Norway’s Oil Companies Targets of Largest Coordinated Attack
Nearly 300 Norwegian companies in the oil and energy industry have been warned by state authorities about the largest coordinated hacker attack ever reported in the country. The warning follows reports of 50 oil companies being hacked, including Statoil, the largest oil company in the country, according to the national security authority, NSM (Nasjonal Sikkerhetsmyndighet), as reported by NewsInEnglish.no.
The NSM reported that the attacks are being conducted via well-researched phishing campaigns, that is, emails directed at specific employees with key privileges and functions within the companies, such as system operators. If employees open the email attachments, the attackers can execute a program and scan the network for security holes; after finding one, they can install malware.
After installing malware, attackers can use a keylogger to record keystrokes and credentials that let them continue working their way through the network. There’s no intel on the current state of Norway’s security posture, but with 50 companies already hit, including the country’s largest, it isn’t looking good.
In addition to oil companies, other critical infrastructure companies are increasingly becoming targets of remote hackers. A recent Symantec blog reported that a certain group of Russian attackers are now attacking power plants, energy grid operators, gas companies and industrial equipment manufacturers, with most targets located in Spain, the U.S. and across Europe.
Back in 2012, CrowdStrike researchers observed attacks originating from the same Russian group targeting over 1,000 organizations in 84+ countries. According to NYTimes.com, their tactics also included ordinary phishing emails and watering hole attacks. Instead of attacking a company’s network directly, the attackers identified the websites its users visited most often and compromised those sites, so that users would unknowingly download malware when they visited.
Symantec’s report published in July, Dragonfly: Cyberespionage Attacks Against Energy Suppliers revealed that the hacker group continues to use email spear phishing campaigns and watering hole attacks, the same tactics used year over year to breach critical infrastructure companies. In order to get through to larger clients, Symantec reports that the Russian attackers have found a way in by targeting their suppliers that tend to be smaller and less secure.
Once they had credentials to get a foot in the door, they used two main pieces of Remote Access Tool (RAT) malware to extract data: Backdoor.Oldrea (custom malware) and Trojan.Karagany. Oldrea lets the attackers collect system information, including lists of files, installed programs and the root of available drives, plus Outlook contact data and VPN configuration files. The data is packaged up and encrypted before it’s sent to the attackers’ remote command and control (C&C) server.
This custom malware also features a basic control panel that lets the attackers download compressed versions of the stolen data for each individual victim. Symantec’s research found that most of the victims were infected with Oldrea, and only 5 percent with Karagany, an open-source malware.
While basic security awareness may help employees identify phishing emails and avoid clicking on malicious attachments, using two-factor authentication can stop attackers from moving deeper into your network and from using stolen passwords as their way in. By using your smartphone as your method of secondary authentication, remote attackers like the Russians can’t exploit stolen credentials to steal your data, which is of particular importance when it comes to protecting critical infrastructure whose compromise could take down a nation.
Find out more about other attacks on the critical infrastructure industry in:
Protecting Against Critical Infrastructure Attacks: Nuclear & Otherwise