Executive Summary
In the past few years, the energy sector has seen numerous cyber attacks that could have been avoided had the proper security measures been in place. One of the best-known attacks on the sector is the attack on Colonial Pipeline. In May 2021, the threat actor, DarkSide, launched a ransomware supply-chain attack that would end up becoming one of the largest in U.S. history.
The threat actor gained access to Colonial Pipeline’s virtual private network (VPN) account due to a single compromised password. The account that was compromised allowed employees to remotely access the company’s computer network. At the time of the attack, the account wasn’t in use but could still be used to access the fuel company’s network. The energy company ended up paying DarkSide $4.4 million in ransom.
If Colonial Pipeline had followed cyber security best practices by taking inventory of dormant VPN accounts and using multi-factor authentication, their breach could have been avoided. Threat actors want to maximize their profits and will go after critical services if it means a big payday.
However, without the services that our daily lives depend on, the wellbeing of millions of people is threatened.
Unfortunately, the technology within the energy sector is outdated because it was not built with digital transformation in mind. Therefore, legacy equipment often cannot be patched or upgraded. It’s important for organizations within the sector to consistently implement cyber security best practices to keep their operations running efficiently. Let’s take a look at the top five cyber threats within the energy sector and why energy organizations need cyber security best practices to keep their cyber environments safe.
A supply chain attack happens when threat actors access an organization’s network via a third-party vendor or supplier. Access can be gained through viruses or malicious software, giving the attacker keys to sensitive information, customer records, and payment information. Because a supply chain can be large in scope, the attack itself can be difficult to trace.
As previously stated, the attack on Colonial Pipeline was one of the largest supply-chain attacks in U.S. history. A virtual private network (VPN) account was compromised because the organization didn’t take inventory of dormant VPN accounts, and there was no multifactor authentication for the account user.
After the ransomware attack, researchers discovered that the password for the account was inside a batch of leaked passwords on the dark web. It’s suspected that the Colonial Pipeline employee probably re-used that password on another previously hacked account. Currently, it is not known how DarkSide obtained the correct username and password.
As a result of the attack, Colonial Pipeline had to shut down the fuel pipeline, leaving gas stations, businesses, and households without fuel. Additionally, news of the cyber attack spread and people started panic buying, which resulted in gas shortages along the East Coast. DarkSide stole about 100 gigabytes of data from the company and threatened to leak it if the company refused to pay a ransom.
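The two gaps named above, an unused VPN account that still works and no multi-factor authentication, can be checked from an account export. This is an added example, not Colonial Pipeline's or Avertium's tooling; the CSV column names, account names and the 90-day dormancy threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumptions, not any VPN product's schema.
SAMPLE_EXPORT = """username,enabled,mfa_enrolled,last_login
a.rivera,true,true,2021-04-28T08:12:00
svc-contractor7,true,false,2020-11-02T17:40:00
j.chen,true,false,2021-04-30T06:55:00
old-remote01,false,false,2019-06-14T10:00:00
new.hire,true,true,
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def classify(issues):
    """Rank a finding: an unwatched account guarded by one password is the worst case."""
    unused = "dormant" in issues or "never-used" in issues
    if unused and "no-mfa" in issues:
        return "critical"
    return "high" if "no-mfa" in issues else "medium"


def audit_vpn_accounts(export_text, as_of, dormant_after_days=90):
    """Return [(severity, username, issues)] for enabled accounts, worst first."""
    cutoff = as_of - timedelta(days=dormant_after_days)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # a disabled account cannot authenticate
        issues = []
        last_login = (row["last_login"] or "").strip()
        if not last_login:
            issues.append("never-used")
        elif datetime.fromisoformat(last_login) < cutoff:
            issues.append("dormant")
        if row["mfa_enrolled"].strip().lower() != "true":
            issues.append("no-mfa")
        if issues:
            findings.append((classify(issues), row["username"], issues))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, user, issues in audit_vpn_accounts(SAMPLE_EXPORT, datetime(2021, 5, 7)):
        print(f"{severity:8} {user:16} {', '.join(issues)}")
```

Accounts that are both unused and without MFA sort to the top because a single leaked password is enough to use them and nobody is likely to notice the login.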
In March 2022, the United States Department of Justice unsealed indictments detailing alleged Russian government hackers’ efforts to compromise and control critical infrastructure across the globe via supply chain attacks. One of those attacks was to include at least one nuclear power plant. The campaign was allegedly spearheaded by three officers from Russia’s Federal Security Service (FSB).
From 2012 to 2014, the officers worked on a project named “Dragonfly.” The project involved a supply chain attack that targeted updates of industrial control systems and supervisory control and data acquisition systems (ICS and SCADA). This resulted in legitimate updates to the software being infected with the Havex malware. The malware allowed the threat actors to create backdoors and scan networks for additional targets. Seventeen thousand devices were infected in the U.S., and poisoning the SCADA apps could have disrupted the U.S. power supply and even nuclear plants.
Incomplete integration of systems is a major challenge for the energy sector. Typically, an energy organization’s cyber threat landscape includes OT (Operational Technology) and IT (Information Technology) architectures, a mixture of legacy and modern technology, and systems that were acquired during mergers or acquisitions. In order to integrate the right tools into control, transmission, generation, distribution, and field networks while remaining compliant, energy organizations will need to have custom solutions with open standards and APIs to help with streamlining.
If there is a mixture of legacy and modern equipment, it means that some systems won’t be able to be patched or hardened. Legacy equipment is one of the main challenges of the energy sector. OT networks are usually built on equipment that is over 15 years old, and those old networks are becoming more connected. Due to the convergence of IT and OT environments there are challenges with security.
Operational Technology networks that were in place 15 to 20 years ago were not originally built for internet connectivity. While IT technologies can be patched and updated as needed, OT networks often cannot be shut down. This leaves the systems sitting on networks for months to years waiting for maintenance downtime so security updates can be made. Most large OT environments will have scheduled downtime at least once per year. Operators of these systems take downtime and reliability seriously, because lapses generally cost millions of dollars. In some cases, it has been the general IT staff that do not take security of corporate systems as seriously as they should. The lack of complete coverage leads to breaches, and this is what took place in the case of Colonial Pipeline.
In March 2019, a cyber attack impacted a U.S. power grid organization. For ten hours, attackers repeatedly caused firewalls to reboot. Although the attack didn’t cause a disruption in the electric power supply, the incident occurred due to a known firewall vulnerability that went unpatched. After investigating, a power grid operator stated that they failed to apply firmware updates to the firewalls that were compromised.
According to the grid operator, the entity lacked a proper firmware review process to vet security updates before being deployed. While they were actively trying to standardize the process, the procedure was not ready in time – resulting in a holdup of firmware updates that had not been reviewed or deployed. The incident left security holes open on the company’s network.
The energy sector faces great risk of ransomware attacks by ransomware gangs and nation-state threat actors. Not only can a ransomware attack disrupt the operation of an energy organization, but it can also be costly to remediate. A ransomware attack on an energy provider’s systems could be catastrophic for populations. Likewise, not having an incident response plan in place could be damaging to the organization’s reputation.
In August 2022, the ransomware gang Ragnar Locker claimed responsibility for attacking Greece’s largest natural gas supplier, DESFA. The attack impacted the availability of some of DESFA’s systems, and the attackers allegedly stole and published over 360 GB of data. Ragnar Locker has been on the Federal Bureau of Investigation’s (FBI) radar since the gang breached over fifty organizations within ten critical infrastructure sectors.
Ragnar Locker is known for using the double extortion tactic, which involves threat actors exfiltrating sensitive data, then triggering the encryption attack, and ultimately threatening to leak the data if the demanded ransom isn’t paid. To avoid prevention and detection, the threat actor frequently changes their obfuscation techniques.
Ragnar Locker deletes shadow copies and disables antivirus countermeasures, followed by using a PowerShell script to move from one company network to another. Before the ransomware is deployed, Ragnar Locker steals files and uploads them to servers before publishing them – this is done just in case their victim refuses to pay the demanded ransom. Obfuscation techniques protect the ransomware code, and those techniques include adding junk code in addition to encryption.
Ragnar Locker’s attack on DESFA makes this the second time a large pipeline company has been hit by ransomware in recent years. The increase in ransomware attacks across the energy sector prompted the U.S., the UK, and the Australian authorities to issue a joint warning regarding ransomware attacks on critical infrastructure. In 2021, 14 out of 16 U.S. critical infrastructure sectors were hit by ransomware.
As the energy sector tries to upgrade older and outdated infrastructure to take advantage of emerging technologies, identity and access management has become an issue. The new technology, devices, and systems connected to utilities’ grid networks need protection from threat actors.
Controlling access to networked resources such as information technology, equipment, and ICS is crucial. Often, IAM systems exist in silos, and the employees who manage them lack ways to coordinate access to devices and facilities in those silos. Lack of IAM systems results in inefficiency and security risks.
For example, there is an engineer in New Hampshire who has access to several remote terminal units connected to the company’s network. She then gets a new opportunity in California and quits her job. However, once she leaves, the energy company she worked for realizes there is no centralized IAM system in place to manage her access to various facilities and systems, making it cumbersome and time-consuming to try and manage her access. To help prevent this scenario from occurring, IAM best practices would ensure the right people and entities have the appropriate level of access to the right resources.
Not only will proper IAM processes keep cyber environments safe, but these processes will also help energy organizations build toward a Zero Trust model and will help secure both traditional networks and cloud-based architectures. Due to retirements, promotions, and resignations, some energy organizations have shifted the responsibility of IAM away from IT departments to human resources. Human resources has a better overview of employee information, and giving them authority over IAM ensures quick adjustments, thus closing vulnerabilities.
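The departing-engineer scenario above comes down to reconciling each silo's grant list against HR's record of who is leaving. This is an added example, not code from the report; the employee IDs, account names, silo names and dates are constructed, and keying every grant to an HR employee ID is an assumption.

```python
from datetime import date

# Constructed data: HR's last working day per employee (None means no end date on file).
HR_LAST_DAY = {
    "E1001": date(2022, 9, 2),     # the engineer who has already left
    "E1002": None,
    "E1003": date(2022, 10, 14),   # resignation on file, still employed
}

# Each silo keeps its own grant list; only the employee ID links them together.
SILO_GRANTS = {
    "vpn": [
        {"account": "nh-eng1", "employee_id": "E1001", "resource": "remote-access"},
        {"account": "ops2", "employee_id": "E1002", "resource": "remote-access"},
    ],
    "rtu-management": [
        {"account": "eng1", "employee_id": "E1001", "resource": "RTU-07"},
        {"account": "eng1", "employee_id": "E1001", "resource": "RTU-12"},
        {"account": "shared-maint", "employee_id": "", "resource": "RTU-07"},
    ],
    "facility-badge": [
        {"account": "badge-4411", "employee_id": "E1003", "resource": "substation-3"},
        {"account": "badge-4402", "employee_id": "E1001", "resource": "substation-3"},
    ],
}


def revocation_worklist(hr_last_day, silo_grants, today):
    """Return (open_findings, scheduled) as sorted tuples of (silo, account, resource, note)."""
    open_findings, scheduled = [], []
    for silo, grants in silo_grants.items():
        for grant in grants:
            entry = (silo, grant["account"], grant["resource"])
            emp = grant["employee_id"]
            if emp not in hr_last_day:
                # No HR record behind the grant, so no departure will ever trigger removal.
                open_findings.append(entry + ("no-hr-owner",))
                continue
            last_day = hr_last_day[emp]
            if last_day is None:
                continue  # active employee, nothing to schedule
            if last_day < today:
                open_findings.append(entry + (f"left-{(today - last_day).days}d-ago",))
            else:
                scheduled.append(entry + (last_day.isoformat(),))
    return sorted(open_findings), sorted(scheduled)


def silos_to_notify(open_findings):
    """Silo owners who each have to act: the coordination cost of siloed IAM."""
    return sorted({silo for silo, *_ in open_findings})


if __name__ == "__main__":
    findings, upcoming = revocation_worklist(HR_LAST_DAY, SILO_GRANTS, date(2022, 9, 20))
    for row in findings + upcoming:
        print(*row)
```

The `scheduled` list is what lets revocation happen on the last working day instead of weeks later, and the `no-hr-owner` entries are shared or orphaned accounts that an HR-driven process would otherwise never touch.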
Mobile phishing attacks are probably the last thing you expected to make this list, yet mobile phishing attacks targeting employees in the energy sector rose by 161% during the second half of 2020 and the first half of 2021. Outdated and vulnerable devices are an issue for all sectors, but the energy sector is the most targeted.
According to a report published by Lookout, there was a 44% increase in mobile phone devices connecting to energy organizations over the course of 12 months between 2020 and 2021. In the sector, partners and employees are using mobile devices to connect to OT, sensitive information, and industrial control systems. Although the mobile devices increase productivity, they contain a lot of personal and work apps leaving the devices extremely vulnerable to cyber attacks.
Since the COVID-19 pandemic, many people work from home and use personal mobile devices or tablets. The employees use VPNs (Virtual Private Networks) to access their corporate networks making them easy targets for attackers who use phishing techniques to steal VPN credentials. The attacks involve the threat actor employing SMS, email, login pages, and phishing apps on fake corporate websites. The credentials they steal help them gain access to an organization’s internal network which in turn can be used for lateral movement.
Once the threat actor is in the network, they can locate vulnerable systems and launch attacks against flawed industrial control systems. Attackers know that industrial control systems can carry unidentified flaws for several years before they are noticed and fixed. Lookout’s report stated that unmanaged mobile devices in the industry increased 41% in 2021, meaning organizations are losing control and visibility over how the mobile devices are used.
Lookout’s report also stated that 56% of Android users in the energy sector were exposed to vulnerabilities due to running out-of-date versions of Android’s operating system. iOS users were much less affected, benefiting from automated software updates by default. Securing mobile endpoints that employees use can keep phishing attacks and mobile app threats at bay.
In February 2021, Npower, a gas and electricity company, had to permanently withdraw its mobile app after threat actors used it to access their customers’ personal information (last four digits of bank accounts and sort codes). The attackers accessed the customer accounts using login data from another website, leaving customers open to fraud.
In August 2022, North Korean APT group Lazarus (APT38) began attacking the energy sector by exploiting VMWare Horizon servers to access the networks of energy providers in Japan, the U.S, and Canada. The group is known for cyber espionage and has been responsible for hundreds of sophisticated cyber attacks.
Lazarus is a state-backed threat actor and was recently seen using phishing emails to trick deBridge Finance employees into launching malware that collects information from Windows systems and allows the delivery of additional malicious code. Between February and January 2022, the group targeted energy organizations by leveraging the VMWare Horizon vulnerabilities for initial access. After gaining access, the group uses custom malware families such as “YamaBot”, “VSingle”, and “MagicRAT” to search for and steal data from devices.
In April 2022, Lazarus used social engineering to trick victims into downloading Trojanized cryptocurrency applications on Windows or macOS operating systems. According to CISA, Lazarus used the applications to gain access to their victims’ computers, propagate malware across their networks, and steal private keys, which enabled follow-on activities that initiate fraudulent blockchain transactions. The group has also been associated with other North Korean threat actors that have been extremely visible lately (NOBELIUM, H0ly Gh0st, and Kimsuky).
In addition to Lazarus, the ransomware gang BlackCat (ALPHV) recently took responsibility for an attack on Italy’s energy agency “Gestore dei Servizi Energetici SpA” (GSE). The company promotes and supports renewable energy sources across Italy. The attack took place at the beginning of September 2022, forcing GSE to shut down their systems and website to stop the attackers from gaining access to data.
BlackCat stole 700 GB worth of data from GSE, and the threat actors claim the data is sensitive (contracts, reports, project information, and accounting documents). The attack came on the heels of another security incident involving Eni SpA – the largest energy company in Italy.
Additionally, in July 2022, BlackCat attacked a natural gas pipeline and electricity network operator in central Europe called Creos Luxembourg S.A.
Active since at least November 2021, BlackCat is a RaaS (Ransomware-as-a-Service) gang whose ransomware is written in the Rust programming language. The ransomware is compiled for both Windows and Linux. The sample below is one of several BlackCat executables compiled in early November 2021.
Image 1: BlackCat Executable
Source: Avertium's Cyber Threat Intelligence Team
In the above image, we see not only the keyword cargo, but also “.rs” file extensions being referenced. Cargo is the built-in package manager for Rust, and “.rs” is the file extension used for Rust packages and source code. Unfortunately, the most useful strings, those that reference IP addresses or file content and commands, are encrypted or obfuscated and are not easily parsed out. However, we can still see some of the API calls this program makes, which gives some hints about the functionality of the program.
Image 2: BlackCat API Calls
Source: Avertium's Cyber Threat Intelligence Team
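The cargo and “.rs” references described for Image 1 can be pulled out automatically during static triage, which also yields the names of third-party crates left behind in source paths. This is an added example, not Avertium's tooling; the sample bytes and every path in them are constructed, and the three-hit threshold for bare “.rs” paths is an assumption.

```python
import re

# Constructed bytes standing in for a compiled sample; every path below is made up.
SAMPLE = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00",
    b"\x01\x02/constructed/.cargo/registry/src/index.example-0000/aes-0.7.5/src/soft.rs\x00",
    b"\xff\xfeC:\\Users\\build\\.cargo\\registry\\src\\index.example-0000"
    b"\\rand_core-0.6.3\\src\\lib.rs\x00",
    b"\x00library/std/src/io/mod.rs\x00\x10\x11",
    b"called `Option::unwrap()` on a `None` value\x00",
])

SEP = rb"[\\/]"  # accept both Windows and Unix path separators
# <cargo home>/registry/src/<index dir>/<crate>-<version>/...
CRATE_RE = re.compile(
    rb"\.cargo" + SEP + rb"registry" + SEP + rb"src" + SEP + rb"[^\\/\x00]+" + SEP
    + rb"([A-Za-z0-9_-]+?)-(\d+\.\d+\.\d+[0-9A-Za-z.+-]*)" + SEP
)
# Any run of printable, non-space characters that ends in ".rs"
RS_PATH_RE = re.compile(rb"[\x21-\x7e]+\.rs(?![A-Za-z0-9_])")
# Source paths of the Rust standard library, kept for panic locations
STDLIB_RE = re.compile(rb"library" + SEP + rb"(?:std|core|alloc)" + SEP + rb"src" + SEP)


def rust_indicators(data):
    """Summarise Rust build artefacts that survive in a binary's plaintext strings."""
    crates = sorted({(m.group(1).decode(), m.group(2).decode())
                     for m in CRATE_RE.finditer(data)})
    rs_paths = [m.group(0).decode() for m in RS_PATH_RE.finditer(data)]
    stdlib_hits = len(STDLIB_RE.findall(data))
    return {
        "crates": crates,
        "rs_path_count": len(rs_paths),
        "stdlib_hits": stdlib_hits,
        # A cargo registry path or a standard-library source path is a strong signal;
        # bare ".rs" suffixes need a few hits before they count.
        "likely_rust": bool(crates) or stdlib_hits > 0 or len(rs_paths) >= 3,
    }


if __name__ == "__main__":
    print(rust_indicators(SAMPLE))
```

Even when command and network strings are encrypted, the crate list is usually in the clear and narrows down which libraries the sample was built with.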
During successful execution of the ransomware, a Y: and Z: drive are both added to the host. While nothing is visible to the end user on the Y: drive, the Z: drive contains just one visible file. That file is the ransom note, which informs the victim that information has been stolen, and instructs them on how to start recovery.
Image 3: Ransom Note File
Source: Avertium's Cyber Threat Intelligence Team
Image 4: Ransom Note
Source: Avertium's Cyber Threat Intelligence Team
No one can imagine what an entire day would be like without the products and services we use. The energy sector is a critical part of society and connects all critical infrastructure sectors. The U.S. economy cannot function without the energy sector. A cyber attack on energy would mean loss of electricity, gas, and oil, which then disables emergency services and even communication networks. This would leave the U.S. extremely vulnerable without the necessary resources to aid in a time of crisis.
Fortunately, all hope is not lost, and the energy sector can keep cyber threats to a minimum if they implement basic best practices for the sector:
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium offers the following services to keep your organization safe:
To prevent ransomware attacks, phishing attacks, IAM inefficiencies, supply chain attacks, and attacks via unpatched software, Avertium and the FBI recommend that you do the following:
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.