Cybersecurity and the energy sector: Interview
Cyber threat intelligence leader at IntSights, Paul Prudhomme, told NGW in a late August interview of the risks that companies and governments face as the relatively new phenomenon of cyberwarfare becomes more sophisticated.
There are two principal kinds of cyber-attacker that governments and corporations face: hostile states and those purely in it for the money. Their aims are different but they exploit the same vulnerabilities in the target's software.
Hostile states need to devote a lot of resources to discovering their enemy’s weak spots, and this means accessing files that are supposed to be inaccessible to outsiders. Once inside, they might do nothing that betrays their presence; such patient, silent dwell time is costly and hence beyond the reach of most private attackers.
But first they have to penetrate the system undetected. This can be easier than it should be owing to lax administrative controls and inertia, although the deeper the hacker goes the greater the chance of unknowingly tripping an internal alarm.
These attacks aim to conduct exploratory reconnaissance on Western utility networks and maintain access to them so that they have the ability to disrupt Western economies on demand, for example in the event of a war between Russia and NATO, Prudhomme said: "Once they are in a certain point of the network, hackers can rewrite code so that a predictable computer command backfires when activated. This is not for immediate pay-back, but rather for long-term storage until actual physical hostilities break out."
Iran and Russia pose the biggest threats to the oil and gas industry, as they themselves depend so heavily on revenues from oil and gas. Their objective is to try to maintain their market share, he said. "This explains Iran’s cyber attacks on Persian Gulf oil and gas companies every couple of years, as US sanctions on Iran have kept its oil off the market. This began in 2012 with attacks on Qatar's RasGas and Saudi Aramco. That is the overarching theme: 'you take our market share and we will wipe your computers'."
The attacks can also paralyse entire computer systems with tens of thousands of units by wiping their master boot records, rendering them fit for nothing. "Replacing them all costs money, time and efficiency. Thanks to the Gulf Cooperation Council's embargo on Qatar – now lifted – Iran and Qatar are on good terms. The state oil company of Bahrain was another of Iran’s victims in 2019, again owing to market share," he said.
However, ransomware groups sometimes target state producers as well, as happened to Saudi Aramco earlier in the summer. Aramco said it was hit with a $50mn ransom demand in exchange for the destruction of Aramco data that had been taken from a contractor's network.
Oil and gas companies are not the only targets, and sometimes a state can itself be caught out when it intrudes into an industry with incomplete information. This might mean it cannot exit without leaving a trail, as happened when Iranian attackers tried unsuccessfully to poison Israel’s water infrastructure.
Keeping capabilities secret is key in the longer term as well: the satisfaction of boasting means that a particular trick cannot be repeated, as with the game-changing Stuxnet attack on Iran's nuclear centrifuges, which Washington then openly talked about.
China and North Korea make up the rest of the quartet of most active players in cyber-warfare. Russia has been focusing on utilities, the most severe attacks being those in Ukraine in 2015 and 2016 that caused power outages. Ukraine is a critical target as Russia wants to bring it back into its sphere of influence. "The US and the EU are also targets but in those cases the objective is not to break things as they did in Ukraine," he said.
Playing the long game is a very expensive and time-consuming process and is a main differentiator between states and criminal groups. For the latter, by contrast, opportunity is what matters and the target itself is unimportant. "They do not want to spend time for no reward. If they encounter too much resistance they can move on. States however can only acquire certain information from certain targets and these might be well defended," he said.
Ransomware gangs such as Darkside were able to do the damage they did to the Colonial Pipeline system in the summer because the company did not take the necessary precautions to protect credentials exposed in a data dump. In fact IntSights, a Rapid7 company, wrote two alerts for its oil and gas customers in December 2020 and February 2021 about Darkside's targeting of the energy industry.
"The threat of data disclosure is now a standard feature of ransomware attacks. Data that ransomware operators disclose, or threaten to disclose, from compromised companies may include credentials and other data points that other attackers can use to plant the seeds for future compromises," it said.
Criminal gangs, by contrast, are not too particular about what they attack as long as it is not too much effort. That can be international oil companies, or their vendors, such as a Texan oilfield service company, which also has access to a certain amount of third-party data, depending on how stringent its cyber-security systems are.
The difficulty with criminal gangs is that they tend to operate beyond the reach of OECD law enforcement agencies, so they can act with impunity. Darkside is a case in point, being based in Russia. Cryptocurrency, such as bitcoin, is their payment form of choice. "Bitcoin transactions are easy to track publicly on blockchain but the anonymity of bitcoin wallets – depending on how they were created – is better for evading law enforcement. Many actors have been gravitating toward other cryptocurrencies with greater privacy features, like Monero, but bitcoin is still 'the coin of the realm'," Prudhomme said.
Most of the Colonial Pipeline ransom payment was allegedly recovered, but it is very hard to see how that could be done, and explaining the government's capabilities could jeopardise its ability to pull off a similar feat in the future.
Ransomware operators are supposed to follow a certain code: failure to keep their word undermines the integrity of their “business model” and may damage the reputations of specific ransomware operators, but some of them break their word anyway, and they remain in business.
They also know exactly how much of what sort of information to threaten to publish to show they are not bluffing. They also have large sums of money to use for bribes: in one gang's attempt to gain access to the Tesla computer network through a bribable employee, the offer was raised from $0.5mn to $1mn. This also shows how much money they had hoped to make from the subsequent ransoming of data.
There are a number of ways in, apart from bribing a well-disposed insider to hand over information. Telecoms companies are a good source of data as so many codes, passwords and so on are sent unencrypted.
But target companies can protect themselves in many ways. "As workers now return to their desks in growing numbers, many companies will forget to disable VPN access. This will be one way to enter a company network: whatever is not active needs to be disabled," Prudhomme says. "Everything that is left active just creates more surface area for the hacker to gain a purchase. Social media networks such as LinkedIn are another weak spot, as these accounts are not normally supervised by the company management and employees typically include somewhere their work email address. This allows the deduction of email naming conventions."
Criminals can easily pose as someone else to intercept proprietary information or to send malware. And as employees tend to use office computer equipment for a lot of personal activity, organisations’ systems are naturally vulnerable unless strict measures are built into the architecture. These can include network segmentation, with firewalls preventing deeper penetration, he said.