Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Defending the Energy Sector Against Cyber Threats: Insights from Trustwave SpiderLabs

It has always been clear, even before the Colonial Pipeline attack, that the energy sector is a prime target for not only criminal threat groups, but also nation-state actors. After all, halting fuel and energy supplies can quickly bring a region to a halt and thus require the highest level of cyber and physical security possible.

One of the best first steps an organization can take to protect itself is understanding its enemy and preferred attack methodology and applying that knowledge when implementing security measures, such as an offensive security program. Trustwave SpiderLabs has compiled a list of the primary attack groups that focus on the energy sector, along with their basic tactics, techniques, and procedures, as observed in the Trustwave Fusion platform.

The most common tactic used by attackers was credential access, which consists of techniques for stealing credentials like account names and passwords, accounting for over 37.7% of the incidents analyzed.

As a result of these tactics, Trustwave SpiderLabs has found dozens of energy sector victims listed on threat group data leak sites. Granted, these have to be taken with a grain of salt and not all attacks result in a financial gain for the attacker, but to date, ransomware has generated millions in payment with the research firm Chainanalysis reporting an overall total of $1.1 billion paid out in 2023 across all vertical markets.

 

Recent Energy Sector Attack Trends

Trustwave SpiderLabs has tracked an increasing number of attacks spanning the last three years. This suggests that ransomware threats are not only persisting, but potentially growing in frequency or at least more oil and gas industry victims are reporting incidents.

Many of the attacks taking place during this time period clustered from late 2022 and into 2023. This could indicate some synchronicity with the release of notable zero days such as Citrix, MOVEIt, and Accellion, which our researchers have tracked being used by various threat groups. This clustering could also indicate cyclic or seasonal patterns in ransomware campaigns, possibly aligned with industry financial cycles or geopolitical events affecting energy markets.

Now, let’s take a deep dive look at the threat groups targeting the energy sector. One note, several of the groups listed have been disrupted by law enforcement activity and may or may not remain in operation. However, the tactics they employed are in use by other groups and should be defended against.

 

BlackCat/ALPHV

BlackCat/ALPHV is a ransomware-as-a-service (RaaS) group that has targeted various organizations directly and unapologetically. RaaS groups have developers who manage and update the malware, while affiliates carry out the actual ransomware attacks.

Since its emergence in November 2021, BlackCat has earned a reputation as a remarkably formidable and inventive ransomware operation. It has consistently ranked among the top ten most active ransomware groups, according to multiple research entities. This may no longer be true, as BlackCat/ALPHV was disrupted by an international law enforcement operation in late 2023. Currently, there is some debate over whether or not the group is, in fact, still operating, as SpiderLabs discussed in this blog.

While operating, BlackCat/ALPHV employed a double extortion ransomware scheme, combining data encryption with data theft tools as part of its attack strategy. This approach intensified the pressure on victims to comply with their demands.

BlackCat/ALPHV’s Initial Access Vectors:

  • T1189: Drive-by Compromise
    o Malvertising: WinSCP and AnyDesk software infected with Cobalt Strike beacon
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1133: External Remote Services
    o Remote desktop (RDP) access using Valid Accounts
  • T1190: Exploit Public-Facing Application
    o ProxyShell – Microsoft Exchange Server Vulnerabilities: (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523)
    o SonicWall SMA100 Pre-Auth SQL Injection (CVE-2019-7481)

 

Lockbit 3.0

Like BlackCat/ALPHV, LockBit 3.0 is a RaaS group that has recently been hit with a disruptive law enforcement operation. The latest operating version of LockBit inherited the legacy of its predecessors, LockBit and LockBit 2. Beginning in January 2020, LockBit adopted an affiliate-based ransomware approach, allowing its affiliates to employ diverse tactics in targeting a broad spectrum of businesses and critical infrastructure organizations.

This group's extensive activity, which constitutes 36.36% of the ransomware incidents points to a particular predilection for the oil and gas industry possibly due to the sector's critical infrastructure status and potential for high ransom yields.

LockBit 3.0 is known to facilitate network intrusions by using initial access brokers and an insider recruitment program advertised on various hacker forums.

