Two ways to inflate oil prices, or attacks on oil and gas as a means of influencing stock indices

In September 2019, the price of oil rose sharply due to an attack by drones at the enterprises of the state-owned corporation Saudi Aramco in Saudi Arabia, as a result of which 5% of the world’s oil reserves were destroyed and refineries were disabled. However, in order to stop the operation of an oil refinery (refinery), it is not necessary to physically destroy it, because according to Trend Micro Research “Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry” a well-planned cyberattack can cause quite comparable damage. In this post, we’ll talk about how the infrastructure of oil and gas enterprises works and which cyber attacks pose the greatest threat to it.

How is the infrastructure of the oil and gas company

The oil and gas company’s production chain includes many processes – from exploring new fields and selling gasoline poured into the car’s tank, to gas, which is used to prepare meals for city dwellers. All these processes can be divided into three parts:

  • exploration and production;
  • transportation and storage;
  • processing and implementation.

A typical oil company has in its “farm” production sites for producing oil from wells, tank farms for temporary storage of raw materials and a transportation system for delivering crude oil to refineries. Depending on the location of the well, transportation can take place through the pipeline, on trains or oil tankers.

After processing at the refinery, finished products are accumulated in the tank farms of enterprises and then shipped to consumers.

A typical gas production company is structured similarly, but its infrastructure also includes compressor stations that compress the produced gas for transportation to a separator unit, which in turn separates gas into various hydrocarbon components.

The most important task in the entire production chain is to monitor and control everything that matters to safety, productivity and quality. Since the wells can be located in remote areas with extreme weather, remote control of equipment at the facility is organized – using valves, pumps, hydraulics and pneumatics, emergency stop and fire extinguishing systems.

For such systems, their availability is crucial, because often monitoring and control data are transmitted in the clear, and integrity checks are not performed. This creates a lot of opportunities for attackers who can send commands to actuators, replace sensors, and even stop the operation of a well or an entire oil refinery.

The variety of infrastructure components of oil and gas companies creates virtually inexhaustible opportunities for attacks. Consider the most dangerous of them.

Infrastructure sabotage

Having penetrated the enterprise’s network with the help of a phishing email or exploiting an unsecured vulnerability, attackers will be able to take the following actions that could harm or even stop the work of any production site:

  • modify the settings of the automated control system;
  • delete or block data without which the company’s work is impossible;
  • falsify sensors to disable equipment.

Such attacks can be carried out either manually or with the help of malware similar to the Shamoon / Disttrack viper, which attacked several oil and gas companies in 2012. The largest among them was the already mentioned company Saudi Aramco. As a result of the attack over 30 thousand computers and servers were disabled for 10 days.

A Shamoon attack on Saudi Aramco was organized by hacktivists of the previously unknown Cutting Sword of Justice to punish the company for “atrocities in Syria, Bahrain, Yemen, Lebanon and Egypt.”

In December 2018, Shamoon attacked the Italian oil company SaipemHaving cleaned up 300 servers and about 100 computers in the Middle East, India, Scotland and Italy. In the same month it became known Petrofac Infrastructure Infection Malware.

Insider threats

Unlike an external attacker, an insider does not need to study the structure of the company’s internal network for months. With this information, an insider can do much more damage to the business of a company than any external attacker.

For example, an insider may:

  • Modify data to create problems or allow unauthorized access to them;
  • delete or encrypt data on corporate servers, in the project’s public folders, or anywhere that it reaches;
  • to steal the intellectual property of the company and transfer it to competitors;
  • organize the leak of confidential corporate documents by transferring them to third parties or even publishing them on the Internet.

DNS interception

This type of attack is used by the most advanced hacker groups. Having gained access to managing domain records, an attacker can, for example, change the address of a corporate mail or web server to a server controlled by him. The result may be the theft of corporate credentials, the interception of e-mail messages and the conduct of “watering hole” attacks, during which malware is installed on the computers of visitors to a fraudulent site.

