The oil and gas industry faces substantial risk from threat actors as diverse as cybercriminals and terrorists. Many of these threats originate from the opaque and gated areas of the internet within online illicit communities that enable these threat actors to communicate and act on their plans.
Illicit communities remain the key source for highly valuable data and intelligence pertaining to a wide range of cyber and physical threats, fraudulent activities, and malicious actors. As industries like oil and gas continue to face unknown threats, relevant data from illicit communities is necessary to inform decision making across the enterprise and to navigate risk effectively. With its unmatched trusted intelligence and data derived from these communities, Flashpoint helps oil and gas companies address the following:
In 2017, groups protesting an oil pipeline used various physical methods to halt progress in construction, such as chaining themselves to construction equipment, using human barricades at access points, and vandalizing work areas.
Flashpoint identified the dates that were most likely to involve extremist groups, vandalism, and potential for clashes with police. Customers were also provided with strategies on how to educate security personnel to avoid incidents that could result in reputational damage. Our analysts also offered customers strategic advice in the instance of a violent protest, including how to set up emergency notification systems and physical evacuation plans.
PHYSICAL & JIHADIST THREATS
In April 2017, an ISIS-affiliated media unit released a video that purported to feature an improvised explosive device attack on an oil pipeline between Diyala and Baghdad in Iraq. ISIS has a history of targeting oil and gas pipelines. It has previously targeted a gas pipeline leading to Homs, Syria, as well as one that supplies Jordan. By targeting energy infrastructure, ISIS is able to potentially disrupt a target country's economy, which is a longtime, high-priority target for jihadists.
The physical element of information security often takes a backseat to the technology protecting the information. Theft, vandalism, or alteration of hardware can be as destructive and costly as a malware infection, and possibly even easier and more productive than a digital attack. With Flashpoint’s help, actors like ISIS can be monitored in illicit communities and chat services not just for attribution of attacks, but for attack plans, potential targets, and tactics; when items of interest are mentioned, the customer will be alerted and linked to the relevant threat actor conversation. Further, Flashpoint offers finished intelligence reports to help react to threats at both a tactical and strategic level.
A third of global crude oil and half of global liquefied natural gas transit through the South China Sea, making it a high-risk area for attacks. In the past, hackers have targeted supply routes and objects at sea, including an incident where hackers shut down an oil rig, and flooded another with malware that took 19 days to repair. The shipping and logistics industry has also been targeted by Chinese actors. Zombie Zero, an APT connected to China, targeted shipping and logistics enterprise environments. This malware infected manufacturers selling proprietary hardware for terminal scanners used to inventory items being shipped or transported internationally. Aside from stealing financial information, the malware was able to steal intellectual property.
Even if a company had access to illicit communities, attacks and tactics like these would likely be discussed on foreign-language forums and would need translation and contextualization not generally available to security and risk teams. With Flashpoint, our analysts not only have access to these elite sites but also have the language capabilities to understand them, helping to predict what types of malware are being used and whether or not personally identifiable information or intellectual property is being sold. Customers could strategically prepare for attacks, including targeted attacks, and benefit from tactical insights into any attacks or damage that did occur.
DISTRIBUTED DENIAL-OF-SERVICE (DDoS) ATTACKS
Beginning in March 2017, a Turkish nationalist hacktivist aggressively conducted distributed denial-of-service (DDoS) attacks against US and European government and private sector websites, including a number of attacks on utilities providers. This campaign is part of a broader movement by Turkey’s most aggressive nationalist hacking groups to protect what it considers the country’s national interests in the aftermath of the failed coup. Supporters of the group suggested on Facebook that the cyberattacks should also target US critical infrastructure, including public transportation and water supplies.
By monitoring the group and leveraging the insights and language capabilities of our analysts, Flashpoint has been able to assess patterns in the group's attacks and warn customers of certain dates when attacks might occur. Our analysts also helped customers analyze the specific DDoS tool used by the group, enabling customers to adjust their DDoS mitigation strategy to block attacks from the tool.