The report revealed that Dragos recently discovered a new activity group targeting this industry, bringing the total number of ICS-targeting activity groups that the security firm tracks to nine, five of which directly target oil and gas organisations.
As adversaries that target ICS environments improve their capabilities, it is easier for them to execute difficult attacks that cause operational disruptions or environmental damage, said the report.
“Due to the political and economic impact, and direct effect on civilian lives and infrastructure, the oil and gas industry has a high risk for ICS-targeted destruction and disruption campaigns originating from a cyber attack,” the report said.
Dragos assesses that state-associated actors will increasingly target oil and gas and related industries to further their political, economic and national security goals.
The report highlighted active supply chain compromises by activity groups targeting original equipment manufacturers (OEMs), third-party suppliers and telecommunications providers as a significant threat.
Oil and gas companies need to understand the behaviours and capabilities of activity groups targeting electricity utilities, the report said, because these adversaries may shift or expand targeting to include other energy sectors.
Cyber security visibility in oil and gas operational environments remains severely lacking, the report warned, allowing intrusions to dwell longer and cyber root cause analysis after an incident to remain elusive.
The report warned that the energy infrastructure of all countries is at risk, and companies and utilities are facing global adversaries.
“Cyber attacks are an increasing means to project power in the energy domain,” it said. “Traditional oil, natural gas, electricity and others can no longer be viewed as separate sectors to protect, but rather as a single interconnected infrastructure.”
The report also detailed the activities of a new group targeting ICS-related entities detected by Dragos, dubbed “Hexane”, which has been observed targeting oil and gas companies in the Middle East.
Unlike other activity groups tracked by Dragos, the security firm said Hexane is also targeting telecommunication providers in the greater Middle East, Central Asia and Africa, potentially as a stepping stone to network-focused man-in-the-middle (MitM) attacks.
Hexane’s intrusion activity includes malicious documents that drop malware to establish footholds for follow-on activity.
Although the group appears to have been operational since at least mid-2018, Dragos researchers found that its activity accelerated in early to mid-2019. This timeline, targeting and increased operations coincide with an escalation of tensions within the Middle East, a current area of political and military conflict, the researchers said.
Hexane’s telecommunications targeting appears to follow a trend demonstrated by other activity groups, the researchers said, noting that ICS adversaries are increasingly targeting third-party organisations along the supply chains of potential targets.
For instance, in 2018, Dragos identified the activity group Xenotime targeting several industrial OEMs and hardware and software suppliers. By compromising devices, firmware or telecommunications networks used by targets within ICS, malicious activity could potentially enter the victim’s environment through a trusted supplier, bypassing much of the entity’s security stack, said the report.
Although Hexane demonstrates similarities to the activity groups in targeting ICS largely in the oil and gas industries, and some of the behaviours and recently observed tactics, techniques and procedures (TTPs) are similar, the report said the collection of Hexane behaviours, tools and victimology makes it a unique entity.
However, Dragos has assessed with “moderate confidence” that Hexane does not currently possess the access or the capability to disrupt ICS networks.