To intercept DNS, hackers can attack not the owner, but the domain name registrar. Having compromised the credentials for the domain management system, they get the opportunity to make any changes to the domains controlled by the registrar.

For example, if you replace the legitimate DNS servers of the registrar with your own, you can easily redirect employees and customers of the company to phishing resources, giving their address instead of the original one. The danger of such an interception is that a high-quality fake can for a long time transmit to the attackers the credentials of network users and the contents of corporate correspondence, without causing any suspicion.

There are even cases when besides DNS attackers gain control of company SSL certificates, which made it possible to decrypt VPN and mail traffic.

Webmail attacks and corporate VPN servers

Webmail and secured connection to the corporate network via VPN are useful tools for employees working remotely. However, these services increase the attack surface, creating additional opportunities for attackers.

Having hacked a webmail host, criminals can study correspondence and infiltrate it to steal secret information, or use the information from letters for BEC attacks or introduce malware to sabotage the infrastructure.

No less dangerous are attacks on corporate VPN servers. In December 2019, cybercriminals mass exploited the vulnerability CVE-2019-11510 in Pulse Connect Secure and Pulse Police Secure VPN solutions. Through it, they penetrated the infrastructure of companies using vulnerable VPN services, and stole credentials to access financial information. Attempts were made to withdraw from the accounts of several tens of millions of dollars.

Data leaks

Confidential company documents can be made publicly available for various reasons. Many leaks occur due to oversight as a result of incorrect configuration of information systems or due to the low level of literacy of employees working with these documents.


  • Storage of documents in a public folder on a web server;
  • Storage of documents on a public file server without proper access control;
  • Backing up files to a public insecure server;
  • Placing a database with classified information in the public domain.

To search for leaked documents, special tools are not needed; quite enough features that Google has. Searching for secret documents and vulnerabilities using Google search operators – dorking – allows you to detect secret documents of companies that, for some reason or other, were included in the search index.

An oil company confidential document found through Google Dorks. Source: Trend Micro

The problem with leaked documents is that they often contain information that competitors can legally use against the company, damage long-term projects or simply create image risks.

The laboratory report for the oil company, which we discovered in the public domain, contains information about the exact location of the oil slick with the indication of the vessel that allowed the pollution. Obviously, such information is confidential and the company hardly wanted to allow it to be publicly available.

Recommendations for oil and gas companies

Given the complexity of the IT landscape of the oil and gas industry, there is no way to provide absolute protection against cyber threats, but the number of successful attacks can be significantly reduced. To do this, you must:

  1. implement encryption of the traffic of sensors and control systems – although at first glance it may seem that this is not necessary, the adoption of this measure will reduce the risk of attacks such as “people in the middle” and exclude the possibility of substituting commands or information from sensors;
  2. Switch to using DNSSEC to protect against DNS interception attacks.
  3. use two-factor authentication to manage the DNS settings at the registrar and access to webmail;
  4. monitor the generated SSL certificates for the content of keywords associated with the company in these certificates – for example, the presence of a company’s trademark in the Common Name field of a certificate created by unauthorized persons indicates its potentially malicious purpose.
  5. Track confidential document leaks using search queries like Google Dorks. To facilitate this task, all important documents need to incorporate watermarks.


Cyber ​​attacks on the oil and gas sector can be used as a tool to influence stock quotes along with attacks in the real world, which means that unscrupulous stock speculators can use the services of cybercriminals to inflate the cost of oil and gas and get extra profit.

The effectiveness of such attacks may turn out to be significantly higher than using other tools, for example, stealing funds from the company’s accounts by compromising business correspondence, since it is almost impossible to prove the relationship between a cyber attack and profit from the sale of up-priced futures.

With these factors in mind, organizing cybersecurity is becoming a critical task to ensure the stability of both the oil and gas sector and the global hydrocarbon market.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *