In the final part of our series, we take a look at the APT33 case study and several recommendations from our team of experts.
The oil and gas industry continues to be a prime target for threat actors who want to disrupt the operation and wreak havoc. In part two, we discussed various threats that can affect an oil and gas company, including ransomware, DNS tunneling, and zero-day exploits. For the final installment in the series, we will look at the case study APT33, a group widely believed to be responsible for many spear phishing campaigns targeting the oil industry and its supply chain. We will also present several recommendations to better strengthen the cybersecurity framework of oil and gas companies.
APT33: a case study
The APT33 group is known for targeting the oil supply chain, the aviation industry, and military and defense companies. Our team has observed that the group has had limited success in infecting targets related to oil, the US military, and US national security. In 2019, we discovered that the group had infected a US company providing national security support services.
APT33 has also compromised oil companies in Europe and Asia. A major oil company with operations in the UK and India had actual APT33-related infections in the fall of 2018. Some of the oil company’s IP addresses communicated with the C&C server times-sync.com, which hosted a so-called Powerton C&C server from October to December 2018, and then again in 2019. A server in India belonging to a European oil company communicated with a Powerton C&C server used by APT33 for at least three weeks in November and December 2019. We also observed that a large UK-based company providing specialist services to oil refineries and petrochemical facilities was likely compromised by APT33 in the fall of 2018.
The most well-known APT33 infection technique uses social engineering via email. The group has been using the same type of decoy for several years: a spear-phishing email containing a job offer that may seem completely legitimate. There have been campaigns involving job offers in the oil and aviation industries.
The email contains a link to a malicious .hta file, which in turn attempts to download a PowerShell script. That script would then download additional malware from APT33 so that the group could gain persistence in the target network. Table 1 lists some of the campaigns that we were able to retrieve from feedback data from the Trend Micro™ Smart Protection Network™ infrastructure. The company names used in the campaigns are not necessarily the targets of the campaign, but they are usually part of the social engineering lure.
The job opening social engineering lures are used for a reason: some of the targets actually receive legitimate email notifications about job postings for the same companies that are named in the spear-phishing emails. This means that APT33 has some knowledge of what its targets receive from legitimate sources.
APT33 is known to be linked to the destructive malware called StoneDrill and is possibly linked to attacks involving Shamoon, although we don’t have strong evidence for the latter.
In addition to APT33’s relatively aggressive attacks on the supply chain, we found that APT33 used multiple C&C domains, listed in Table 2, for small botnets consisting of around a dozen bots each. It seems that APT33 took special care to make tracking more difficult.
The C&C domains are hosted on cloud-hosted proxies. These proxies relay URL requests from infected bots to back-ends on shared web servers that can host thousands of legitimate domains. These back-ends are protected by special software that detects unusual probing by researchers. The back-ends report bot data to a dedicated aggregator and bot control server on a dedicated IP address. APT33 actors connect to these aggregators through a private VPN with exit nodes that change frequently. Through these VPN connections, APT33 actors issue commands and retrieve data from bots.
In the case of APT33, we were able to track private VPN exit nodes for over a year. We could link these exit nodes to admin connections to servers controlled by APT33. It appears that these private VPN exit nodes are also used for reconnaissance of networks relevant to the oil industry supply chain. More concretely, we have seen IP addresses that we believe are under the control of APT33 doing reconnaissance on the networks of an oil exploration company in the Middle East, an oil company in the United States, and military hospitals in the Middle East.
Table 2 shows a list of IP addresses that have been used by APT33. The IP addresses are likely to have been used for longer than the time slots indicated in the table. The data can be used to determine whether an organization was on APT33’s radar, for example for reconnaissance or for actual compromises.
Here are some general tips that can help companies in the oil and gas industry combat threat actors:
- Perform data integrity checks
While there may not be an immediate need to encrypt all data communications at an oil and gas company, there is some merit in taking steps to ensure data integrity. For example, with respect to information from various sensors at oil production sites, the risk of tampering with oil production can be reduced by at least ensuring that all data communications are signed. This can greatly reduce the risk of man-in-the-middle attacks where sensor values could be changed or where a third party could modify commands or inject commands without permission.
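One way to implement the signed sensor communications described above, as an added example that is not part of the original article: each reading carries an HMAC-SHA256 tag and a monotonically increasing sequence number, so a relay that alters a value or replays an earlier message is rejected. The shared key, sensor name and message layout are assumptions for this illustration.

```python
# Added example (not from the original article): HMAC-signed sensor telemetry
# with a per-sensor monotonic sequence number. Key, sensor ID and message
# layout are assumptions made for this illustration.
import hashlib
import hmac
import json
import secrets

SHARED_KEY = secrets.token_bytes(32)  # provisioned out of band per sensor


def _canonical(body: dict) -> bytes:
    # Canonical serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(key: bytes, sensor_id: str, seq: int, value: float) -> dict:
    """Build a telemetry message whose body is covered by an HMAC-SHA256 tag."""
    body = {"sensor": sensor_id, "seq": seq, "value": value}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Verifies the tag and enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq: dict = {}

    def accept(self, msg: dict) -> bool:
        body = msg["body"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare: rejects modified values and forged messages.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False
        # Reject replays: the sequence number must move forward per sensor.
        if body["seq"] <= self.last_seq.get(body["sensor"], -1):
            return False
        self.last_seq[body["sensor"]] = body["seq"]
        return True


def demo() -> tuple:
    """Genuine reading is accepted; a tampered copy and a replay are not."""
    rx = Receiver(SHARED_KEY)
    genuine = sign_reading(SHARED_KEY, "wellhead-7", 1, 143.2)
    ok = rx.accept(genuine)
    tampered = {"body": dict(genuine["body"], value=999.9), "tag": genuine["tag"]}
    tampered_ok = rx.accept(tampered)
    replay_ok = rx.accept(genuine)  # same sequence number presented again
    return ok, tampered_ok, replay_ok
```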
- Implement DNSSEC
We have noticed that many oil and gas companies have not implemented Domain Name System Security Extensions (DNSSEC). DNSSEC means digitally signing the DNS records of a domain name on the authoritative name server with a private key. DNS resolvers can check whether DNS records are properly signed.
- Lock domain names
Domain names can potentially be taken over by a malicious actor, for example, through unauthorized modification of DNS settings. To avoid this, it’s important to only use a DNS service provider that requires two-factor authentication for any changes to the DNS settings of an organization’s domains.
- Monitor SSL certificates
For brand name protection and for early warning of possible future attacks, it is important to monitor newly created SSL certificates that have certain keywords in the Common Name field.
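A keyword check against certificate names, as an added example that is not part of the original article: it normalizes each Common Name and SAN (decoding IDN/punycode labels, stripping accents, undoing common digit-for-letter substitutions) before matching, so lookalike names do not slip past a naive substring search. The brand keywords and the certificate records are constructed for this illustration.

```python
# Added example (not from the original article): flag certificates whose CN
# or SAN mentions a protected brand, after undoing IDN encoding, accents and
# leetspeak. Brand keywords and records below are constructed.
import unicodedata

BRAND_KEYWORDS = ["trendmicro", "acmeoil"]  # assumed brands to protect
LEET = str.maketrans({"0": "o", "3": "e", "5": "s", "@": "a"})


def normalize_name(name: str) -> str:
    """Decode IDN labels, strip combining marks, undo leetspeak, lowercase."""
    try:
        name = name.encode("ascii").decode("idna")  # xn--... -> Unicode
    except (UnicodeError, ValueError):
        pass  # already Unicode (or not valid IDNA); keep as-is
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.lower().translate(LEET)


def find_brand_matches(cert: dict) -> list:
    """Return (name, keyword) pairs for every CN/SAN that mentions a brand."""
    hits = []
    for name in [cert["cn"], *cert.get("sans", [])]:
        norm = normalize_name(name)
        for kw in BRAND_KEYWORDS:
            if kw in norm:
                hits.append((name, kw))
    return hits


# Constructed CT-log-style records. The IDN entry is generated at runtime so
# the punycode label is exact rather than hand-typed.
SAMPLE_CERTS = [
    {"cn": "www.example.org", "sans": ["example.org"]},
    {"cn": "trendmicr0-support.example", "sans": []},
    {"cn": "trendmícro-login.example".encode("idna").decode("ascii"), "sans": []},
    {"cn": "*.cdn.example", "sans": ["portal.acme0il.example"]},
]


def scan(certs: list) -> list:
    """Run the brand check over a batch of newly seen certificates."""
    return [hit for cert in certs for hit in find_brand_matches(cert)]
```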
- Beware of business email compromises
Protection against Business Email Compromise (BEC) is possible through spam filtering, user training to spot suspicious emails, and AI techniques that recognize the writing styles of individuals in the company.
- Require at least two-factor authentication for webmail
A webmail hostname can be hijacked through DNS or through a vulnerability in the webmail software. Webmail can also be targeted by credential phishing, and a well-prepared credential phishing attack can be quite convincing. The risk of using webmail can be significantly reduced by requiring two-factor authentication (preferably with a physical key) and a corporate VPN for webmail access.
- Organize employee training sessions for security awareness
It is important to have regular training sessions for all employees. These sessions may include awareness training on credential phishing, spear phishing, use of social media, data management, privacy policies, intellectual property protection, and physical security.
- Monitor data leaks
Watermarks make it easier to find leaked documents since the company can constantly monitor those specific marks. Some companies specialize in finding leaked data and compromised credentials; through active leak monitoring, potential damage to the business can be mitigated earlier.
- Keep VPN Software Updated
Several weaknesses in VPN software have been discovered in recent years. For various reasons, some companies do not update their VPN software immediately after patches are released. This is especially dangerous because APT actors start probing vulnerable VPN servers (including those of oil companies) as soon as a vulnerability becomes public.
- Check cloud service security settings
Cloud services can increase efficiency and reduce costs, but companies sometimes forget to effectively use all the security measures offered by cloud services. Some services help companies secure their cloud infrastructure.
To learn more about the digital threats facing the oil and gas industry, download our full study here.