Oil Industry Under Attack

Monday, May 18, 2015 @ 02:05 PM gHale

By Gregory Hale

A malicious and largely unknown targeted attack focused on oil tankers has been going on since August 2013, researchers said.

First discovered in January 2014, the ongoing attack on oil cargos began in August 2013, and its motive is to steal information and credentials for scamming oil brokers, said researchers at Panda Security.


Despite suffering a compromise in this cyber attack, which Panda called “The Phantom Menace,” none of the dozens of affected companies have been willing to report the intrusion and risk global attention for vulnerabilities in their IT security networks, the researchers said.

Panda Security is issuing its report to draw attention to the attack and to urge companies in every industry to take precautions against these increasingly sophisticated and insidious attacks.

Phantom Menace is one of the most unusual attacks that PandaLabs has discovered.

“Initially this looked like an average non-targeted attack,” said Luis Corrons, PandaLabs Technical Director and report author. “Once we dug deeper, though, it became clear that this was a systematic, targeted attack against a specific sector in the oil industry. We can limit the impact of this potentially catastrophic cyber attack, but only if the victimized companies are willing to come forward.”

Undetectable with AV
No antivirus engine was able to detect it when first triggered, primarily because the attackers used legitimate tools in conjunction with a number of self-made scripts, so nothing in the activity triggered the warnings that traditional AV software relies on.

Panda discovered it only when a secretary opened a nonspecific attachment to an email – a type of file that Panda Security would later identify among ten different companies in the oil and gas maritime transportation sector.

“One day, while a secretary with more than 20 years of experience at (an unnamed oil company) was checking her email as she did every Monday morning, she came across an email message with an attached document.

“The document appeared to be a PDF file of approximately 4MB in size, with information about the oil market. Nothing suspicious. Besides, the message in question had gone through every security filter in place. Neither the mail server antivirus nor the antivirus on her workstation had found anything anomalous in it.

“(The secretary) double-clicked the attachment. A blank PDF opened. ‘This must be a mistake. I hope they realize it and send us the correct file again,’ she thought, moving on to the next unread message.

“Meanwhile, 1,700 km away, an alarm was triggered. An unknown threat had just been detected and blocked when it tried to steal credentials from Susan’s computer and send them out.

“Today, most computer threats are designed to steal information from target systems, so this just looked like thousands of cases we examine in the laboratory every day. However, it caught our attention that no antivirus engine had been able to detect it, although this shouldn’t be so surprising if you take into consideration that every day over 250,000 new malware files are put in circulation. There was something really unique about this threat: it didn’t use any kind of malware. That’s why we decided to call it the ‘Phantom Menace.’”

Attack Motives

While some may question how effective the attack was, it made it through active AV scans.

“No malware ended up being used in the attack; the hack makes use of legitimate tools and different scripts to perform the aforementioned actions.

“But, is this type of attack really effective? As mentioned before, no antivirus was capable of detecting it. Furthermore, its peculiarities seem to indicate that the proactive protection layers included in most antivirus solutions would not be able to detect its apparently harmless behavior.

“This was confirmed when we accessed the FTP server that the stolen data was sent to, and found that the oldest files dated back to August 2013. That is, the attack had been underway for almost six months completely undetected.”

In most cases, identifying the source of a cyber-attack is tremendously challenging. Once discovered, however, The Phantom Menace had a telling weak spot: the FTP connection used to send out the stolen credentials. Through the FTP connection, PandaLabs was able to identify both an email address and name.
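The FTP channel is also the point a defender can watch for: credentials leaving a user workstation over plain FTP to an outside host is unusual enough to alert on, whatever tool wrote the files. The script below is an added example, not code from Panda Security or from the report; it runs over a small constructed firewall log (the log lines, the 10.20.5.0/24 workstation subnet and the key=value record layout are all assumptions made for the example) and aggregates allowed FTP connections from workstations to non-RFC 1918 destinations, so that a host repeatedly pushing data out, as the report describes, rises to the top of the list.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall connection log, one record per line (sample data, not from the Panda report).
SAMPLE_LOGS = """\
2014-01-13T08:02:11 src=10.20.5.41 dst=203.0.113.77 dport=21 proto=tcp action=allow bytes_out=18320
2014-01-13T08:02:15 src=10.20.5.41 dst=203.0.113.77 dport=20 proto=tcp action=allow bytes_out=4096
2014-01-13T08:05:40 src=10.20.5.19 dst=10.20.1.5 dport=21 proto=tcp action=allow bytes_out=512
2014-01-13T08:06:02 src=10.20.5.41 dst=198.51.100.10 dport=443 proto=tcp action=allow bytes_out=2210
2014-01-13T09:14:09 src=10.20.5.88 dst=192.0.2.9 dport=21 proto=tcp action=allow bytes_out=7700
2014-01-13T09:20:00 src=10.20.5.41 dst=203.0.113.77 dport=21 proto=tcp action=allow bytes_out=20100
"""

# Assumed address plan: user workstations live in 10.20.5.0/24, and anything
# outside the RFC 1918 ranges is treated as external to the company.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.5.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}  # control channel and active-mode data channel


def parse_line(line):
    """Parse one 'timestamp key=value ...' firewall record into a dict with typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    return any(ip in n for n in nets)


def find_ftp_exfil(log_text):
    """Aggregate allowed FTP connections from workstations to external hosts.

    Returns a list of (src, dst, connections, total_bytes_out) tuples, largest
    byte count first, so the workstation/destination pair moving the most data
    comes out on top.
    """
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "allow" or rec["dport"] not in FTP_PORTS:
            continue
        # Internal file servers are expected traffic; only the path out of the company matters here.
        if not in_any(rec["src"], WORKSTATION_NETS) or in_any(rec["dst"], INTERNAL_NETS):
            continue
        key = (str(rec["src"]), str(rec["dst"]))
        totals[key][0] += 1
        totals[key][1] += rec["bytes_out"]
    findings = [(src, dst, n, b) for (src, dst), (n, b) in totals.items()]
    return sorted(findings, key=lambda f: f[3], reverse=True)


if __name__ == "__main__":
    for src, dst, n, b in find_ftp_exfil(SAMPLE_LOGS):
        print(f"ALERT workstation {src} -> external FTP {dst}: {n} connections, {b} bytes out")
```

On the constructed sample this flags 10.20.5.41 (three connections, 42,516 bytes to 203.0.113.77) ahead of 10.20.5.88, and ignores the workstation talking FTP to an internal server. In a real deployment the same aggregation would be run over the firewall or proxy export for a whole day, with the workstation and internal ranges taken from the site's address plan; the point is that no signature for the tooling is needed, only knowledge of which hosts have any legitimate reason to speak FTP to the Internet.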

In short, Panda said the scam works like this: The scammer contacts a broker/middleman and offers them a large amount of BLCO (Bonny Light Crude Oil, which has a very low sulfur content and is therefore a highly desired grade for its low corrosiveness), one to two million barrels, at a very competitive price.

Panda goes on to say, “If the potential buyer is interested, they will ask for documentary evidence that the product exists (Proof of Product). There are different types of documents that can be provided: A quality certificate, a certificate of origin, a cargo manifest, or the letter of ATS (Authority to Sell) issued by the NNPC.

“To close the deal, the buyer must pay a significant amount of money — from $50,000 to $100,000 — in advance. However, once they pay the money they are met with the nasty surprise that there is no oil.

“The weakest link in the scam is the documentation that the scammer must provide to convince the buyer. Even though all of these documents can be forged, the fraudster runs the risk of being discovered by the broker.

“To make it more plausible, scammers attempt to use real documents so that if the broker wishes to check their legitimacy, they will see that they are real.

“However, how difficult is it to obtain these documents? It is very complicated. The only way to do it is from companies in the sector. Oil transportation companies, for example. This was just a theory; at that time we didn’t have any evidence to prove that that was the objective of those responsible for the ‘Phantom Menace’ attack.”

Panda Security stands ready to identify the individual to authorities, but without any credible reports being volunteered by the victims, the authorities are unable to launch their investigations or make any arrests. Panda Security hopes the release of its report will shed light on the potential damage of The Phantom Menace and encourage companies to take the necessary steps against the perpetrator.

The full report, “Operation Oil Tanker: The Phantom Menace,” is available for download from Panda Security.
