Hackers Target Oil and Gas Industry Ahead of Crucial OPEC Meeting 

April 27, 2020 by Alessandro Mascellino

Hackers have impersonated an Egyptian oil contractor and a shipping company to try and spread malware in several countries ahead of an international oil producers meeting.

The malicious actors used a known malware called Agent Tesla, and given the timing and nature of the attacks, they noticed how they might have been aimed at discovering the outcome of the OPEC meeting ahead of official sources.

The attacks were discovered by internet security company BitDefender, which last Tuesday noticed a rapid increase in phishing attempts from hackers impersonating the Egyptian oil company Enppi and an international shipping company.


How Did the Hacking Occur?

Agent Tesla first appeared on the web in 2014. It has since been sold as legitimate software but the fact the program is only sold through untraceable Bitcoin cryptocurrency tells a different story.

The malware, which offers various features designed to help it remain undetected on host computers, collects victims’ information by recording keystrokes and user interactions.

According to BitDefender, spear phishing campaigns utilizing software like Agent Tesla usually target large numbers of victims. This one, however, seemed to be targeting specifically the oil & gas sector, which the Romanian antivirus company deemed rather unusual.

The phishing attempts reproduced Enppi’s email format and invited the recipient to submit a bid for equipment and materials regarding an existing project called Rosetta Sharing Facilities on behalf of well-known gas company Burullus.

A legit email by its look, the message’s attachments allegedly illustrating requested materials and equipment were in reality rigged with the Agent Tesla malware. As for the second campaign targeting the oil industry ahead of the OPEC meeting, the hackers impersonated a shipping company and targeted some firms based in the Philippines between April 12 and 13.


A Crucial Time for Security

Because of their high economic value, the oil & gas industry has been targeted by hackers several times in the past few years. The most notorious cases were reported in 2017 and 2019; in both occurrences, hackers used similar email formats and delivered spyware such as the Remote Administration Tool (RAT) Remcos Trojan.


oil and gas refinery

Oil and gas facility with oil storage tanks. 


Remcos is a powerful tool that potentially gives an attacker full control over a victim’s machine, and the fact it can be embedded and executed via an Office document makes it particularly dangerous. These last campaigns, however, tried to deliver the Agent Tesla spyware instead of Remcos, which has not been reported before.

Moreover, BitDefender noticed how these attempts targeted companies not only in the oil & gas sector but also other energy companies that have been considered key actors in the international panorama during the Coronavirus emergency.


Oil Prices Dropping Significantly

Due to the pandemic lowering global oil demand, both oil and gas industries have also been under substantial pressure in the past few weeks, with oil prices per barrel dropping by more than half to the lowest since 2002.

Due to these emergency circumstances, tensions have mounted between large oil firms, and a disruptive dispute between Russia and Saudi Arabia only ended with an agreement at the recent meeting between the OPEC alliance and the G20 nations. The event was designed to agree on slashing oil production output and balance prices to face the disruptions caused by COVID-19 together.

Given the extreme delicacy and impactful outcome of the event, it comes to no surprise that the recent Agent Tesla phishing attempts are seen as particularly dangerous. Moreover, the nature of the malware itself could make it difficult to identify the malicious actors behind the attacks.

Since its creation in 2014, more than 6,300 (anonymous) customers have purchased one of Agent Tesla’s subscription hacking options, making it a pretty long list to check.


What do you think about these attacks and are you taking steps to protect your company from hacking attempts?