It has always been clear, even before the Colonial Pipeline attack, that the energy sector is a prime target for not only criminal threat groups, but also nation-state actors. After all, halting fuel and energy supplies can quickly bring a region to a halt and thus require the highest level of cyber and physical security possible.
One of the best first steps an organization can take to protect itself is understanding its enemy and preferred attack methodology and applying that knowledge when implementing security measures, such as an offensive security program. Trustwave SpiderLabs has compiled a list of the primary attack groups that focus on the energy sector, along with their basic tactics, techniques, and procedures, as observed in the Trustwave Fusion platform.
The most common tactic used by attackers was credential access, which consists of techniques for stealing credentials like account names and passwords, accounting for over 37.7% of the incidents analyzed.
As a result of these tactics, Trustwave SpiderLabs has found dozens of energy sector victims listed on threat group data leak sites. Granted, these have to be taken with a grain of salt and not all attacks result in a financial gain for the attacker, but to date, ransomware has generated millions in payment with the research firm Chainanalysis reporting an overall total of $1.1 billion paid out in 2023 across all vertical markets.
Recent Energy Sector Attack Trends
Trustwave SpiderLabs has tracked an increasing number of attacks spanning the last three years. This suggests that ransomware threats are not only persisting, but potentially growing in frequency or at least more oil and gas industry victims are reporting incidents.
Many of the attacks taking place during this time period clustered from late 2022 and into 2023. This could indicate some synchronicity with the release of notable zero days such as Citrix, MOVEIt, and Accellion, which our researchers have tracked being used by various threat groups. This clustering could also indicate cyclic or seasonal patterns in ransomware campaigns, possibly aligned with industry financial cycles or geopolitical events affecting energy markets.
Now, let’s take a deep dive look at the threat groups targeting the energy sector. One note, several of the groups listed have been disrupted by law enforcement activity and may or may not remain in operation. However, the tactics they employed are in use by other groups and should be defended against.
BlackCat/ALPHV
BlackCat/ALPHV is a ransomware-as-a-service (RaaS) group that has targeted various organizations directly and unapologetically. RaaS groups have developers who manage and update the malware, while affiliates carry out the actual ransomware attacks.
Since its emergence in November 2021, BlackCat has earned a reputation as a remarkably formidable and inventive ransomware operation. It has consistently ranked among the top ten most active ransomware groups, according to multiple research entities. This may no longer be true, as BlackCat/ALPHV was disrupted by an international law enforcement operation in late 2023. Currently, there is some debate over whether or not the group is, in fact, still operating, as SpiderLabs discussed in this blog.
While operating, BlackCat/ALPHV employed a double extortion ransomware scheme, combining data encryption with data theft tools as part of its attack strategy. This approach intensified the pressure on victims to comply with their demands.
BlackCat/ALPHV’s Initial Access Vectors:
- T1189: Drive-by Compromise
o Malvertising: WinSCP and AnyDesk software infected with Cobalt Strike beacon
- T1078: Valid Accounts
o Compromised accounts and stolen credentials
- T1133: External Remote Services
o Remote desktop (RDP) access using Valid Accounts
- T1190: Exploit Public-Facing Application
o ProxyShell – Microsoft Exchange Server Vulnerabilities: (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523)
o SonicWall SMA100 Pre-Auth SQL Injection (CVE-2019-7481)
Lockbit 3.0
Like BlackCat/ALPHV, LockBit 3.0 is a RaaS group that has recently been hit with a disruptive law enforcement operation. The latest operating version of LockBit inherited the legacy of its predecessors, LockBit and LockBit 2. Beginning in January 2020, LockBit adopted an affiliate-based ransomware approach, allowing its affiliates to employ diverse tactics in targeting a broad spectrum of businesses and critical infrastructure organizations.
This group's extensive activity, which constitutes 36.36% of the ransomware incidents points to a particular predilection for the oil and gas industry possibly due to the sector's critical infrastructure status and potential for high ransom yields.
LockBit 3.0 is known to facilitate network intrusions by using initial access brokers and an insider recruitment program advertised on various hacker forums.
LockBit 3.0’s Initial Access Vectors:
- T1189: Drive-by Compromise
- T1566: Phishing
- T1078: Valid Accounts
o Compromised accounts and stolen credentials
- T1133: External RDP access using Valid Accounts
- T1190: Exploit Public-Facing Application
o Fortinet FortiOS SSL VPN web portal (CVE-2018-13379), BIG-IP F5 iControl Server-Side Request Forgery / Remote Command Execution (CVE-2021-22986)
CL0p
CL0P is another RaaS group that first appeared in February 2019, evolving from the CryptoMix ransomware variant. CL0p’s malicious software was strategically employed in extensive spear-phishing campaigns, using a verified and digitally signed binary to circumvent system defenses effectively. CL0P utilizes the ‘double extortion’ tactic.
CL0p’s Initial Access Vectors:
- T1566: Phishing
- T1078: Valid Accounts
o Compromised accounts and stolen credentials
- T1190: Exploit Public-Facing Application
o GoAnywhere MFT Remote code injection via admin panel (CVE-2023-0669)
o MOVEit Transfer SQL Injection Remote Code Execution (CVE-2023-34362)
o Accellion FTA SQL injection vulnerability (CVE-2021-27101)
o Accellion FTA OS command execution vulnerability (CVE-2021-27102)
o Accellion FTA OS command execution vulnerability (CVE-2021-27104)
o SolarWinds Serv-U Remote Code Execution Vulnerability (CVE-2021-35211)
Hive
Hive also operates under the RaaS model, with the specific method of initial intrusion varying depending on the affiliate responsible for targeting the network. Between June 2021 and at least November 2022, threat actors have extensively employed Hive ransomware to target various energy sector businesses and critical infrastructure sectors. Hive was also the target of a US Justice Department operation in early 2023.
Hive’s Initial Access Vectors:
- T1566: Phishing
o Spear-phishing with malicious attachments
- T1078: Valid Accounts
o Compromised accounts and stolen credentials
- T1190: Exploit Public-Facing Application
o Microsoft Exchange Server Security Feature Bypass (CVE-2021-31207)
o Microsoft Exchange Server Remote Code Execution (CVE-2021-34473)
o Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2021-34523)
o FortiOS SSL VPN Authentication Vulnerability (CVE-2020-12812)
Quantum
Quantum (AKA Quantum Locker) ransomware was discovered in July 2021. The Quantum threat group, like BlackCat/ALPHV, utilizes the double extortion ransomware methodology to improve its chances of gaining a financial payout from its victims.
Quantum’s Initial Access Vectors:
The primary takeaway from this study is that safeguarding the energy sector against cyber threats demands both an offensive and defensive security mindset rooted in understanding the TTPs of malicious actors.
The insights provided by Trustwave SpiderLabs shed light on the primary attack vectors and techniques employed by threat groups like BlackCat/ALPHV, Lockbit 3.0, CL0p, Hive, and Quantum. This knowledge can help a security team know what to look for during any proactive security event such as a penetration test or Red Team exercise.
Trustwave’s Offensive Security Methodology
Trustwave leverages a comprehensive toolkit to assess whether clients possess the necessary tools, techniques, and procedures to thwart data breaches and unauthorized system access. As a leading provider of penetration testing, Trustwave tailors Offensive Security programs to suit any organization’s size and needs, regardless of their cybersecurity budget.
Implementing Trustwave’s Offensive Security program is straightforward. Clients can quickly initiate security assessments, and existing Trustwave customers can easily schedule tests through the Fusion Platform portal, bypassing extensive approval processes. Post-testing, results are readily accessible within Fusion.
