Oil Industry Targeted by Elaborate Spearphishing Attacks Amid Fuel Crisis
Spearphishing Attacks Targeting High-Value Oil Industry Targets
With the cost of fuel hitting a new historic low, experts fear that this may be the beginning of a crisis unlike any the world has seen before. Some believe that the coronavirus pandemic will have the same long-lasting effects on the global economy as the Second World War.
The gallon has hit the $0.88 mark (according to the latest estimates), but this brings little comfort to people living under government-imposed lockdown. While Russia and Saudi Arabia are calling a truce in the so-called “price tussle” in a bid to stabilize the rapidly declining market, malicious actors have declared total war on the oil industry.
In a relatively short timeframe, two massive spearphishing campaigns have been identified.
Cybersecurity researchers analyzing the incidents stated that the multi-pronged attacks registered in late March and early April may have been used to gain sufficient momentum to conduct a larger and more devastating incursion.
The data made available so far reveals an unprecedented level of guile and cunning, as the emails used during the said attacks are virtually free of the errors one would expect to find in spearphishing content.
Furthermore, the latest attacks, which targeted employees working in the oil and energy industry, mark, no doubt, the advent of a new era of cyberaggression. Regrettably, the detection and mitigation methodology employed so far may prove to be useless against this new type of e-threat.
In this article, we are going to take a closer look at the two spearphishing attempts targeting the oil and energy industry. We will also analyze occurrences and dispersal patterns, and discuss methods of countering spearphishing.
ENPPI and the Rosetta Sharing Facilities Project
Some background information: on the 10th of April, Russia and the OPEC+ alliance (Organization of the Petroleum Exporting Countries) reached an agreement with the G20 to address the rising oil prices and prevent what could very well be a financial catastrophe.
Ever since the World Health Organization declared a pandemic, gas prices have plummeted, reaching an all-time historic low, surpassing even the one registered in 2002 (54.8 cents/gallon).
Major global events of this nature often attract opportunists and, of course, malicious actors willing to take the proverbial leap of faith, armed with the knowledge that organizations are now more vulnerable than ever before.
On the 31st of March, a massive spearphishing attempt was detected. According to the cyber-investigators, the campaign targeted high-value individuals working with or at some major Philippines-based shipping companies.
The purpose of these high-profile spearphishing attacks was to deploy Agent Tesla-spun spyware, an infamous MaaS (Malware-as-a-Service), on the victims’ machines, to extract valuable information that could later be sold on the dark web.
The incident report reveals that the hackers behind this attack posed as ENPPI (Engineering for Petroleum and Process Industries, the Egyptian state-held oil company) to send fraudulent emails on behalf of Burullus, a legitimate, government-owned deep-sea drilling and natural gas production company.
The set of emails officially invited the targets to submit a firm bid for various materials and equipment, as part of the Rosetta Sharing Facilities Project.
The said emails themselves showcase an unprecedented level of guile – the message body was free of spelling errors and even contained real data about the companies and the project. Attached to the email were two zip-type attachments rigged to deliver the malicious Agent Tesla spyware Trojan payloads once the user opened them.
Taking a closer look at the attachments, the unpacked archives contained two executables – one entitled “BURULLUS EPC WORKS FOR ROSETTA SHARING FACILITIES PROJECT.exe”, the other named “WEIR OIL & GAS PROJECT NO. 4621-422-298-01-20.exe”.
Both were engineered to deploy a malicious payload. Interestingly enough, further research reveals that the second executable was crafted specifically for this spearphishing attempt. The first one has been used in other schemes targeting high-profile targets from the oil and energy industry.
MT. Sinar Maluku spearphishing
The second spearphishing campaign took place just two days after the OPEC+ – G20 summit. Cybersecurity investigators were struck to discover that the emails involved in this spearphishing attempt contained real and auditable data.
From a chronological standpoint, the first spearphishing attempt was registered on the 12th of April, when a high-profile employee of a Philippines-based oil company received an ‘official’ email regarding a pending EPDA (Estimated Port Disbursement Account).
The recipient was asked to send the said document for Mt. Sinar Maluku, a real chemical/oil tanker bound for Belawan. Moreover, the sender had reportedly asked for additional information regarding tanker ops, such as the CFM (Container Flow Information).
The email contained a viral payload similar to the one used during the March spearphishing attack (Agent Tesla spyware). Attached to the email was a WinRAR archive which carried a Tesla-infected executable.
Pre-COVID Spearphishing Attacks in the Oil/Energy Industry
The coronavirus pandemic may well be the advantage hackers were seeking to conduct spearphishing attacks, but the oil and energy industry had been affected long before the COVID outbreak. Here are the most notable pre-COVID spearphishing events.
- In 2019, LYCEUM, a malicious group, disseminated countless spear-phishing emails to high-profile targets in the oil and gas industry. The emails in question contained a malicious .xlsm file, which was rigged with an auto-run macro to deploy DanBot. The malware was used to capture keystrokes, monitor network traffic, and steal credentials.
- In a report drafted in 2017, cybersecurity researchers revealed that hackers managed to tap into the power grid operations of several European- and US-based power facilities. The unauthorized access led to a chain of events, culminating in the group effectively shutting off the electricity to an entire neighborhood.
- In 2018, a report drafted by Aon showed that a spearphishing attack led to a hydroelectric dam contractor losing control over the floodgate mechanisms. The malicious actors maintained their grip on the dam for more than 10 days until the contractor managed to purge the malware from all systems.
Countering Spearphishing attempts
With the threatscape shifting once again, the need for better tactics grows more pressing. Below, you will find a list of actionable countermeasures you can start implementing right away.
Continuous cybersecurity education
Education is key to preventing any type of cyberattack. When receiving emails that purportedly come from a legitimate source, one must ask whether the actions suggested in the mail’s body could compromise the company’s security.
For instance, in the case of the two spearphishing attacks, the best approach would have been to analyze the attachments before opening them. If they are really documents, why should they have a .exe extension? Moreover, when receiving such requests, you should confirm them with your case manager or your CEO.
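The check described above (an archive that hides an executable, possibly behind a document-style name) can be automated at the mail gateway or in an analyst's triage script. The following is an added example written for this article, not a tool from the original page or from Heimdal: it parses an .eml message, walks every attachment, and flags executables by extension and by PE magic bytes, including inside zip archives. The message, the archive and the inner filenames are constructed samples, not the real lure names from the campaigns; RAR archives (as used in the April email) would need a third-party library and are left as a noted gap.

```python
"""Attachment triage for the archive-wraps-executable lure pattern.

Added example, not part of the original article. Sample data is constructed.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".js", ".vbs", ".ps1", ".msi", ".dll"}
# Extensions a lure borrows to look like a harmless document ("bid.pdf.exe").
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
MAX_DEPTH = 3                 # nested archives to descend into
MAX_MEMBER_BYTES = 20_000_000 # refuse to inflate oversized members (zip bombs)


def inspect_blob(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return human-readable findings for one file (recursing into zips)."""
    findings: list[str] = []
    base = name.rsplit("/", 1)[-1]
    exts = ["." + p for p in base.lower().split(".")[1:]]
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXT:
        findings.append(f"{name}: executable extension {last}")
    if last in EXECUTABLE_EXT and any(e in DOCUMENT_EXT for e in exts[:-1]):
        findings.append(f"{name}: double extension posing as a document")
    # PE files start with the 'MZ' DOS header; check bytes, not just the name.
    if data[:2] == b"MZ":
        findings.append(f"{name}: PE (MZ) header regardless of extension")

    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{name}/{info.filename}: member too large "
                                    f"to inspect ({info.file_size} bytes)")
                    continue
                findings.extend(inspect_blob(f"{name}/{info.filename}",
                                             zf.read(info), depth + 1))
    # Note: RAR archives are not handled by the standard library; a gateway
    # deployment would add a RAR extractor or quarantine unreadable archives.
    return findings


def inspect_message(raw: bytes) -> list[str]:
    """Parse an RFC 5322 message and inspect every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_blob(name, data))
    return findings


def is_suspicious(raw: bytes) -> bool:
    """Gateway-style verdict: any finding means hold the mail for review."""
    return bool(inspect_message(raw))


def build_sample_message() -> bytes:
    """Constructed lure: a bid invitation whose zip hides a fake 'PDF' .exe."""
    fake_pe = b"MZ" + b"\x00" * 62  # constructed stub with a PE magic, not a program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TENDER DOCUMENTS.pdf.exe", fake_pe)   # placeholder name
        zf.writestr("readme.txt", b"constructed benign member")
    msg = EmailMessage()
    msg["From"] = "procurement@example.invalid"   # placeholder sender
    msg["To"] = "bids@example.invalid"
    msg["Subject"] = "Invitation to bid (constructed sample)"
    msg.set_content("Please find the tender documents attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="TENDER.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in inspect_message(build_sample_message()):
        print(line)
```

Run against a real mailbox export, this produces one line per reason an attachment should not be opened; the MZ check matters because a renamed executable (for example a `.exe` delivered as `.scr`, or with no extension) still carries the DOS header.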
Upgrade your cyber-defenses
Agent Tesla and other MaaS offerings need C&C servers to operate. The best way to counter this is DNS traffic filtering. More specifically, you will need a solution that effectively blocks the malicious connection to the server before sanitizing your device.
Heimdal™ Threat Prevention, Heimdal™ Security’s response to second-generation malware, can root out the malicious packets hidden within a transmission and sever the connection to the Command & Control servers the hackers use to steal data from compromised devices.
Download and execute suspicious attachments in a controlled environment
To ensure that the attachments found inside an email are legitimate, it’s recommended to execute them in a secure environment to see how they behave. This piece of info comes with a warning label: please do not make this attempt before informing your system administrator.
More than that, ensure that the ‘sandboxing’ environment is isolated from the rest of the network before proceeding. The easiest way to do this is by installing a virtual machine on a dedicated server.
There are plenty of tools out there that can help you set up a VM; I personally use Oracle’s VM VirtualBox for this sort of task. Be sure to install a cybersecurity solution on the VM to gauge the malware’s behavior.
Finally, connect to the Internet, open your email agent, and open the attachments. You should also ask your sysadmins for some help in analyzing the behavior of the attachments’ contents after they are opened.
The latest spearphishing attacks on the oil industry may very well be the harbingers of something more ominous. Shoring up our cyber-defenses is vital in countering such sophisticated threats. COVID-19 has upset the balance, which is bound to attract even more malicious actors.