File-Borne Attacks: Spearphishing Campaigns Target the Oil & Gas Industries

June 30, 2020

In recent months, there has been a significant uptick in malicious campaigns directed at companies within healthcare, financial services, critical infrastructure, among others. In fact, research indicates that hacking and phishing attacks rose over six-times their typical level in March. According to government intelligence agencies, the trend still continues today.  

One illustrative example is the Agent Tesla info-stealer malware payloads. These payloads have been used to target the oil and gas industry through spearphishing campaigns by impersonating shipment companies and engineering contractors. While these attacks aren’t incredibly sophisticated, it’s their excellent timing – striking while resources are strained by risk of attack – and the highly targeted nature that makes them stand out. 

How Did the Threat Actors Target the Oil and Gas Industry?

Spearphishing differs from traditional phishing attacks because the threat actors narrowly  target specific individuals or entities with tailored content relevant to their industry, as opposed to more indiscriminate phishing attacks that cast a wide net. Ultimately, these threat actors craft their campaigns to mimic trusted sources that the involved parties would typically engage with. When receiving these communications, even the most security-conscious employees may believe that they are being sent a legitimate document.

In the case of recent attacks against oil and gas companies, threat actors were able to impersonate both an engineering contractor within an Egyptian state oil company, ENPPI (Engineering for Petroleum and Process Industries), and a shipping company. Both of these campaigns disguised the emails to appear legitimate by using industry jargon, including accurate information and descriptions about the companies being targeted, sourced from publicly-available information. 

In this instance, recipients were invited to submit a bid for equipment and materials for a project, with supposed archived information listing necessary equipment and materials within a .zip file. This led unsuspecting users to download the malicious attachments, designed to drop the Agent Tesla spyware Trojan when opened. This Agent Tesla malware payload, which unleashed info-stealer upon opening, then infected the recipients to harvest credentials and sensitive information that was then exfiltrated to their command and control servers.

While these spearphishing attacks were not as sophisticated as others that have previously targeted energy companies, the timing of the campaign indicates that the attacker’s motives were advanced. These phishing campaigns were active before and during the week where the OPEC+ alliance and the Group of 20 nations cut the global petroleum output. It is highly likely that, through the deployed spyware, attackers were able to exfiltrate information on how specific countries planned to address the issue. 

Mitigating File-Borne Attack Risk from Zipped File Attachments

By deploying Positive Selection technology, enterprises can neutralize all malicious code from any document–even zipped or password-protected files–in microseconds, without compromising file functionality. This enables recipients to open documents from any sender or any source – without slowing business operations or compromising security.

Further, businesses using Votiro’s Secure File Gateway technology receive additional protection compared to other anti-virus solutions. With Positive Selection, users are protected from unknown and zero-day attacks – while other anti-virus solutions must rely on a database of known signatures, limiting the scope of preventable breaches.    

Using this technology, Votiro’s Secure File Gateway solution is able to sanitize malicious files before they infiltrate an employee’s inbox, so they don’t fall victim to these types of spearphishing attacks on the rise. 

Learn more about how to secure your email gateway here