CISO Case Files: For Profit or Sabotage

New Oil meets the Old Oil: 

If data is the new oil, then data from an oil company must be twice as valuable. Energy and oil companies are therefore attractive targets both for hackers looking to cash in and for those looking to inflict pain, and the two groups often use the same vulnerabilities to get in. Which kind of intruder you have is usually not known until after the breach: only when someone boots up a workstation does the company learn whether it is being extorted via ransomware or wiped by a Shamoon-style attack. That is the gamble energy companies take every day. Fortunately, some companies are taking steps to shift the odds in their favor.

Details from the Crime Scene: 

Our client, an international energy company, launched a joint project with three companies to build a new export oil refinery in the Middle East. Vendor A, an integration specialist, was chosen to handle the project's information technology and telecommunications needs. Vendor A stood up an SMB server that housed more than a thousand files, some seven thousand documents in all, covering every facet of the construction process. The most dangerous items were network diagrams, the telecommunications equipment inventory, and the cybersecurity protocols for the entire refinery. The telecommunications load-out listed the make and model of every internet-connected camera and VoIP telephone, together with the IP address of each device. An inventory like that is a significant problem in itself: many connected or IoT devices ship with default credentials or no authentication at all, and an attacker who knows exactly which models sit at which addresses can go straight to the weakest ones. Such footholds are used for spying, as a jumping-off point for malware, and to lend credibility to spear-phishing. Together they create an entry point for attacks ranging from ransomware, to wiper malware like Shamoon, to economic disruption by nation-states. Learn more about the rise of zero-credential threats on our blog.

CybelAngel Investigates: 

CybelAngel data breach prevention locates leaking data sources before threat actors can find and exploit them. SMB servers are a common source of data leaks: they are set up quickly, often by people with limited security awareness, and then shared among many users. In this case the exposed server belonged to the telecommunications vendor, a third party that should have understood the sensitivity of the data it held. Once the leak was located, our machine learning algorithms screened each document found for accuracy, sensitivity, and the likelihood of a critical incident. That likelihood was high, which triggered the next step, an Analyst Team investigation. Third-party risk is our specialty; learn how to manage yours in our white paper.
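The quickest way for a share like this to end up world-readable is a hastily written Samba configuration, so a practitioner will want a check that runs before the server goes live. The following is an added example, not CybelAngel's tooling and not the vendor's configuration: it parses the INI-style smb.conf format, applies Samba's documented defaults (`guest ok`, synonym `public`, defaults to no; `read only` defaults to yes, with `writable`/`writeable`/`write ok` as its inverse) and flags every share reachable without credentials. The two configurations embedded in it are constructed: the weak one resembles the case above, the hardened one is the same share restricted to named users. Share and group names are placeholders.

```python
"""Audit a Samba smb.conf for shares reachable without credentials.

Added example (not CybelAngel or vendor code). Samba treats only whole lines
beginning with '#' or ';' as comments, so the parser does the same.
"""
from __future__ import annotations

# Constructed sample: a share stood up in a hurry. Anyone on the network can
# read and write it, and 'map to guest = Bad User' turns every failed login
# into an anonymous guest session instead of rejecting it.
WEAK_CONF = """
[global]
   workgroup = REFINERY
   server string = Project file share
   map to guest = Bad User

[projectdocs]
   path = /srv/projectdocs
   # 'public' is a synonym for 'guest ok'
   public = yes
   writable = yes
   browseable = yes
"""

# The same share after remediation: named users only, read-only, not browsable.
HARDENED_CONF = """
[global]
   workgroup = REFINERY
   server string = Project file share
   map to guest = Never
   restrict anonymous = 2

[projectdocs]
   path = /srv/projectdocs
   guest ok = no
   read only = yes
   valid users = @projectteam
   browseable = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}; names are lowercased,
    whitespace inside keys normalised, and a repeated key keeps its last value."""
    conf: dict[str, dict[str, str]] = {}
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _flag(scope: dict[str, str], keys: tuple[str, ...]) -> bool | None:
    """Boolean value of the first of `keys` present in `scope`, else None."""
    for key in keys:
        if key in scope:
            return scope[key].strip().lower() in TRUE_VALUES
    return None


def guest_accessible(conf: dict[str, dict[str, str]], share: str) -> bool:
    """True if the share accepts connections with no password.
    The share section wins, [global] is the default, then Samba's default (no)."""
    for scope in (conf.get(share, {}), conf.get("global", {})):
        value = _flag(scope, ("guest ok", "public"))
        if value is not None:
            return value
    return False


def writable(conf: dict[str, dict[str, str]], share: str) -> bool:
    """True if clients may write to the share (Samba default: read only)."""
    for scope in (conf.get(share, {}), conf.get("global", {})):
        read_only = _flag(scope, ("read only",))
        if read_only is not None:
            return not read_only
        value = _flag(scope, ("writable", "writeable", "write ok"))
        if value is not None:
            return value
    return False


def audit(text: str) -> list[tuple[str, str]]:
    """Return (section, finding) pairs; an empty list means no anonymous access."""
    conf = parse_smb_conf(text)
    findings: list[tuple[str, str]] = []
    map_to_guest = conf.get("global", {}).get("map to guest", "Never").lower()
    if map_to_guest != "never":
        findings.append(("global", f"map to guest = {map_to_guest}: failed logins become guest sessions"))
    for share in conf:
        if share == "global":
            continue
        if guest_accessible(conf, share):
            findings.append((share, "guest-writable" if writable(conf, share) else "guest-readable"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no anonymous access")
```

Running the script reports the weak configuration as guest-writable with a guest fallback on failed logins and the hardened one as clean. The check is static and only covers anonymous SMB access; it says nothing about whether the named users' passwords are strong, whether the server is reachable from the internet, or what the share contains, so it complements rather than replaces external exposure monitoring.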

Arresting the Leaks:

The Analyst Team launched its investigation seeking to answer three questions: What was leaking? Where was the server located? What were the risks to our client? Answering these would give our client actionable information to protect itself. The documents on the server identified both the vendor and our client and gave expansive details of their plans, budgets, and strategic goals. Their contents, together with the server's IP address, confirmed that the third-party vendor owned it. The final question was the threat these documents presented. Beyond the cyber risks, the analyst team found legal liabilities, the possibility of corporate espionage, and physical security risks up to and including terrorist attacks. Taken together, these threats represented a volatile situation for our client. Informing our client allowed them to reach out to the vendor and, by enforcing their non-disclosure and security agreements, have the server re-secured. CybelAngel continued to monitor for these documents across the web and the dark web to confirm they had not already been copied or put up for sale. Want a closer look at how to detect and remediate third-party leaks? See our white paper.

Detectives Notes: 

Energy companies have found themselves at the forefront of cyberattacks. That is not surprising: they have several features that make them appealing targets for threat actors. They are profitable, so there is money to be extracted. They are indispensable to national economies, and interrupting their operations has significant repercussions, from rising commodity prices to supply chain shocks. See what it is like to live through the repercussions of a cyber attack on our blog. Finally, they are national security concerns, as the 2012 Shamoon wiper attacks, the 2019 physical strike on the Abqaiq–Khurais facilities, and the 2021 Colonial Pipeline ransomware attack all showed. With stakes this high, an ounce of prevention is worth all the cure in the world. Take your first step on a proactive, preventative path by requesting a My Exposure Dashboard.