Sloppy security policies are leaving even large energy companies vulnerable to cyberattacks routed through their subcontractors, according to a report released Wednesday by Houston-based security firm Alert Logic.
While the largest companies in the energy industry have taken steps to protect themselves from intruders, they have failed to insist on the same vigilance from their subcontractors, according to the report.
“To put it nicely, I’d say it’s not a mature process,” said Stephen Coty, director of threat research for Alert Logic. “I don’t think that they hold their contractors up to the same standards that they do their employees. I think that’s a growth issue, or understanding the risks.”
Malware offshore: Danger lurks where the chips fail
Alert Logic has reason to worry. Its energy industry customers are targeted more often than its customers in any other industry and faced nearly 9,000 threats between Jan. 1 and May 23, the company said. Nearly half of those attacks were the result of malware, which can be loaded onto computers through contaminated links in emails or on USB drives. Thirty-one percent of the threats were brute force attacks, in which hackers repeatedly attempt to crack passwords, the report said.
“That’s higher than any other industry that’s going on out there,” Coty said. “The only thing that might even come close to this would be financial.”
It’s not hard to understand why, Coty said.
“People are wanting to know where they’re drilling, what their secrets are, what’s the formula (for hydraulic fracturing fluids),” Coty said. “This is all data that people are interested in … even a major company overseas want to know those formulas.”
The U.S. Department of Homeland Security reported in January that the energy industry received 41 percent of all reported cyber attacks in 2012, more than any other industry.
Vulnerable: Hackers pose as daughter to target executive
Alert Logic reported in March that 67 percent of its 54 energy industry clients experienced a brute-force attack, a higher rate than companies in other fields. And 61 percent of Alert Logic’s energy clients were targeted by malware or botnet attacks also a higher rate than businesses in other sectors.
Attacks on oil companies have ripped through 30,000 computers at Saudi Aramco and incapacitated drilling rigs, knocking them offline for weeks.
Contractors for oil companies, electricity providers and pipeline businesses are often small and make easy targets for hackers, Alert Logic said.
Alert Logic published a step-by-step approach to hacking an energy company through a contractor, a routine experts say is widely used by attackers. The steps involve researching a company to identify subcontractors that may have access to valuable information from large energy companies. Attackers could then research employees at the subcontractor company, learning enough about them to send targeted emails using personal information that would inspire the employee to click on links. Those links would allow hackers to break into computer systems, or load malware onto machines.
Hackers used that tactic to send a message that appeared to be from the daughter of Booz Allen Hamilton executive Emile Trombetti, he said at a Houston energy conference last week.
“They found out my daughter’s name,” said Trombetti, senior vice president for the consulting firm. “They found out what school she went to. And they found out her Yahoo address. And I get an email that says, ‘Dad, it’s an emergency.’”
Attackers also could use personal information to guess passwords of company employees, a common tactic used by hackers to break into systems.
Hackers have exploited these avenues to jump from subcontractor systems into major company systems, working through the chain to steal tens of thousands of usernames and passwords, Alert Logic said.
Through the stolen credentials, attackers have accessed highly valuable information, such as seismic survey data, deal financials, intellectual property and other material, Alert Logic said.
The company listed a series of recent attacks that were cause for concern.
“The prevalence of these relatively unsophisticated attacks underscores the importance of fundamental practices: multilayer security, close attention to basic management practices (such as patch management and upgraded operating systems), the use of monitoring and defensive technologies to identify and stop attacks, and continual awareness-raising among employees on the basics of security hygiene,” the report said.