LockBit 3.0’s Initial Access Vectors:

  • T1189: Drive-by Compromise
  • T1566: Phishing
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1133: External RDP access using Valid Accounts
  • T1190: Exploit Public-Facing Application
    o Fortinet FortiOS SSL VPN web portal (CVE-2018-13379), BIG-IP F5 iControl Server-Side Request Forgery / Remote Command Execution (CVE-2021-22986)

 

CL0p

CL0P is another RaaS group that first appeared in February 2019, evolving from the CryptoMix ransomware variant. CL0p’s malicious software was strategically employed in extensive spear-phishing campaigns, using a verified and digitally signed binary to circumvent system defenses effectively. CL0P utilizes the ‘double extortion’ tactic.

CL0p’s Initial Access Vectors:

  • T1566: Phishing
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1190: Exploit Public-Facing Application
    o GoAnywhere MFT Remote code injection via admin panel (CVE-2023-0669)
    o MOVEit Transfer SQL Injection Remote Code Execution (CVE-2023-34362)
    o Accellion FTA SQL injection vulnerability (CVE-2021-27101)
    o Accellion FTA OS command execution vulnerability (CVE-2021-27102)
    o Accellion FTA OS command execution vulnerability (CVE-2021-27104)
    o SolarWinds Serv-U Remote Code Execution Vulnerability (CVE-2021-35211)

 

Hive

Hive also operates under the RaaS model, with the specific method of initial intrusion varying depending on the affiliate responsible for targeting the network. Between June 2021 and at least November 2022, threat actors have extensively employed Hive ransomware to target various energy sector businesses and critical infrastructure sectors. Hive was also the target of a US Justice Department operation in early 2023.

Hive’s Initial Access Vectors:

  • T1566: Phishing
    o Spear-phishing with malicious attachments
  • T1078: Valid Accounts
    o Compromised accounts and stolen credentials
  • T1190: Exploit Public-Facing Application
    o Microsoft Exchange Server Security Feature Bypass (CVE-2021-31207)
    o Microsoft Exchange Server Remote Code Execution (CVE-2021-34473)
    o Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2021-34523)
    o FortiOS SSL VPN Authentication Vulnerability (CVE-2020-12812)

 

Quantum

Quantum (AKA Quantum Locker) ransomware was discovered in July 2021. The Quantum threat group, like BlackCat/ALPHV, utilizes the double extortion ransomware methodology to improve its chances of gaining a financial payout from its victims.

Quantum’s Initial Access Vectors:

  • T1566: Phishing

The primary takeaway from this study is that safeguarding the energy sector against cyber threats demands both an offensive and defensive security mindset rooted in understanding the TTPs of malicious actors.

The insights provided by Trustwave SpiderLabs shed light on the primary attack vectors and techniques employed by threat groups like BlackCat/ALPHV, Lockbit 3.0, CL0p, Hive, and Quantum. This knowledge can help a security team know what to look for during any proactive security event such as a penetration test or Red Team exercise.

 

Trustwave’s Offensive Security Methodology

Trustwave leverages a comprehensive toolkit to assess whether clients possess the necessary tools, techniques, and procedures to thwart data breaches and unauthorized system access. As a leading provider of penetration testing, Trustwave tailors Offensive Security programs to suit any organization’s size and needs, regardless of their cybersecurity budget.

Implementing Trustwave’s Offensive Security program is straightforward. Clients can quickly initiate security assessments, and existing Trustwave customers can easily schedule tests through the Fusion Platform portal, bypassing extensive approval processes. Post-testing, results are readily accessible within Fusion.

Latest Trustwave Blogs

Using Trustwave DbProtect and Offensive Security Solutions to Protect Against Nation-State Cyber Threats

The US Director of National Intelligence (DNI) earlier this month gave a stark warning to the Senate Armed Services Committee detailing the cyberthreats arrayed against the US and the world from...

Read More

Trustwave SpiderLabs Unveils the 2024 Public Sector Threat Landscape Report

Trustwave SpiderLabs’ latest report, the 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies details the security issues facing public sector...

Read More

Trustwave Backs Multinational OT Security Recommendations to Protect Critical Infrastructure

The Canadian, US, and UK governments issued a series of recommendations in their just-released security alert Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity, which mirror my...

Read More