Businesses in the energy sector produce, extract, sell, and supply various sources of energy. These energy sources include oil and gas reserves, nuclear energy, and renewable energy for fuel and to generate electricity. The critical nature of the energy sector exposes both energy companies and wider society to severe risks resulting from cyber attacks. This article focuses on the specific threat of ransomware in the energy sector.

High-Profile Ransomware Attacks on Energy Companies

Due to the far-reaching consequences of cyber attacks on the energy sector, the disruptions caused often make global media headlines. Here are examples of recent high-profile ransomware attacks targeting energy companies:

Oiltanking GmbH Group and Mabanaft Group

These two Germany-based companies confirmed on the same day that both had been hit by a successful ransomware attack.  Both companies are involved in the storage and supplying of oil and other materials to downstream companies such as Shall.  The attackers appear to have targeted the loading and unloading systems of the Oiltanking GmbH Group in order to reduce the company's ability to transfer oil products.  Mabanaft "declared force majeure for the majority of its inland supply activities in Germany" and immediately began executing on its contingency plans to help minimize the impact of the attack.  Later reports indicated that only a small number of filling stations (~200) were adversely affected by limited gasoline availability issues resulting from the attack.

Security researchers believe that the attack was carried about by the ransomware group known as Black Cat.

Colonial Pipeline

It’s impossible to start anywhere else but with one of the most disruptive ransomware attacks ever on US critical infrastructure. The Colonial Pipeline supplies gas and jet fuel from Texas to its terminus at the Port of New York and New Jersey. Stretching over 5,500 miles, this pipeline plays a prominent role in heating homes, refueling cars, and powering airplanes.

The ransomware attack on the Colonial Pipeline was conducted by the DarkSide ransomware gang. The gang targeted the billing system used by Colonial Pipeline. Upon seeing an on-screen ransom demand, an employee alerted his superiors who made the decision to shut the pipeline down completely.

The Colonial Pipeline supplies around 45 percent of the East Coast’s fuel needs. The disruption caused by this ransomware attack resulted in a $4.4 million ransom payment made to the DarkSide of which the FBI helped recover a significant proportion. Aside from that direct cost, a large knock-on effect of shutting the pipeline down was the gasoline shortages resulting from panicked motorists queuing up to fill up their tanks in light of the news.

The Colonial Pipeline incident serves as a stark warning sign about the vulnerability of the energy sector to ransomware attacks. This incident did not even manage to breach any operational systems that directly control the pipeline, yet it still caused untold havoc and made global headlines. As threat actors become more sophisticated in their techniques and ambitious in their targets, other large-scale energy disruptions will happen to any company that neglects cybersecurity.

Volue ASA

Shortly before the Colonial Pipeline incident, a ransomware attack also struck Volue ASA. The Norwegian company, which provides energy technology, was targeted by the Ryuk ransomware family.

The attack on Volue ASA impacted files, databases, and applications. Similar to other Ryuk attacks, this incident did not exfiltrate data and demanded a ransom to prevent the data from being published on the dark web. The method of attack was to encrypt files and make them unreadable.

A website statement made by Volue CEO Trond Straume outlined how “no ransom has been paid to the group behind the attack.” It appears this was intended as a statement of defiance against caving into ransom demands. The worst consequences appear to have been disruptions to Volue’s applications and employee workstations.

COPEL

COPEL is a state-owned Brazilian energy utility organization. In a February 2021 attack, the same DarkSide gang responsible for the Colonial Pipeline incident claimed to have exfiltrated over 1,000 gigabytes of data from COPEL’s systems as part of a ransomware attack. According to DarkSide, this data included clear-text passwords, network maps, and employee personal data.

The COPEL incident struck at the same time as another major state-owned Brazilian electric utility company named Electrobras also disclosed a ransomware attack. It remains unclear whether Darkside was involved in both incidents. A statement outlining the response to the COPEL attack mentioned that it was necessary to suspend the operation of COPEL’s computerized environment, which presumably was a costly outcome for the company.

Pemex

Pemex is a Mexican state oil company that was targeted in a ransomware attack by the Ryuk ransomware family back in November 2019. This incident came at a time when Pemex was already struggling to battle a declining credit rating, huge debts, and slowdowns in oil production.

Luckily for Pemex, it appears the cybersecurity defenses in place enabled a swift response to this attack. The critical operational functions of oil storage and production avoided any impact. Furthermore, the ransomware was contained to less than 5 percent of the organization’s computers.

The Pemex incident may have caused more disruption than the company disclosed. An anonymous employee informed Reuters that the servers crashed and people weren’t able to do their daily work.

Norsk Hydro

Norsk Hydro is a Norwegian company focused on renewable energy. In March 2019, a serious ransomware attack rapidly propagated through the company’s global network of 3,000 servers and thousands of workstations. The attack even stalled production in manufacturing facilities belonging to Norsk Hydro.

Upon seeing ransom demands to remove the encryption from affected devices, the company decided not to engage with these demands and rebuild everything from scratch. Recovering from an attack of this scale required relying on pen and paper to track many important business aspects, including orders, finances, and manufacturing processes.

The total cost of the attack on Norsk Hydro added up to $70 million, however, the size of the company is such that it could absorb this type of cost. More pertinently, the aftermath of the attack resulted in a complete attitude shift that put cyber risk at the top of the company’s strategic agenda.

How The Energy Sector Can Prevent Ransomware Attacks

Given the devastating impact of successful ransomware attacks that result in even short outages and disruptions to energy supplies, it’s critical to implement cybersecurity strategies that prevent such incidents.

Address Physical Security

Physical security controls should cover both information technology (IT) and operational technology (OT), including industrial control systems and data centers. The interdependencies between the virtual and the physical in the energy sector require strong physical security controls.

Physical security controls can include sensors and alarms that detect intrusions, guards posted in visible locations to deter people from trying to access a restricted location, and barriers such as high walls, tamper-resistant devices, and hard-to-pick locks.

Establish an OT Security Policy

Operational technology (OT) uses hardware and software to monitor and control the physical devices and environment. OT technology is more interconnected than ever with the rest of the network thanks to the proliferation of the Internet of Things. It’s critical that businesses address this increased interconnectivity with a dedicated OT security policy that covers fundamental security practices, including patching, changing default passwords, asset visibility, and incident response.

Use Robust Threat Intelligence

Companies in the energy sector should look to combine both tactical and strategic threat intelligence. Strategic intelligence is more proactive in nature; it focuses on industry-specific high-level overviews of the current threat landscape. Ransomware attack groups operate highly sophisticated operations, so it’s critical to have skilled analysts who use robust threat intelligence to identify current trends and threats and help build mechanisms to defend against those threats.

Combat Phishing

Phishing emails remain a significant initial attack vector for ransomware. Cybercriminals target victims with well-crafted emails that dupe them into revealing login credentials to systems or downloading malicious files. From this initial attack vector, the perpetrators infiltrate the network and install malicious software on as many systems as possible.

The fight against phishing begins with a dedicated email security platform. Ideally, energy companies should deploy a solution that has AI-driven, self-learning capabilities to help detect and flag suspicious emails. By stopping phishing campaigns with email security, you can prevent the account takeover or credential harvesting incidents from which ransomware often proliferates.

Conclusion

Ransomware attacks on the energy sector often result in immediate operational disruptions that threaten the bottom line of victim businesses. These attacks also threaten the supply of crucial power sources upon which a functioning society depends. While businesses in this industry will certainly continue to be targeted, becoming a victim of a successful attack is not inevitable.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.