacing a domain's legitimate nameservers with their own, they can redirect the company's employees and customers to phishing resources simply by answering queries with their own address instead of the genuine one. The danger of such a hijack is that a convincing fake can feed the attackers the credentials of network users and the contents of corporate correspondence for a long time without raising suspicion.

There have even been cases where, on top of DNS, attackers obtained valid SSL/TLS certificates for the hijacked company domains (domain validation succeeds when you control the zone), which allowed them to terminate and decrypt VPN and mail traffic passing through their servers.

Attacks on webmail and corporate VPN servers


Webmail and a secured connection to the corporate network over VPN are useful tools for employees working remotely. However, these services expand the attack surface and give attackers additional ways in.

Having broken into a webmail host, criminals can read correspondence and insert themselves into it to steal confidential information, use what they learn from the messages for BEC attacks, or deliver malware to sabotage the infrastructure.

Attacks on corporate VPN servers are no less dangerous. In December 2019, cybercriminals mass-exploited CVE-2019-11510, a pre-authentication arbitrary file read in Pulse Connect Secure and Pulse Policy Secure that exposes stored credentials. Through it they got into the infrastructure of companies running vulnerable VPN services and stole credentials giving access to financial information; attempts were then made to withdraw tens of millions of dollars from the victims' accounts.

Data leaks


Confidential company documents end up publicly accessible for various reasons. Many leaks are accidental, caused by misconfigured information systems or by poor security awareness among the employees who handle the documents.

Examples:

  • Storage of documents in a public folder on a web server;
  • Storage of documents on a public file server without proper access control;
  • Backing up files to a public insecure server;
  • Exposing a database containing confidential information to the internet.

No special tools are needed to find leaked documents; what Google offers is quite enough. Searching for sensitive documents and vulnerabilities with Google search operators, known as dorking, turns up confidential company documents that, for one reason or another, have ended up in the search index.

Figure: an oil company's confidential document found through Google Dorks. Source: Trend Micro

The problem with leaked documents is that they often contain information that competitors can use against the company entirely legally, that can undermine long-term projects, or that simply creates reputational risk.

A laboratory report belonging to an oil company, which we found publicly accessible, gives the exact location of an oil slick and names the vessel responsible for the pollution. Such information is obviously confidential, and the company can hardly have wanted it to be public.

Recommendations for oil and gas companies


Given the complexity of the IT landscape of the oil and gas industry, there is no way to provide absolute protection against cyber threats, but the number of successful attacks can be significantly reduced. To do this, you must:

  1. encrypt and authenticate the traffic between sensors and control systems - although at first glance this may seem unnecessary, it reduces the risk of man-in-the-middle attacks and rules out substitution of commands or sensor readings;
  2. deploy DNSSEC and monitor the company's DNS records for unauthorized changes;
  3. protect access to DNS management at the registrar, since attackers go after the registrar account rather than the domain owner;
  4. monitor SSL/TLS certificates issued for the company's domains: a certificate whose Common Name matches a corporate domain but was not requested by the company is a sign of compromise;
  5. regularly check with Google Dorks whether confidential company documents have ended up in the search index, and have any that have removed.
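Recommendations 2 through 4 boil down to two checks that can be automated, and the Python below is an added example of both (it is not code from the report or the article). The first compares a fresh DNS lookup of the company's zone against a known-good baseline, listing nameserver changes first because a swapped NS set lets the attacker rewrite every other record. The second scans certificate transparency entries for certificates that cover a corporate domain but that the company never requested or that come from a CA it does not use. Every domain, address, issuer and serial number here is constructed for illustration; in production the observed records would come from live resolver queries and the entries from a CT log monitor. DNSSEC validation itself is not modelled.

```python
"""Offline checks for registrar-level DNS hijacking and rogue certificate issuance.
Added example; all names, addresses, issuers and serials are constructed."""
from typing import Dict, List, Set

Records = Dict[str, Dict[str, Set[str]]]   # rtype -> owner name -> set of values

# Baseline captured while the zone was known-good (constructed).
BASELINE: Records = {
    "NS": {"example-oil.com": {"ns1.registrar.example", "ns2.registrar.example"}},
    "A": {"mail.example-oil.com": {"203.0.113.10"}, "vpn.example-oil.com": {"203.0.113.20"}},
    "MX": {"example-oil.com": {"mail.example-oil.com"}},
}


def diff_dns(baseline: Records, observed: Records) -> List[str]:
    """Report every baseline record whose observed value set differs."""
    findings = []
    for rtype in ("NS", "A", "MX"):            # NS first: it controls the rest
        for name, expected in baseline.get(rtype, {}).items():
            seen = observed.get(rtype, {}).get(name, set())
            if seen != expected:
                findings.append(f"{rtype} {name}: expected {sorted(expected)}, observed {sorted(seen)}")
    return findings


CORPORATE_DOMAINS = {"example-oil.com"}
APPROVED_ISSUERS = {"Example Corporate CA"}    # CAs the company actually buys from (constructed)
KNOWN_SERIALS = {"04:A1:77"}                    # certificates the company itself requested (constructed)


def covers_corporate_domain(name: str) -> bool:
    """True if a CN/SAN (including a wildcard) falls under a corporate domain."""
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    return any(name == d or name.endswith("." + d) for d in CORPORATE_DOMAINS)


def rogue_certificates(ct_entries: List[dict]) -> List[dict]:
    """Flag CT entries covering a corporate name that are unknown to the company
    or issued by a CA it does not use. Entries for unrelated domains are ignored."""
    flagged = []
    for cert in ct_entries:
        names = [cert["cn"], *cert.get("sans", [])]
        if not any(covers_corporate_domain(n) for n in names):
            continue
        if cert["serial"] not in KNOWN_SERIALS or cert["issuer"] not in APPROVED_ISSUERS:
            flagged.append(cert)
    return flagged


if __name__ == "__main__":
    # Constructed snapshot after a registrar account compromise: the zone now
    # delegates to attacker nameservers and the VPN host resolves elsewhere.
    observed = {
        "NS": {"example-oil.com": {"ns1.attacker.example", "ns2.attacker.example"}},
        "A": {"mail.example-oil.com": {"203.0.113.10"}, "vpn.example-oil.com": {"198.51.100.7"}},
        "MX": {"example-oil.com": {"mail.example-oil.com"}},
    }
    for line in diff_dns(BASELINE, observed):
        print("DNS:", line)

    ct = [
        {"cn": "vpn.example-oil.com", "sans": [], "issuer": "Example Corporate CA", "serial": "04:A1:77"},
        {"cn": "mail.example-oil.com", "sans": ["vpn.example-oil.com"], "issuer": "Free CA", "serial": "9F:00:12"},
        {"cn": "shop.example.net", "sans": [], "issuer": "Free CA", "serial": "11:22:33"},
    ]
    for cert in rogue_certificates(ct):
        print("CERT:", cert["cn"], "issued by", cert["issuer"], "serial", cert["serial"])
```

Run both checks from a host outside the corporate resolver path, and query several independent resolvers plus the authoritative servers, since a hijack that is only visible to outside users is exactly the case the post describes.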


Cyberattacks on the oil and gas sector can be used to move stock and commodity prices just as attacks in the physical world are, which means that unscrupulous market speculators could hire cybercriminals to inflate the price of oil and gas and pocket the difference.

Such attacks may prove far more effective than other tools, such as stealing funds from a company's accounts by compromising business correspondence, because it is almost impossible to prove a link between a cyberattack and the profit from selling futures bought before the price rose.

With these factors in mind, organizing cybersecurity is becoming a critical task to ensure the stability of both the oil and gas sector and the global hydrocarbon market.
