Security company Bitdefender has identified two cyber campaigns that were highly focused on particular parts of the oil and gas industry and used the same spyware Trojan.
The Romanian researchers highlighted two instances of the use of the malware. The first, which impersonated tender documents from Egypt’s ENPPI, saw a spike of cases on March 31.
The emails referenced a legitimate project, the Rosetta development, and a legitimate company, Burullus. Bitdefender described the campaign as spear phishing, which involves targeting specific individuals in order to gain insider information.
The second campaign started on April 12 and targeted a handful of shipping companies based in the Philippines over two days.
The campaign was intended to deliver the Agent Tesla malware. Bitdefender said this was capable of keylogging and had not been associated with spear phishing campaigns in the oil and gas sector previously.
The ENPPI email had two attachments, referencing work on Rosetta and an oil and gas project for Weir. Bitdefender said its telemetry showed this was the first time it had seen the Weir file used.
The number of reported attacks was fairly low, peaking at 107 on March 31, but Bitdefender noted the particular focus on oil and gas.
The second incident, focused on Filipino shipping, was even smaller but again displayed some knowledge of the sector. For instance, it cited a specific ship, the MT Sinar Maluku.
“This email serves as another example of the lengths to which attackers will go to get their facts straight, make the email seem legitimate, and specifically target a vertical,” the cybersecurity company said.
Cybercriminals have increased their interest in the oil and gas sector since October 2019, with the most attacks taking place in the US and UK, followed by Ukraine.
The timing of the attack, around the OPEC deals, “suggests motivation and interest in knowing how specific countries plan to address the issue”, Bitdefender speculated.