Oil & Gas Spearphishing Campaigns Carry Agent Tesla Spyware

As the oil market crashes, news comes that hackers have been targeting oil and gas companies with spearphishing campaigns loaded with Agent Tesla spyware. Bitdefender researchers say “this is the first documented instance where Agent Tesla has been associated with an attack against the oil and gas industry.”

The attacks appear to have centered on the recent OPEC+ deal as they targeted related companies in the U.S., Malaysia, Iran, South Africa, Turkey, Oman and The Philippines.

Bitdefender’s Liviu Arsene

“The date when we registered the spike seems to coincide with the same date when OPEC and other producers were supposed to extend a deal on oil output curbs. The fact that it drops the Tesla Agent infostealer suggests these campaigns could be more espionage-focused,” said Liviu Arsene, Global Cybersecurity Researcher for Bitdefender.

Arsene said that these threat actors might have some skin the game — perhaps some stakes in oil and gas prices or in future developments — especially since the niche targeted vertical dovetails with the ongoing oil crisis.

“In this sector, the links between the government and private sector are very strong and in many countries the government owns large parts of these companies. Even though private companies do not directly influence negotiations, they may deal with confidential information about the OPEC meeting,” Arsene said.

The spearfishing campaigns are exceptionally well done as they “reference legitimate and well-known companies, projects, processes, and vessels and use industry jargon and abbreviations,” according to a recent Bitdefender report.

“This seems to be an espionage campaign that involved having intimate knowledge of operational procedures and jargon used by the industry. This could be the result of knowledge acquired over time through other campaigns, which potentially led to getting access to this type of information,” said Arsene.

Using the Tesla Agent spyware seems to indicate an interest in collecting information specific to the targeted industry.

KnowBe4’s James McQuiggan

“The criminals are using a malware strain from six years ago, which downloads a keylogger onto the computer. This malware collects sensitive information,” said James McQuiggan, Security Awareness Advocate at KnowBe4.

The bottom line is that it is getting progressively harder to spot spearphishing emails given the immense amount of accurate details threat actors commonly use these days.

“If there’s one thing these highly focused spearphishing attacks have in common, it’s that attackers seem to leverage every piece of information, public or from past breaches, to surgically craft messages and emails that have a really high chance of tricking victims,” said Arsene.

Besides leveraging information, criminals are cleaning up their act to fool more people too.

“Gone are the days of phishing emails with misspellings, poor grammar and zip files. The criminal groups are becoming more and more sophisticated with understanding organizational procedures to socially engineer their way in via email,” said McQuiggan.

Given the rise in sophistication of phishing attacks, this is a good time for MSSPs to review their user training programs to ensure the ways of detecting spearphishing are up to date.

It is also prudent for MSSPs to increase protections for customers in verticals that haven’t been heavily targeted in the past but may be in the news now. Previous attack patterns and tactics may not be as prevalent in this new global pandemic paradigm.