
THREAT BRIEF

Energy Sector Threat Brief

Over the past several years, cybersecurity attacks targeting the energy industry have been growing globally. This Energy Sector Threat Brief explores them in greater detail.

July 2021


© 2019 LookingGlass Cyber Solutions, Inc. All rights reserved.

TABLE OF CONTENTS

Executive Summary . . . 3
Victim Profile . . . 4
Adversary/Attacker Profiles . . . 5
Top Energy Sector Threats and Attacks . . . 6
  Ransomware . . . 6
  Cyber-Physical Threats . . . 8
  Other Risks and Vulnerabilities . . . 8
  Persistent Attack Vector: Password Management . . . 9
Conclusion . . . 10



EXECUTIVE SUMMARY

Cyber attacks targeting organizations in the energy sector are a growing global threat. Recent years have seen firms in sub-sectors like electricity generation and distribution, oil, and gas facing increasingly sophisticated attacks.

Although attacks in this sector mirror those in other industries, the stakes in the energy sector are significantly higher. In May 2021, a cyber attack hit Colonial Pipeline [1]. Although the attack targeted the company's information technology (IT) systems, the company also powered down its operational technology (OT) systems as part of its incident response, effectively shutting down the largest refined-products pipeline in the United States. A security analyst said the incident showed that "core elements of our national infrastructure" remain vulnerable to cyberattack [2].

Threat actors have also stolen sensitive intellectual property and attempted to disrupt operations with ideologically motivated denial-of-service and "wiper" malware attacks. In February 2020, an unnamed natural-gas pipeline operator had to halt operations for about two days while systems were restored. Although staff never lost control of operations, the company admitted that it "didn't have a plan in place" to respond to a cyberattack [3]. "This incident is just the latest example of the risk ransomware and other cyber threats can pose to industrial control systems, and of the importance of implementing cybersecurity measures to guard against this risk," a CISA spokesperson said [4]. These attacks show that, despite years of warnings, the energy sector remains dangerously vulnerable to cyber attacks.

While not every cyber threat to the energy sector is foreseeable, there are many ways to prevent or mitigate cyber attacks. We know, for example, that the current wave of attacks on the energy industry is fueled by the high value of the assets the sector controls and by its increasing integration of digital technologies, including the mix of IT and OT systems deployed to drive efficiencies. Add to that relatively low levels of cyber investment compared with sectors such as financial services, and you have a recipe for the damaging and costly attacks the energy sector has seen in recent years.


[1] https://www.npr.org/2021/05/08/995040240/cybersecurity-attack-shuts-down-a-top-u-s-gasoline-pipeline
[2] Ibid.
[3] Ibid.
[4] Ibid.


VICTIM PROFILE

The energy sector comprises a broad range of firms involved in the production and distribution of energy, including oil and gas exploration, production, and refining; renewable energy development; electricity generation, transmission, and distribution; and nuclear energy. Firms range in size from Fortune 50 global corporations to small businesses that employ a handful of people and serve a specific region or market. Their businesses range from discovery and development of energy resources to power generation, transmission, and distribution, and they require a wide variety of technology and equipment to serve different populations and customers.

As such, the energy sector supply chain has unique vulnerabilities:

• Power Generation: Power plants and other generation facilities are vulnerable to ransomware and disruption-of-service attacks. Much of the vulnerability is due to the age of the facilities and the fact that they were designed without cyber threats in mind.

• Energy Transmission and Distribution: Transmission and distribution of energy can occur over vast physical distances that complicate cyber risk and vulnerabilities. Disruption in substations can lead to local and regional power loss. Grid systems that deliver energy can be attacked through multiple vectors, either onsite or via remote services.

• Network: The advent and proliferation of consumer Internet of Things (IoT) devices, such as smart meters and electric vehicle chargers, opens up a wider attack surface across the sector. These vulnerabilities can lead to theft of customer information and disruption of service.

Energy sector firms are spread across the globe and operate in every country. However, many are concentrated in the countries that make up the Gulf Cooperation Council (GCC), which include some of the world's largest oil and natural gas producers. An uptick in cyber activity targeting GCC countries, including domestic energy firms and their suppliers (often headquartered outside the GCC), has been observed [5].

But attacks are not limited to the Middle East. In 2018, the U.S. Department of Homeland Security (DHS) and FBI warned about incursions by hacking groups with links to the Russian government that have targeted energy and other critical infrastructure firms in the U.S. [6]. Currently, no fewer than five hacking groups are believed to have the capability to attack and compromise energy sector industrial control systems. Their targets range from North America and Western Europe to the former Soviet republics, the Middle East, and Israel. While there have been few documented cyber attacks on U.S. energy sector firms, reports from DHS suggest that "hundreds" of attacks on U.S. electric utilities may have given Russia-linked groups the ability to disrupt the operation of the U.S. grid [7].

[5] https://www.reuters.com/article/us-italy-cyber-saipem/saipem-servers-suffer-cyber-attack-in-middle-east-idUSKBN1O92B1
[6] https://www.us-cert.gov/ncas/alerts/TA18-074A
[7] https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110


ADVERSARY/ATTACKER PROFILES

Threat actors targeting the energy sector are as diverse as the organizations they aim to penetrate, and groups targeting energy industry firms are likely to pursue a range of objectives. Among the most aggressive are:

State-sponsored or state-affiliated "advanced persistent threat" (APT) actors

LookingGlass and other organizations have observed attacks on energy sector firms connected to known APT groups from nation-states including Russia, Iran, China, and North Korea. These attacks might be extensions of foreign policy directives seeking to punish perceived adversaries, or may focus on the theft of sensitive information to further domestic interests.

In 2017, the Russian APT group DragonFly 2.0 compromised U.S. and European energy companies, gaining enough control over power grid systems that blackouts could have been induced [8]. In more than 20 cases, DragonFly 2.0 gained access to interfaces that energy engineers use to issue commands directly to equipment supplying energy to homes and businesses. Although APT attacks on Ukrainian power grids in 2015 and 2016 caused blackouts, this kind of attack has not yet been seen in the U.S. [9]

For nation-state actors, attacks on energy firms may be part of a long-range strategy to obtain a foothold on a potential adversary's critical infrastructure that can be leveraged in a future cyber or kinetic conflict. Increasingly, nation-backed attacks on energy firms are also motivated by the drive for economic development. As activities like energy exploration and development come to rely more on advanced technologies and analysis tools, domestic economies stand to benefit if key players can obtain the fruits of expensive research and development (R&D) from competing nations via espionage or intellectual property theft. Additionally, stolen data may help domestic firms negotiate business deals on more favorable terms.

Cyber criminal groups

Both IT and OT networks are highly visible targets for cyber criminal groups interested in stealing sensitive data or conducting disruptive attacks designed to extract payment from the targeted firm(s), such as denial-of-service and ransomware attacks.

The Colonial Pipeline attack mentioned above is a classic example of a ransomware attack. As a result, Colonial was forced to shut down one of the nation's largest fuel pipelines. The company restored its systems after paying the cyber criminal group DarkSide $4.4 million in Bitcoin, part of which was later recovered by the FBI [10].

For cyber criminal groups, financial gain is almost always the motivation. This may come through the theft and resale of valuable data, including usernames and passwords for IT assets (file servers, Microsoft Exchange Server) on the victim network. Proprietary data such as customer information or R&D might also be exfiltrated and offered for sale on the black market.

[8] https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/
[9] https://www.wired.com/story/russian-hackers-attack-ukraine/
[10] https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html


There is also money to be made from disrupting facility operations via ransomware, botnets, or denial-of-service attacks, as in the spring 2020 attack on CPC Corp, Taiwan's state-owned energy company. Given the importance of availability in the energy sector and the high cost of downtime, firms are often motivated to pay steep ransoms to get affected systems back.

Hacktivists and ideologically motivated hackers

The close association of some energy sector organizations with national governments in countries like the United Arab Emirates and Saudi Arabia makes them targets of hacktivist groups interested in sending a political message. Additionally, energy firms may be targeted by environmental or grassroots groups opposing energy exploration and development in specific locations.

While hacktivists often pose threats that are less sophisticated than those of other threat actors, they can still disrupt operations and energy systems. Hacktivists are more likely than APTs to use DDoS attacks, and these attacks, often carried out with publicly available tools, can be as damaging to energy entities as cyber criminal or APT attacks [11].

For hacktivists and ideologically motivated actors, disruption of business operations or damage to the corporate brand is often the goal. Website defacements, social media compromises, denial-of-service attacks or, at the high end, cyber attacks intended to disrupt the operation of a key facility or the corporate network are the most common tools of hacktivists targeting the energy sector.

[11] Eduard Kovacs, "DDoS attacks more likely to hit critical infrastructure than APTs: Europol," SecurityWeek, September 27, 2017, securityweek.com.

TOP ENERGY SECTOR THREATS AND ATTACKS

For more than a decade, LookingGlass has maintained external attack surface and threat intelligence collections for several critical infrastructure sectors, including the energy sector (as defined by the U.S. Department of Homeland Security). This enables us to provide situational awareness and see trends across sectors over time. Our team analyzed:

• Threats and vulnerabilities available from threat feeds and open-source intelligence (OSINT) reports
• Data across the deep and dark web (DDW)
• APT and cyber criminal group campaigns that target the energy sector

Cyber threats targeting the energy sector are varied, but the primary threat, as in most sectors, is ransomware. According to a comprehensive review of ransomware attacks by sector, the energy sector is less likely to be attacked than other sectors but more likely to pay the extortion fee. This is likely due to the criticality of the sector combined with significant legacy networks and pressure to restore services quickly.

Other threats include commodity malicious software used to gain and maintain access to compromised systems and networks, and specialized hacking tools and platforms that target the industrial control and supervisory control and data acquisition (SCADA) systems commonly used by firms in the energy sector.

Ransomware

By leveraging LookingGlass solutions, our analyst team was able to identify the following trends:

• 36% of energy companies were victims of ransomware attacks, slightly below the global average of just under 40%.

• Of the energy companies that fell victim to ransomware, 66% had their data encrypted by the attackers and 25% were able to halt the attack before encryption. That attacker success rate was the second highest of the surveyed critical infrastructure sectors, behind only local governments.

• 43% of energy company victims paid the ransom; this is the highest of the surveyed sectors and well above the global average of 32%.

LookingGlass's review of DDW data also revealed 15 incidents of leaked data resulting from ransomware attacks in the energy sector. The groups we saw on the DDW often use "double extortion" tactics, releasing stolen data when a victim fails to pay the extortion fee. Below are the actor groups, the number of energy sector organizations with leaked data, and each energy company's country association:

*No longer active due to law enforcement action


Cyber-Physical Threats

Increasingly, energy sector firms are encountering targeted threats designed specifically for the ICS and SCADA systems that run in operational settings. Stuxnet was among the first and best known of these and dates to 2009 or earlier. It targeted programmable logic controllers (PLCs) made by Siemens and used to operate the uranium enrichment facility at Iran's Natanz nuclear complex south of Tehran [12]. Malware such as BlackEnergy is thought to have originated as early as 2007 but was repurposed from 2014 onward to target electric power distribution facilities and other industries (including media) in Ukraine [13]; the Ukrainian grid attacks of December 2015 and December 2016 followed [14].

Recent years have seen a steady rise in threats to OT environments, including ICS and SCADA systems. In 2017, for example, a new family of malicious software dubbed "Triton" or "Trisis" was discovered targeting Schneider Electric safety instrumented systems deployed at a refinery in Saudi Arabia [15]. That malware leveraged a previously unknown (zero-day) vulnerability in the firmware of Schneider's Triconex safety controllers to install a remote access trojan capable of disabling the safety functions those controllers exist to enforce [16].

LookingGlass continues to see threats such as Stuxnet, Pony Loader, and Mirai, as well as malware command-and-control (C2) nodes, operating on energy sector infrastructure. Of note, in 2021 cyber-physical threats gained additional prominence in the U.S. with the compromise of the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida. An intruder used the plant's remote-access software to raise the setpoint for sodium hydroxide (lye) in the treatment process to a dangerous level. The attack was noticed by an operator who saw unexpected mouse movement on his screen but initially dismissed it, because supervisors routinely connected remotely to control machines throughout the plant. When the operator later watched the setpoint being changed, he reverted it and raised the alarm, leading to the cyber investigation. Although a water utility is not an energy sector organization, it belongs to a similar critical infrastructure sector with ICS and OT networks, and the incident reinvigorated attention to cyber-physical security concerns.

[12] https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
[13] https://motherboard.vice.com/en_us/article/wnx5yz/the-malware-that-led-to-the-ukrainian-blackout
[14] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/updated-blackenergy-trojan-grows-more-powerful/
[15] https://www.eenews.net/stories/1060123327?wpisrc=nl_cybersecurity202&wpmm=1
[16] https://www.schneider-electric.com/en/work/support/cybersecurity/security-notifications.jsp

OTHER RISKS AND VULNERABILITIES

LookingGlass's monitoring also highlighted several risky services and vulnerabilities in use across the energy sector, including:

• Telnet with default passwords
• Trivial File Transfer Protocol (TFTP, port 69)
• CVE-2018-10933 (libssh server authentication bypass; libssh 0.6 and later, fixed in 0.7.6 and 0.8.4)
• Apache httpd 2.2 (an end-of-life branch with no further security releases)
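The four items above are exactly the kind of finding an external attack surface scan surfaces. The following is an added example, not LookingGlass code or data, of how a practitioner triages such scan output: it walks constructed service records (hypothetical TEST-NET-3 hosts with made-up banners) and flags exposed Telnet, exposed TFTP, libssh versions in the CVE-2018-10933 range, and the Apache 2.2 branch. Version-string matches are candidates only, because distributions backport fixes without changing the advertised version, so each finding is worded as something to confirm rather than a confirmed vulnerability.

```python
"""Added example: triaging external scan records for the exposed services and
version-identifiable vulnerabilities the brief lists. Hosts, ports and banners
below are constructed; this is not LookingGlass code or data."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ServiceRecord:
    host: str
    port: int
    proto: str    # "tcp" or "udp"
    banner: str   # first line the service returned, "" if nothing came back


# Constructed sample scan (TEST-NET-3 addresses), not real results.
SAMPLE_SCAN = [
    ServiceRecord("203.0.113.10", 22, "tcp", "SSH-2.0-libssh_0.7.4"),
    ServiceRecord("203.0.113.10", 80, "tcp", "Server: Apache/2.2.15 (CentOS)"),
    ServiceRecord("203.0.113.11", 22, "tcp", "SSH-2.0-libssh_0.8.4"),
    ServiceRecord("203.0.113.11", 23, "tcp", "login: "),
    ServiceRecord("203.0.113.12", 69, "udp", ""),
    ServiceRecord("203.0.113.12", 22, "tcp", "SSH-2.0-OpenSSH_8.4"),
    ServiceRecord("203.0.113.13", 443, "tcp", "Server: Apache/2.4.46 (Unix)"),
]


def parse_version(text: str, pattern: str):
    """Return (major, minor, patch) from the first match of `pattern`, else None."""
    m = re.search(pattern, text)
    return tuple(int(x) for x in m.groups()) if m else None


def libssh_cve_2018_10933(version: tuple) -> bool:
    """CVE-2018-10933 (server-side authentication bypass) affects libssh 0.6.0
    and later; it was fixed in 0.7.6 and 0.8.4."""
    return (0, 6, 0) <= version < (0, 7, 6) or (0, 8, 0) <= version < (0, 8, 4)


def triage(rec: ServiceRecord) -> list:
    """Findings for one exposed service. Version matches are candidates only:
    distributions backport fixes without changing the advertised version."""
    findings = []
    if rec.proto == "tcp" and rec.port == 23:
        findings.append("telnet exposed: cleartext; verify vendor default "
                        "credentials are rejected")
    if rec.proto == "udp" and rec.port == 69:
        findings.append("tftp exposed: unauthenticated; often serves device "
                        "configs and firmware")
    ssh = parse_version(rec.banner, r"libssh[_-](\d+)\.(\d+)\.(\d+)")
    if ssh and libssh_cve_2018_10933(ssh):
        findings.append("libssh %d.%d.%d in range for CVE-2018-10933; "
                        "confirm against the distribution's patched version" % ssh)
    httpd = parse_version(rec.banner, r"Apache/(\d+)\.(\d+)\.(\d+)")
    if httpd and httpd[:2] == (2, 2):
        findings.append("Apache httpd 2.2 branch: end of life, no further "
                        "security releases")
    return findings


def triage_scan(records) -> dict:
    """Map (host, port, proto) -> findings, keeping only services with findings."""
    out = {}
    for rec in records:
        findings = triage(rec)
        if findings:
            out[(rec.host, rec.port, rec.proto)] = findings
    return out


if __name__ == "__main__":
    for key, findings in sorted(triage_scan(SAMPLE_SCAN).items()):
        for f in findings:
            print("%s:%d/%s  %s" % (key[0], key[1], key[2], f))
```

On the sample, the libssh 0.8.4 host, the OpenSSH host and the Apache 2.4 host produce no findings and drop out of the result; the other four records are the ones an analyst would take to the asset owner for confirmation.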

Upon further investigation, LookingGlass discovered a total of 3,200 verified vulnerabilities, including the critical Microsoft Exchange Server vulnerabilities:

• CVE-2021-26855
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

Chained together, these zero-day vulnerabilities allow attackers to access on-premises Microsoft Exchange servers and email accounts and to install additional malicious software (such as web shells) that provides long-term, persistent access to an organization's networks and systems. The vulnerabilities were being exploited by Hafnium, a Chinese APT group known for targeting U.S. organizations [17]. Although patches have been released, many energy sector organizations appear still to be grappling with them.

Persistent Attack Vector: Password Management

Finally, and perhaps unsurprisingly, poor password security practices, and weak passwords in particular, are a persistent, serious, and mostly avoidable problem for the energy sector. A 2020 study by PreciseSecurity found that weak passwords were the cause of 30% of ransomware infections in 2019 [18]. Weak passwords are only part of the problem: LookingGlass researchers monitor billions of compromised credentials found in data dumps across the surface and dark web.

In our analysis of the Colonial Pipeline attack, for example, LookingGlass found 430 compromised credentials for the organization in various data dumps, and 83% of the passwords would be considered weak by authentication best practices (e.g., password123, admin). Forensic analysis and incident response after the attack showed that the initial access vector was a compromised credential for a legacy VPN account that did not require multi-factor authentication.

For our review of 2021 threats to the energy sector, LookingGlass selected a sample of five sector organizations to see whether they had exposed or compromised credentials across the surface and dark web, limiting the date range of those exposed credentials to breaches from 2020 to mid-2021. LookingGlass found 1,729 unique instances of compromised credentials across those five organizations. Further analysis showed that:

• More than 90% of those compromised credentials had weak passwords (12 characters or fewer), which are easily guessed using brute-force methods.

• Many of these passwords were the person's name, the word "password", or "123" appended to the word "password" or to a common name (e.g., bob123, sally123).

• The organization's name or domain name was used in 9% of the passwords; for one organization in particular, 55 passwords found on the DDW included the organization's name.

• There were multiple examples of possible shared passwords (i.e., the same password under different usernames).

• Many compromised credentials were the same over extended periods of time, meaning that the same password for an account was found in multiple dumps over a period of three years.

[17] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[18] https://www.securitymagazine.com/articles/91572-weak-passwords-caused-30-of-ransomware-infections-in-2019
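The credential findings above are the output of a repeatable check, and an organization can run the same check against its own leaked-credential feed. The following is an added example, not LookingGlass code or data, that scores a constructed dump sample (hypothetical organization "examplegrid", made-up accounts, passwords and dump dates) against each pattern the brief reports: length of 12 characters or fewer, use of the word "password", the account holder's own name with a numeric suffix, the organization's name in the password, one password reused across several accounts, and one credential recurring in dumps far apart in time. The persistence threshold defaults to one year and is an assumption, not a figure from the brief.

```python
"""Added example: scoring a leaked-credential sample against the weakness
patterns the brief reports. Organisation, accounts, passwords and dump dates
are constructed; this is not LookingGlass code or data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class LeakRecord:
    username: str   # account as it appeared in the dump, usually an e-mail
    password: str   # plaintext (or cracked) password as found
    seen: date      # date of the dump the record came from


ORG_NAME = "examplegrid"             # hypothetical organisation
ORG_DOMAIN = "examplegrid.example"   # hypothetical domain

# Constructed sample of dump records; one account (ops@) recurs across dumps.
SAMPLE_DUMP = [
    LeakRecord("bob@examplegrid.example",   "bob123",              date(2020, 3, 1)),
    LeakRecord("sally@examplegrid.example", "sally123",            date(2020, 6, 1)),
    LeakRecord("ops@examplegrid.example",   "password",            date(2018, 5, 1)),
    LeakRecord("ops@examplegrid.example",   "password",            date(2020, 6, 1)),
    LeakRecord("ops@examplegrid.example",   "password",            date(2021, 5, 1)),
    LeakRecord("admin@examplegrid.example", "Password123",         date(2021, 2, 1)),
    LeakRecord("j.doe@examplegrid.example", "ExampleGrid2020!",    date(2021, 2, 1)),
    LeakRecord("k.lee@examplegrid.example", "Summer2020",          date(2020, 9, 1)),
    LeakRecord("m.ray@examplegrid.example", "Summer2020",          date(2021, 3, 1)),
    LeakRecord("c.fox@examplegrid.example", "Tr0ub4dor&3-Xk9!pQ",  date(2021, 4, 1)),
]


def short_password(pw: str, limit: int = 12) -> bool:
    """The brief's length criterion: 12 characters or fewer."""
    return len(pw) <= limit


def built_on_password_word(pw: str) -> bool:
    return "password" in pw.lower()


def name_plus_digits(username: str, pw: str) -> bool:
    """'bob123', 'sally': the account's own name with an optional numeric suffix."""
    local = username.split("@", 1)[0].lower()
    names = {p for p in re.split(r"[._-]", local) if len(p) >= 3}
    m = re.fullmatch(r"([a-z]+)\d*", pw.lower())
    return bool(m) and m.group(1) in names


def contains_org_name(pw: str, org_name: str = ORG_NAME,
                      org_domain: str = ORG_DOMAIN) -> bool:
    low = pw.lower()
    return org_name.lower() in low or org_domain.lower() in low


def analyze(records, org_name: str = ORG_NAME, org_domain: str = ORG_DOMAIN,
            persistence_days: int = 365) -> dict:
    """Counts over unique (username, password) pairs, plus the two cross-record
    patterns: one password on several accounts, and one credential recurring in
    dumps at least `persistence_days` apart (threshold is an assumption)."""
    unique = {(r.username, r.password) for r in records}
    users_by_password = defaultdict(set)
    dates_by_credential = defaultdict(list)
    for r in records:
        users_by_password[r.password].add(r.username)
        dates_by_credential[(r.username, r.password)].append(r.seen)
    return {
        "unique_credentials": len(unique),
        "short": sum(short_password(p) for _, p in unique),
        "password_word": sum(built_on_password_word(p) for _, p in unique),
        "name_plus_digits": sum(name_plus_digits(u, p) for u, p in unique),
        "org_name": sum(contains_org_name(p, org_name, org_domain) for _, p in unique),
        "shared_passwords": sorted(pw for pw, users in users_by_password.items()
                                   if len(users) > 1),
        "persistent_credentials": sorted(
            cred for cred, seen in dates_by_credential.items()
            if (max(seen) - min(seen)).days >= persistence_days),
    }


if __name__ == "__main__":
    stats = analyze(SAMPLE_DUMP)
    n = stats["unique_credentials"]
    for key in ("short", "password_word", "name_plus_digits", "org_name"):
        print("%-18s %d/%d (%.0f%%)" % (key, stats[key], n, 100.0 * stats[key] / n))
    print("shared passwords:", stats["shared_passwords"])
    print("persistent credentials:", stats["persistent_credentials"])
```

Counting over unique (username, password) pairs mirrors the brief's "unique instances" figure, so a credential that appears in three dumps is one weak password, not three; the recurrence itself is reported separately as a persistent credential, which is the signal that the account's password was never rotated after the first leak.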


CONCLUSION

A rarity only a decade ago, attacks targeting energy sector firms are now happening with growing frequency across Europe and North America. Between the Colonial Pipeline ransomware attack and the cyber-physical Florida water treatment plant hack, the energy sector is likely to remain a high-value and relatively easy target for nation-state actors and cyber criminal groups.

To protect against these myriad threats, organizations in the energy sector need a multifaceted approach. This includes reviewing and leveraging an "outside-in" view, such as external attack surface monitoring, to see which services and vulnerabilities are exposed to the internet (the Microsoft Exchange zero days and default Telnet passwords discussed above, for example). This can help energy sector organizations develop mitigations and support threat hunting efforts. More foundationally, organizations should regularly look for compromised credentials belonging to their users in order to institute better cyber hygiene, and should pair that monitoring with multi-factor authentication so that a leaked password alone does not grant access.

ABOUT LOOKINGGLASS

LookingGlass develops cybersecurity solutions that empower organizations to meet their missions with tailored, actionable threat intelligence and threat mitigation capabilities that move at machine speed. For more than a decade, the most advanced organizations in the world have trusted LookingGlass to help them protect financial systems, ensure telecommunications are cyber-resilient, and safeguard national security interests. Rooted in operationalizing threat intelligence, LookingGlass solutions help reduce the time to detect and respond to incidents, enable cyber investigations, optimize threat hunt operations, and improve analyst productivity and efficiency. By linking the risks and vulnerabilities from an organization's external attack surface to customized threat actor models, LookingGlass provides a more accurate view of cyber risk and enables systematic definition and deployment of mitigations to defend against the threats that matter. For energy sector organizations interested in understanding their external attack surface, including the risks and vulnerabilities specific to them, contact us at [email protected].
