Hackers launched a sophisticated espionage campaign focused on energy companies in the United States while the world's largest oil producers were holding a week-long meeting earlier this month to counter falling crude prices.

In this campaign, the hackers used a phishing tactic in which the victim receives messages from a source they consider reliable and therefore opens the links attached to the message. Doing so installs malicious programs without the victim's knowledge, which often gives the hacker information from the victim's machine.

The campaign focused on energy companies in the United States, and the goal was to install a Trojan horse to acquire their most sensitive communications and data.

This campaign was notable because the emails were free of spelling and grammatical errors, unlike what is typical of this type of phishing message. The emails also indicate that the sender was well versed in the energy production business.

For example, a group of emails starting on March 31 claimed to come from the Petroleum Engineering and Processing Industries Company, a real oil company based in Egypt. The sender invited the recipient to submit a quote for equipment and materials as part of a project known as the Rosetta Sharing Joint Facilities Project, on behalf of the Egyptian Petroleum Company Burullus, which is a joint gas project half of which is owned by another Egyptian oil company.

The email, which was sent to about 150 oil and gas companies over the course of a week starting March 31, carried two attached files presented as conditions, forms, and bidding requests. In reality, these files were a disguise for malware.

The relatively small number of people targeted illustrates how carefully this campaign was designed. This is in contrast to many phishing campaigns that send tens of thousands of email messages indiscriminately.

The hackers used the name of a real Indonesian oil tanker that was leaving port on April 12 (Reuters)

"For a victim who works in the oil and gas industry and has knowledge of these projects, the email and information in it may appear convincing enough to open the attachments," researchers from the security company Bitdefender wrote in a report published Tuesday.

The most targeted companies were in Malaysia, the United States, Iran, South Africa, and Oman.

A second campaign began on April 12, with an email asking recipients to complete a document described as the oil shipping port costs for the MT Sinar Maluku.

Strangely enough, this is the name of a real ship registered under the Indonesian flag. It left the port on April 12, and was expected to arrive at its destination two days later. The email was sent to 18 companies, including 15 freight companies in the Philippines.

Experts say, "This e-mail is another example of the attackers' mastery of the information necessary to catch the victim and make the e-mail appear legitimate."

The campaigns may be an attempt to obtain information about the current negotiations between Russia, Saudi Arabia, and other oil producers facing an abundance of crude caused by the coronavirus pandemic.

This is not the first time that companies in the industry have been targeted, Bitdefender said. The security company has been tracking a series of cyber attacks on energy companies over the past year. Since October, the number has increased every month and reached its peak in February with more than 5,000 attacks.

The attached files install a malicious program that has a variety of capabilities that include "stealth and evasion techniques" that ultimately enable it to extract credentials, copy clipboard data, perform screenshots, capture contract records, and even collect credentials for a variety of installed applications.