
Oil and Gas Companies Targeted With Agent Tesla Malware

Oil and gas organizations have been targeted in recent spearphishing campaigns using the “Agent Tesla” spyware Trojan, security firm Bitdefender says. 


In one campaign, the attackers impersonated Egyptian state oil company Enppi (Engineering for Petroleum and Process Industries) to target organizations in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others.

In the second campaign, the adversary pretended to be a shipment company and leveraged legitimate information about a chemical/oil tanker to target victims in the Philippines. Specific to this attack was the use of industry jargon, which made the email seem authentic. 

As part of the first campaign, the attackers mimicked Enppi to request bids for equipment and materials for the Rosetta Sharing Facilities Project, on behalf of gas company Burullus. The emails carried archive attachments designed to drop Agent Tesla onto the victims’ machines.

The malware was designed to collect credentials and various sensitive information and send all data back to a command and control (C&C) server at smtp[:]//smtp.yandex.com:587.
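The exfiltration path named above (outbound SMTP to smtp.yandex.com on port 587) is a concrete, detectable indicator: ordinary workstations in most organizations have no reason to open mail-submission connections to an external provider. The following Python script is an added example written for this article, not Bitdefender's or SecurityWeek's code; it scans constructed firewall-style log lines and raises an alert both for the specific host the article names and for any non-relay host speaking outbound SMTP at all. The log format, the `ALLOWED_SMTP_SOURCES` relay address and the sample lines are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicator taken from the article: Agent Tesla exfiltrated stolen data over
# SMTP to smtp.yandex.com:587 (defanged in the text as smtp[:]//smtp.yandex.com:587).
KNOWN_EXFIL_HOST = "smtp.yandex.com"

# Standard SMTP / submission ports; endpoints should not be talking to these directly.
SMTP_PORTS = {25, 465, 587}

# Assumption: the organization's own mail relay, the only host allowed to send SMTP outbound.
ALLOWED_SMTP_SOURCES = {"10.0.0.25"}  # hypothetical relay address

# Constructed log format for this example (key=value fields, hostnames already resolved).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=tcp action=(?P<action>\S+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def classify(event):
    """Decide whether a single connection event is worth an alert; None means benign."""
    if event["dport"] not in SMTP_PORTS:
        return None
    if event["dst"] == KNOWN_EXFIL_HOST:
        return "known Agent Tesla exfil endpoint"
    if event["src"] not in ALLOWED_SMTP_SOURCES:
        return "unexpected outbound SMTP from endpoint"
    return None


def scan(lines):
    """Run the classifier over an iterable of log lines and collect alerts in order."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip blank or malformed lines rather than crashing
        reason = classify(event)
        if reason:
            alerts.append(Alert(event["ts"], event["src"], event["dst"], event["dport"], reason))
    return alerts


# Constructed sample log: one hit on the article's indicator, one legitimate relay,
# one workstation sending SMTP somewhere else, one ordinary HTTPS connection.
SAMPLE_LOG = """
2020-04-13T09:12:01Z src=10.0.1.44 dst=smtp.yandex.com dport=587 proto=tcp action=allow
2020-04-13T09:12:05Z src=10.0.0.25 dst=mx.example.net dport=25 proto=tcp action=allow
2020-04-13T09:13:10Z src=10.0.1.51 dst=mail.example.org dport=465 proto=tcp action=allow
2020-04-13T09:14:00Z src=10.0.1.44 dst=www.example.com dport=443 proto=tcp action=allow
""".strip().splitlines()


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  [{a.reason}]")
```

The second rule matters more than the first: the article itself notes that Agent Tesla is a commodity infostealer sold on underground forums, so the exfiltration mailbox will differ from campaign to campaign while the pattern (a user workstation opening an SMTP submission session to an external mail provider) stays the same. Blocking ports 25, 465 and 587 at the egress firewall for everything except the mail relay turns this detection into a preventive control.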

Bitdefender says it observed a spike in attacks on March 31, but the usual daily number of incidents remains below five. Malaysia, the MENA region, and the United States were affected the most in this campaign. 

The second campaign appears to have started on or around April 12, attempting to deliver Agent Tesla to shipment companies in the Philippines. 


The attacks impersonated a chemical/oil tanker, informing the recipient they should send the Estimated Port Disbursement Account (EPDA) for the shipping vessel, along with information about container flow management (referenced as “cfm” in the email).

Attacks targeting the oil and gas industry, Bitdefender notes, have been increasing in frequency since October 2019, peaking in February 2020. 


“With over 5,000 malicious reports from companies that operate in the energy industry, cybercriminals seem to have taken a keen interest in this vertical, perhaps as it has become more important and strategic after recent oil price fluctuations,” the security company says.

What Bitdefender couldn’t provide for these attacks, however, was attribution to a specific threat actor. Responding to a SecurityWeek inquiry, Liviu Arsene, global cybersecurity researcher at Bitdefender, pointed out that attribution is rather difficult, despite the occurrence of similar attacks in the past. 

“In this recent campaign attribution is all the more difficult as it’s the first time we’ve seen the Agent Tesla spyware associated with a campaign on the energy sector, and that the infostealer itself is not something highly sophisticated, but something that can be purchased on underground forums and used by anyone in various other campaigns,” Arsene said. 

“This is part of a growing threat against industrial organizations, including oil and gas companies, that rely heavily on remote access to maintain their operations. This reliance is even more pronounced in the era of COVID-19. Financially motivated hackers are taking notice and engaging in targeted spearphishing campaigns to compromise the accounts of those with privileged access for the purposes of stealing data or extorting operations with ransomware,” Dave Weinstein, CSO at Claroty, said in an emailed comment. 

Related: Upstream Oil and Gas Companies Boosted Cybersecurity Spending in 201

Related: SWEED Hackers Target Manufacturing, Logistics Organizations

Related: Oil and Gas Sector in Middle East Hit by Serious Security Incidents

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
