Threat actors target oil, gas companies with Agent Tesla spyware

 

Security researchers uncovered a highly targeted espionage operation aimed at the oil and gas sector, in which threat actors attempt to deliver Agent Tesla info-stealer malware via spearphishing attacks impersonating shipment companies and engineering contractors.

Bitdefender researchers say these campaigns are noteworthy because this is the first time Agent Tesla has been deployed as part of attacks targeting the oil & gas industries.

The first campaign was spotted at the end of March, just before a planned OPEC meeting of oil-producing nations, which suggests motivation and interest in knowing how specific countries plan to address the issue.

The spearphishing email used in this campaign was disguised as a message from Egyptian state oil company ENPPI (Engineering for Petroleum and Process Industries), an engineering contractor with experience in both onshore and offshore oil and gas projects.

"The second campaign, impersonating the shipment company, used legitimate information about a chemical/oil tanker, plus industry jargon, to make the email believable when targeting victims from the Philippines," the researchers said.

The first campaign was aimed at companies from Malaysia, Iran, and the United States, countries in which the oil & gas industry plays a significant role. The second campaign started on April 12 and targeted only a handful of shipping companies based in the Philippines over the course of two days.

“While the number of reports may be low, the construction of the messages and the jargon used do show the attackers have a clear understanding of their victim’s profile and use relevant language and information to seem believable and trick the victim into opening the rigged attachment,” the report continues.

In both cases, the spearphishing email contained an attachment contaminated with Agent Tesla spyware, which is able to collect personal information from the victim’s machine, steal data from the victim’s clipboard, log keystrokes, capture screenshots and access the victim’s webcam.

The researchers also observed an increase in malware reports targeting the energy industry in early 2020.

“Starting October 2019, the global evolution of cyberattacks on the energy industry has steadily increased on a monthly basis, peaking in February 2020. With over 5,000 malicious reports from companies that operate in the energy industry, cybercriminals seem to have taken a keen interest in this vertical, perhaps as it has become more important and strategic after recent oil price fluctuations,” Bitdefender said.

“In terms of countries targeted by cyberattacks on companies that operate in the energy industry, the United States and the United Kingdom by far take the lead, with Ukraine coming in a distant third.”
