Critical Infrastructure Security, Threat Management, Ransomware

Oil and gas sector lags behind other industries in gathering dark web intel

Colonial Pipeline

Twenty-seven percent of CISOs at oil and gas companies say that dark web activity has no impact on their company — and this comes at a time when it's common for threat actors to hold auctions on the dark web to sell access to compromised VPNs at energy firms, according to new research posted May 16 by Searchlight Cyber.

While 72% of oil and gas companies are already gathering dark web intelligence to protect their companies from cyberattacks, the Searchlight Cyber researchers say they are still behind many other leading industries, such as financial services at 85%, manufacturing’s 83% and transportation at 81%.

The researchers said energy companies may not have historically considered themselves the primary target for financially motivated cyberattacks from the dark web, but the cybersecurity landscape has changed dramatically over the past few years. Cybercriminals are no longer just focusing on banks and insurance companies, they are increasingly targeting enterprises in industries such as healthcare, oil and gas (think Colonial Pipeline), and manufacturing.

These trends make dark web intelligence more vital than ever, researchers said. Here are some of the leading findings in the report:

  • The predominant activity observed against the energy industry on the dark web are the auctions for initial access to energy companies that routinely take place on dark web forums.
  • Threat actors often use the terms “start,” “step,” and “blitz,” which indicate the start price, the increments of the bids and a “buy-it-now” or "blitz" price.
  • Searchlight Cyber found activity all over the world, including in the United States, Canada, the United Kingdom, France, Italy, and Indonesia.
  • While the dark web forum Exploit has been the most popular for these activities, the researchers also found these activities on RaidForums and BreachForums.
  • In one of the examples outlined in the report, bidding started at $1,500 and bids are placed increments of $500. However, if somebody wanted to purchase the access outright they could do so at the “blitz” price of $2,500. Asking prices do vary, sometimes they are as low as $20 and range up to $2,500.
  • The sale of compromised VPNs is especially common, which the researchers say indicates that security teams should put their efforts into protecting.

“Some readers may recognize that a compromised VPN is the exact technique that the ransomware gang DarkSide used to breach Colonial Pipeline in the infamous 2021 attack,” said Ian Garratt, a threat intelligence analyst from Searchlight Cyber and author of the report. “In that case, the oil pipeline was forced to shut for several days to reduce the risk of the ransomware attack spreading to the operational network, prompting the U.S. president to declare a state of emergency.”

Ransomware threat actors are going after any industry that generates significant profits, and energy companies certainly fall into that category, said Phil Neray, vice president of cyber defense strategy at CardinalOps. Neray said they tend to have weaker security controls because of the high number of remote access connections that can be exploited via weak or stolen credentials, or VPN vulnerabilities.

The Colonial Pipeline attack via a compromised VPN resulted in a ransomware payout of $4.4 million, plus a proposed fine of nearly $1M from federal regulators, said Neray.

“Preventing breaches starts with having the right detections in the SOC, and as described in the report, organizations should use MITRE ATT&CK to build a threat-informed defense based on detecting TTPs commonly used by adversaries targeting their industries," Neray said.

Ani Chaudhuri, chief executive officer at Dasera, added that while the report shines a light on an important sector, it’s disconcerting that 27% of energy industry CISOs do not recognize the impact dark web activity can have on their organizations. Chaudhuri said cybercriminals are indiscriminate in their targets: no industry, no matter how niche or specialized, is exempt from their reach.

“The auctioning of initial access to corporate networks on dark web forums should serve as a wake-up call to all energy sector companies, regardless of their size or location,” said Chaudhuri. “The reality is the energy industry is not merely a collection of companies. It represents the backbone of global infrastructure, and a breach in this sector could have far-reaching and devastating consequences.”

Andrew Barratt, vice president at Coalfire, said the auctioning of critical infrastructure gives us insight into the perceived value of these entities on the black market. Barratt said rather than just a relatively low ticket (some initial access is sold for under $1,000) there’s potentially an expectation that nation-state actors pick up these critical infrastructure items for leverage in the future. 

“It’s not uncommon for companies to use threat intelligence feeds that show the initial access brokers pricing, and where they can determine they are at risk will acquire the vulnerable access just to shut it off,” explained Barratt.

Mike Parkin, senior technical engineer at Vulcan Cyber, pointed out that the energy sector is not a new target for cybercriminal attack, which this report reinforces. However, it also shows just how advanced the cybercrime ecosystem has become: between crime-as-a-service offerings, brokers selling access to compromised targets, botnets, and cryptomining farms, they are showing the diversity and maturity we expect from legitimate commercial organizations. 

“Having this additional information can be helpful for an organization to understand what sort of adversaries they may face, but the truth is anyone can be a target,” said Parkin. “Ultimately, the standard precautions we should all be taking — up-to-date patches, secure configurations, and educating users — applies regardless of where we expect an attack to originate.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.