Connect with us

Hi, what are you looking for?



Oil and Gas Companies Targeted With Agent Tesla Malware

Oil and gas organizations have been targeted in recent spearphishing campaigns using the “Agent Tesla” spyware Trojan, security firm Bitdefender says. 

Oil and gas organizations have been targeted in recent spearphishing campaigns using the “Agent Tesla” spyware Trojan, security firm Bitdefender says. 

In one campaign, the attackers impersonated Egyptian state oil company Enppi (Engineering for Petroleum and Process Industries) to target organizations in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others.

In the second campaign, the adversary pretended to be a shipment company and leveraged legitimate information about a chemical/oil tanker to target victims in the Philippines. Specific to this attack was the use of industry jargon, which made the email seem authentic. 

As part of the first campaign, the attackers mimicked Enppi to request bids for equipment and materials, as part of the Rosetta Sharing Facilities Project, on behalf of gas company Burullus. The emails carried as attachments archives designed to drop Agent Tesla onto the victims’ machines. 

The malware was designed to collect credentials and various sensitive information and send all data back to a command and control (C&C) server at smtp[:]//

Bitdefender says it observed a spike in attacks on March 31, but the usual daily number of incidents remains below five. Malaysia, the MENA region, and the United States were affected the most in this campaign. 

The second campaign appears to have started on or around April 12, attempting to deliver Agent Tesla to shipment companies in the Philippines. 

Advertisement. Scroll to continue reading.

The attacks impersonated a chemical/oil tanker, informing the recipient they should send the Estimated Port Disbursement Account (EPDA) for the shipping vessel, along with information about container flow management (referenced as “cfm” in the email).

Attacks targeting the oil and gas industry, Bitdefender notes, have been increasing in frequency since October 2019, peaking in February 2020. 

Learn more about threats to industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

“With over 5,000 malicious reports from companies that operate in the energy industry, cybercriminals seem to have taken a keen interest in this vertical, perhaps as it has become more important and strategic after recent oil price fluctuations,” the security company says

What Bitdefender couldn’t provide for these attacks, however, was attribution to a specific threat actor. Responding to a SecurityWeek inquiry, Liviu Arsene, global cybersecurity researcher at Bitdefender, pointed out that attribution is rather difficult, despite the occurrence of similar attacks in the past. 

“In this recent campaign attribution is all the more difficult as it’s the first time we’ve seen the Agent Tesla spyware associated with a campaign on the energy sector, and that the infostealer itself is not something highly sophisticated, but something that can be purchased on underground forums and used by anyone in various other campaigns,” Arsene said. 

“This is part of a growing threat against industrial organizations, including oil and gas companies, that rely heavily on remote access to maintain their operations. This reliance is even more pronounced in the era of COVID-19. Financially motivated hackers are taking notice and engaging in targeted spearphishing campaigns to compromise the accounts of those with privileged access for the purposes of stealing data or extorting operations with ransomware,” Dave Weinstein, CSO at Claroty, said in an emailed comment. 

Related: Upstream Oil and Gas Companies Boosted Cybersecurity Spending in 201

Related: SWEED Hackers Target Manufacturing, Logistics Organizations

Related: Oil and Gas Sector in Middle East Hit by Serious Security Incidents

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.