What’s the background?
We do a significant amount of work in the petroleum industry and have recently worked a number of petroleum marketer breaches. Some of the victims were customers of our services; others reached out only after they identified suspicious activity in their environments. In most of these cases the tactics and techniques were almost identical, and the indicators of compromise (IOCs) point to a very large, well-resourced attack group, operating through many smaller cells, that is specifically targeting petroleum marketers. We attribute that focus to several very large and successful attacks within the market in recent weeks and months; all of them were well covered in the press, so we don't need to name them here.
As these attacks continue to pay off for the attackers, they will keep targeting both upstream and downstream petroleum resources in search of additional value. The threats began in earnest with the breach of a vendor in early 2016, which likely gave the attackers a significant body of technical knowledge to use in later attacks. With each success since then they have also gained substantial knowledge of petroleum systems.
How is petroleum specifically being targeted?
Several of the breaches we were able to contain started with Office 365 email compromises. In these attacks, weakly configured email security controls let the attackers gain a foothold in mailboxes at medium-sized petroleum marketers. With access to a mailbox at the marketer, the attackers replied to earlier emails the victim had received from oil brands and other vendors, so the malicious message arrived as part of an existing, trusted conversation. The replies contained a link to a Word document carrying a malicious macro that installed the Emotet trojan. The document's only visible content was text telling the user to click the "Enable Content" button in order to read it; that button enables macros, so clicking it ran the macro, which deployed Emotet on the local machine and gave the attacker remote access through Emotet's command and control (C&C) infrastructure. From that foothold the attackers could begin moving laterally within the marketer's organization.
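The "Enable Content" lure works because that button turns on macros, and an attachment can be checked for a VBA project before anyone ever sees the button. The following Python is an added example for this post, not code from the original article or from any vendor or product: it builds a constructed macro-enabled document in memory (no real malware, and no real Emotet sample), then checks an attachment for macros in both the OOXML (.docx/.docm zip) container and the legacy OLE2 (.doc) container, and for the lure phrase. The lure wording, the sample hostnames and the verdict policy are assumptions; the OLE2 stream-name scan is a byte-level heuristic, and a production check would parse the compound file with a library such as oletools.

```python
import io
import re
import zipfile

# Constructed lure text modelled on the wording described above; not from a real sample.
LURE_TEXT = b"This document is protected. Please click Enable Content to view it."
LURE_RE = re.compile(rb"enable\s+(content|editing|macros)", re.IGNORECASE)
# UTF-16LE form of the phrase, which is how text is stored in legacy Word streams.
LURE_U16 = "Enable Content".encode("utf-16-le")

OOXML_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store stream names in UTF-16LE; these two names
# only appear in Word documents that carry a VBA project.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML document in memory to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   b"<w:document><w:t>" + LURE_TEXT + b"</w:t></w:document>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 container; a stub is enough here.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def analyze_attachment(data: bytes) -> dict:
    """Classify a Word attachment: does it carry a VBA project, and does it show the lure?"""
    result = {"format": "unknown", "has_macros": False, "has_lure": False}
    if data.startswith(OOXML_MAGIC):
        result["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # Any part named vbaProject.bin means macros are present, whatever
            # file extension the attachment was delivered with.
            result["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            xml_text = b"".join(z.read(n) for n in names if n.lower().endswith(".xml"))
            result["has_lure"] = LURE_RE.search(xml_text) is not None
    elif data.startswith(OLE2_MAGIC):
        result["format"] = "ole2"
        result["has_macros"] = any(marker in data for marker in OLE_MACRO_MARKERS)
        result["has_lure"] = LURE_RE.search(data) is not None or LURE_U16 in data
    # Assumed policy: a macro document that asks the reader to enable macros never
    # reaches the mailbox; a macro document without the lure is held for review.
    if result["has_macros"] and result["has_lure"]:
        result["verdict"] = "block"
    elif result["has_macros"]:
        result["verdict"] = "hold_for_review"
    else:
        result["verdict"] = "deliver"
    return result


if __name__ == "__main__":
    for label, doc in (("macro doc", build_sample_docx(True)),
                       ("clean doc", build_sample_docx(False))):
        print(label, analyze_attachment(doc))
```

The check looks at the container, not the filename, because the attachment can be renamed to whatever extension the gateway allows. A document that contains both a VBA project and the "enable content" instruction has no legitimate reason to reach a user; the same logic can run as a mail-flow rule or as an analyst triage script over quarantined attachments.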
In another attack we recovered recently, the POS systems were protected by managed firewalls and isolated from the rest of the environment. This is a common implementation, often required by the oil brand, to protect the POS. Unfortunately, it does nothing to protect the rest of the marketer's assets from advanced and persistent threats. In this case the marketer had built a broad and open VPN network to its 35-plus sites, managed in-house by a limited IT and security staff. The attacker gained a foothold at the corporate office at 2 a.m., and before staff started arriving the next morning had deployed ransomware to over 100 systems across the organization, including the back office servers at every store, all of which were reachable from the corporate office.
While the POS systems were isolated from the attack and no cardholder data was exposed, the impact was effectively an operational shutdown for the petroleum marketer. It will be weeks, if not months, before they can rebuild all of their systems and become fully operational again, and it will be very expensive: they will need significant outside help both to rebuild the environment and to protect it from attackers who will certainly return for another attempt.
How do I protect myself?
As we've learned over the past several years, preventive controls such as firewalls will not keep attackers out of an environment on their own. Even in the most elaborate network designs, with layer 7 firewalls, a sophisticated attacker will trick a user into clicking a malicious link and walk right past those defenses, because the malware's connection back out originates from a trusted internal host. Given the persistent and direct attacks against petroleum marketers today, advanced threat detection and response capabilities are required to protect these environments.
There are many facets to Managed Detection and Response (MDR). Deploying advanced endpoint security to every asset, actively monitoring email, and logging all activity to a centralized SIEM are key pieces. But the most important factor, even when MDR tooling is deployed, is a trained security staff that understands the tactics and techniques of these attackers. The right team proactively monitors the entire environment 24x7x365, recognizes when a compromise has occurred, and takes immediate action to contain it and limit its scope. If you or your team cannot identify an active attack inside your environment within 10 minutes, your chances of containing it before it spreads are very low.
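The 2 a.m. foothold that spread to over 100 systems before staff arrived, and the 10-minute detection target above, are the same problem seen from both sides: one host suddenly reaching many others, out of hours, is visible in centralized logs long before the morning shift. The following Python is an added example for this post, not code or detection content from the original article or from any product: it runs a simple fan-out detector over constructed logon and SMB events (the hostnames and timestamps are invented) and reports how long after the first event the alert would have fired. The 10-minute window, the five-host threshold and the business-hours range are assumptions to tune for a real environment.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line: timestamp source destination event.
# Hostnames and times are invented for this example; "storeNN-bo" stands for a
# store back office server reachable from the corporate office over the VPN.
SAMPLE_EVENTS = """\
2019-10-15T01:58:10 corp-ws17 corp-dc01 logon
2019-10-15T02:01:44 corp-ws17 corp-fs01 smb_write
2019-10-15T02:03:02 corp-ws17 store01-bo smb_write
2019-10-15T02:03:15 corp-ws17 store02-bo smb_write
2019-10-15T02:03:31 corp-ws17 store03-bo smb_write
2019-10-15T02:04:05 corp-ws17 store04-bo smb_write
2019-10-15T02:04:20 corp-ws17 store05-bo smb_write
2019-10-15T02:04:51 corp-ws17 store06-bo smb_write
2019-10-15T09:12:00 corp-ws03 corp-fs01 smb_write
2019-10-15T09:15:30 corp-ws03 corp-dc01 logon
"""

BUSINESS_HOURS = range(7, 19)  # assumed: 07:00 to 18:59 local time


def parse_events(text):
    """Parse the whitespace-separated sample format into (timestamp, src, dst, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, event = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, event))
    return events


def detect_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Alert the first time a source touches `threshold` distinct hosts within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in events:
        by_src[src].append((ts, dst))

    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        recent = deque()   # events inside the sliding window, oldest first
        seen = Counter()   # distinct destinations inside the window
        for ts, dst in hits:
            recent.append((ts, dst))
            seen[dst] += 1
            while ts - recent[0][0] > window:  # expire events older than the window
                _, old_dst = recent.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            if len(seen) >= threshold:
                first_seen = recent[0][0]
                alerts.append({
                    "source": src,
                    "first_seen": first_seen,
                    "detected_at": ts,
                    "time_to_detect": ts - first_seen,
                    "distinct_hosts": len(seen),
                    "off_hours": ts.hour not in BUSINESS_HOURS,
                })
                break  # one alert per source; the analyst takes it from here
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{a['source']}: {a['distinct_hosts']} hosts in {a['time_to_detect']}, "
              f"off-hours={a['off_hours']}, detected at {a['detected_at']:%H:%M:%S}")
```

On the constructed data the alert fires at 02:03:31, five minutes and twenty-one seconds after the first touch of the domain controller and well inside the 10-minute target, while the corporate workstation that touches two servers during business hours stays quiet. In a SIEM the same logic is a scheduled query over share-access and logon events (Windows event IDs 5140 and 4624, or the equivalent firewall flow logs); what turns the alert into containment is a person on shift at 2 a.m. who isolates the source host before the store back office servers are reached.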
The very complex nature of petroleum POS and back office systems has actually protected us as a market for quite some time. Unfortunately, our days of security by obscurity appear to be over. It's time for petroleum marketers to face these threats head on and address them, as most other industries have had to do in recent years.
If you’re ready to bolster the security of your network with advanced threat detection and response capabilities, give us a call. We stand ready to help: