Due to the high value of its supply chain, commodities, transactions, and intellectual property, the oil and gas industry is an ideal target for socially-engineered email attacks. Oil producers, brokers, and transporters must learn how to use preventative measures to mitigate the risks of falling prey to a spear phishing attack.

1. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 1
Protecting
THE OIL & GAS
INDUSTRY
FROM EMAIL THREATS

2. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 1
Abstract: Given the oil and gas industry’s critical nature, valuable intellectual
property and high-value transactions, the threat of cyber-attacks is very real. It is
vitally important that the oil and gas industry better protect their organizations
from modern day email threats by implementing advanced email management
and threat protection technologies. The investment required for preventative
measures is dwarfed by the risk of a security breach.
According to a recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT),
the energy sector, including oil and gas, is facing a significant rise in cyber attacks (Galea, 2015). There are a
number of reasons that this industry is an ideal target for attack: Oil and gas pipelines are part of a country’s critical
infrastructure, and they are an ideal target for those looking to cause disruptions in critical services for political or
military motives; The industry is highly competitive, as both private enterprise and countries engage in aggressive
market share tactics, often with global implications; Intellectual property is highly-valued, making it an attractive
target for cyber-espionage. Finally, the sheer value of the oil and gas industry’s commodities make it an especially
lucrative target. With producer and broker transactions ranging in the millions, one carefully crafted attack can lead
to a payout that could support the hacker’s operations for months, or even years.
Spear phishing attacks are socially engineered emails that try to trick employees into triggering network breaches,
conducting fraudulent wire transfers, or even aiding in corporate espionage. Regardless of motivation, the high
volume of business communications conducted via email within this industry give hackers quite the window of
opportunity to intercept sensitive information through the use of spear phishing, including log-in credentials,
reserve records, order forms, broker correspondences, and other documents which can then later be used to
defraud unsuspecting industry professionals.

3. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 2
This white paper describes spear phishing attacks that have occurred in various sectors of oil and gas, along with
recommendations on how the industry can boost their cyber security and specifically adopt new preventative
measures to protect against these and other email-borne threats.
1. Government Warnings: Critical Infrastructure Disruption
Politically-motivated hacker groups sometimes target state-owned facilities by breaching a point within the supply
chain in order to hinder the nation’s ability to obtain, transport, and store energy resources. Other rogue political
groups use phishing attacks to gain access to privileged information to pose as corporate decision makers in order
to delude, debunk, or destroy a nation’s oil and gas industry. A data breach at any point in an energy supply chain,
or within a bureaucratic organization, can cause severe damage to infrastructure, put public safety in jeopardy, or
even sway the balance of international negotiations.
For instance, new evidence showed that a Turkish pipeline explosion that occurred in 2008 was caused by hackers
who injected malware into the system through the pipeline’s wireless network. The pipeline was thought to be one
of the most secure in the world, but hackers were able to successfully destroy the pipeline by injecting malware
(Brocklehurts, 2014). Although the malware used in this attack wasn’t delivered via email, it does provide a stark
warning about the physical damages that could be inflicted via cyber-attack.
United States
In April of 2012, the Industrial Control Systems - Cyber Emergency Response Team (ICS – CERT), issued a statement
in their monthly report regarding their investigation of a year-long campaign to try to infiltrate multiple natural gas
pipelines. ICS-CERT analysis found that the malware used and artifacts associated with these cyber-attacks were
tied to a single spear phishing campaign, from a single source or group, and had been attempting to disrupt the

4. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 3
control systems of the pipelines (ICS, 2012). Approximately 200,000 miles of these natural gas pipelines are
responsible for over 25 percent of the nation’s energy supply, and so threats to this infrastructure are taken
very seriously by the federal government.
Norway
In August of 2014, Norway’s national security authority (Nasjonal Sikkerhetsmyndighet – NSM) stated that 250 oil
sector organizations may have been breached by hacker groups while 50 of those organizations had confirmed
data breaches. All of the breaches were reported to be the result of targeted spear phishing attacks in 2011
(Leyden, 2014). When asked to comment on the largest breach in Norwegian history, NSM Director Kjetil Nilsen
told a local publication that, “The ability to attack [networks] is increasing and there is great interest for our data”.
The main source or method of the 2014 attacks remains unclear, but apparently this type of attack has happened
to Norwegian oil companies before. Three years ago, hacker groups used spear phishing emails to obtain industrial
drawings, contracts, as well as log-in credentials (Ibid).
2. Loziak Trojan: Corporate Espionage
Corporations in highly competitive industries may have incentives to obtain sensitive trade information about their
competitors in order to gain a strategic advantage. In March of 2015, Symantec reported that hackers have been
targeting energy industry workers with malicious spear phishing emails. The campaign primarily targeted OPEC,
specifically the UAE, Kuwait, and Saudi Arabia, but has also affected the United States, UK, and Uganda. The
intended targets and method of attack made those at Symantec believe that industrial espionage was the motive.
Stating that “whoever is behind these attacks may have a strategic interest in the affairs of the companies affected”
(Hacket, 2015). The Trojan used in the attack, Loziak, was able to masquerade as an Excel spreadsheet, in order to

5. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 4
spread strains of malware designed to observe and report device data. Once downloaded, the malware would steal
sensitive information such as system configuration data and send it back to its source. The configuration data told
the source whether or not the infected device was a valuable target. If the hackers decided that the device was
worth targeting, they would then forward additional malware to that targeted device in order to strip it of more
information. In this case, the Loziak Trojan was followed by Back.door.cyberat and Trojan.Zbot.
Once the Loziak Trojan was able to infect, inspect, and transmit data, it opened up new backdoors on the system in
case additional breaches were needed in the future. In order to repair the damage done, administrators would
have to patch each new backdoor in order to limit future exploits (Hacket, 2015).
3. The Phantom Menace: Fraud
Targeted attacks impacting oil and gas organizations usually focus on the big-ticket transactions inherent to the
industry, and seek to capitalize on their efforts by deluding the victims into sending them large deposits for oil
orders. Panda Security, a leading computer software company in Spain, investigated a targeted attack that
employed or used a fake .pdf containing compressed files, encryption instructions, and files designed to affect the
registry of the device each time the system restarted (Operation Oil Tanker, 2015) . The file, later referred to as the
Phantom Menace, was a self-extracting executable file capable of bypassing the latest malware behavior filters and
leaking sensitive personnel information and corporate resources in a text file back to the original sender. This
attack was very troubling because of its ability to remove traces of its actions from the registry, allowing it to do the
damage and leave little to no clues. With the sensitive information and resources in hand, hackers were easily able
to pose as legitimate oil producers who were offering extremely competitive oil prices­—prices that seemed
especially attractive given Saudi Arabia’s dominance of the market at that time. The Phantom Menace hackers used
the order forms and business insights to craft an illusion that they were, in fact, a legitimate oil producer. The oil

6. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 5
brokers were then prompted to pay an “advance fee” in order to finalize their crude and refined orders. However,
once the advance fee or deposit was sent, neither their oil nor their contact to the oil producer could
ever be found.
Even if oil brokers, producers, and distributors use antivirus, anti-malware, and the necessary endpoint protections,
they are still vulnerable to socially engineered attacks via email. The human component of receiving and opening a
seemingly harmless email can leave an entire organization’s resources and strategies open to prying eyes. Those at
Panda Security said that for those in the oil and gas industry:
“It is important to understand that our defense systems must adapt
to the level of attack received, and so it is necessary to implement
new protection strategies that give organizations total control and
visibility over their networks.”
The most concerning fact to the antivirus research community and those at Panda Security, was not only that the
Phantom Menace was able to avoid detection, but also that it was able to extract all the information it needed
without utilizing any malware. The only point of prevention hinged on the ability of the user to somehow know that
the senders were impostors. However, there are few security solutions available to comprehensively protect
against a socially engineered attack like the Phantom Menace.

7. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 6
Email Protection Solutions
Phishing attacks against oil and gas can have various motives, from committing espionage and fraud to causing
critical infrastructure and supply chain disruptions. Though there may not be a single silver-bullet solution to
secure an organization’s network from all of these potential motives, protecting the organization from targeted
attacks is not impossible, and it doesn’t have to cost a fortune.
Investing in an advanced security architecture now may save a corporation from targeted attacks in the future. As
the risks associated with not investing in one can lead to losses in revenue, market share, and reputation, the costs
of recovery far outweigh the initial investment in preventative measures.
In order to combat the growing challenges of protecting against orchestrated email scams, oil and gas
professionals should look for email security systems that use advanced threat detection and prevention, and are
equipped to detect spear phishing scams. Traditional email security products are typically not designed to detect
and block spear phishing attacks, and most spam filtering products rely on prior detection and black lists in order
to flag an email as spam. Also, many spear phishing attacks make use of unknown threats or zero-day
vulnerabilities that not all anti-malware engines will be able to detect. Organizations can improve their email threat
protection by taking the following precautions:
Use Multiple Anti-malware Engines: Multi-scanning leverages the power of the different detection algorithms
and heuristics of multiple engines, therefore increasing detection of both known and unknown threats, as well as
protecting against attacks designed to circumvent particular antivirus engines. In addition, since anti-malware
vendors address different threats at different times, using multiple scan engines will help detect new outbreaks
much faster. It is important to distinguish between multi-scanning and simply using multiple antivirus engines.

8. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 7
When using multi-scanning technology, performance is greatly enhanced and potential conflicts between different
engines are avoided.
Sanitize Email Attachments: Many spear phishing emails include malicious Word or PDF attachments, so as a
precautionary measure it is highly recommended to sanitize incoming email attachments in order to remove any
embedded threats that may go undetected by antivirus engines.
Set Attachment Limits: By blocking potentially dangerous email attachment types such as .exe files and scripts, it
is more difficult for malware to spread. It is also important to verify the attachment file type so that .exe files that
are renamed as .txt files do not get through the company’s filters.
Enforce an Email Content Policy: With user-based email content policies, such as keyword and attachment
filtering, organizations can ensure that no confidential content or intellectual property is sent out through email.
Implement an SFT Server: A secure file transfer server allows an organization to easily send and receive large
and confidential files ensuring trackable, instant, and secure delivery. By encrypting files and implementing user
authentication, the interception of potentially valuable information can be prevented.
Utilize Advanced Threat Detection and Prevention: Ultimately, organizations need to make sure their email
security system is backed by powerful anti-malware engines, as the performance of the email security program will
hinge on the engine’s ability to detect, prevent, sanitize, or quarantine the suspicious email or attachment.
Scan Running Processes on Endpoints: If email-born threats have already entered your network, scanning
running processes and DLLs on both in-network and remote endpoints helps to identify malware before it spreads.

9. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 8
By having these added layers of security incorporated into the organization’s email security infrastructure, those in
the oil and gas industry can better protect themselves from targeted email attacks, and not risk losing millions to
fraud, or having to conduct costly image campaigns.
About OPSWAT
OPSWAT is a San Francisco-based software company that provides solutions to secure and manage IT
infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks,
and helps organizations protect against spear phishing and other email threats. OPSWAT’s intuitive applications
and comprehensive development kits are deployed by SMB, enterprise, and OEM customers to more than 100
million endpoints worldwide.
Policy Patrol Security for Exchange protects an organization’s email traffic from known and unknown threats and
provides organizations with advanced features for blocking spear phishing and unwanted emails, detecting and
preventing viruses and other email-borne threats, as well as enforcing email content policy.
It offers effective spam & phishing protection, using technologies such as greylisting, anti-phishing block lists,
DNSBL, Bayesian filtering, recipient verification and Sender Policy Framework (SPF) to block unwanted emails and
detect spoofed emails.
Using Metascan®, Policy Patrol also allows organizations to quickly scan email attachments with multiple antivirus
engines, detecting and blocking advanced malware threats in emails. By using antivirus engines from vendors like
Symantec, ESET, McAfee, and many others, Metascan technology increases detection rates for all types of malware
without the hassle of licensing and maintaining multiple antivirus engines. Engines integrated into Metascan are
optimized to scan simultaneously for fast, high performance scanning. In addition to malware scanning, Metascan

10. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 9
can also perform email attachment file sanitization and file type checking, preventing zero-day and targeted
attacks. Policy Patrol Security for Exchange includes Metascan with 1, 4, or 8 anti-malware engines, with the option
to add more anti-malware engines.
OPSWAT Gears enables organizations to directly assess and manage the endpoint security posture of their devices
through a unified view of mobile and PC endpoints, and their applications/security issues. Administrators can to
take rapid action to remediate issues on non-compliant devices and improve endpoint security.
Additionally, Gears utilizes OPSWAT’s Metascan Online technology to scan running processes and DLLs for both
in-network and remote devices with 40+ commercial anti-malware engines. This way Gears can help identify threats
that were not detected by the installed antivirus software.
References
Brocklehurst, K. (2015, February 1). Cyberterrorists Attack on Critical Infrastructure Could Be Imminent.
Retrieved September 23, 2015, from http://www.tripwire.com/state-of-security/security-data-protection/
security-controls/cyberterrorists-attack-on-critical-infrastructure-could-be-imminent/
Galea, D. (2015, March 31). How the Energy Industry can Survive Targeted Attacks.
Retrieved September 25, 2015, from https://www.opswat.com/blog/how-energy-industry-can-survive-
targeted-attacks
Hundreds of Norwegian Energy Companies Hit by Cyberattacks. (2014, August 28).
Retrieved September 1, 2015, from http://www.scmagazineuk.com/hundreds-of-norwegian-energy-
companies-hit-by-cyber-attacks/article/368539/

11. PROTECTING THE OIL & GAS INDUSTRY FROM EMAIL THREATS | PAGE 10
ICS-Cert. Malware infections in the Control Environment. (2012, December 10).
Retrieved September 1, 2015, from https://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monthly_Monitor_
Oct-Dec2012_2.pdf
Leyden, J. (2014, August 27). Major cyber-attack hits Norwegian oil industry.
Retrieved September 1, 2015, from http://www.theregister.co.uk/2014/08/27/nowegian_oil_hack_campaign/
Corrons, L. (2015, May 19). Operation “Oil Tanker” - The Phantom Menace.
Retrieved September 1, 2015, from http://www.pandasecurity.com/mediacenter/src/uploads/2015/05/oil-
tanker-en.pdf

12. http://www.opswat.com
Disclaimer. © 2015. OPSWAT, Inc. (“OPSWAT”). All rights reserved. All product and company names herein may be trademarks of their respective owners.
The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied,
including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. OPSWAT is not liable for any damages,
including any consequential damages, of any kind that may result from the use of this document. Though reasonable effort has been made to ensure the accuracy of
the data provided, OPSWAT makes no claim, promise or guarantee about the completeness, accuracy and adequacy of information and is not responsible for misprints,
out-of-date information, or errors. OPSWAT makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of
any information contained in this document.
If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.