Dark web threats target energy sector as cybercrime tactics shift

The energy industry is increasingly being targeted by malicious actors and threat groups through activity on the dark web, according to a report by Searchlight Cyber.

The report details numerous instances of threat actors selling initial access to global energy organizations.

These include targets in the US, Canada, UK, France, Italy, and Indonesia, advertised on popular darknet forums such as Exploit, RaidForums, and BreachForums.

Energy Sector Targets

The main dark web activity observed against the energy industry is "auctions" of initial access to energy companies, typically held on dark web forums; Exploit is the most popular site for these auctions.

The report noted that some threat actors published multiple auctions affecting different organizations, indicating that they are experts in the initial access market.

Threat actors often use the terms "start," "step," and "blitz" to denote, respectively, the starting price for initial access, the bid increment, and the "buy it now" price.

The research also highlights threat actors discussing industrial control systems (ICS) and sharing tutorials, papers, and documentation on ICS/SCADA, PLCs, RTUs, HMIs, and other components of industrial systems.

The report is illuminating, and its findings reveal a major shift in the threat landscape targeting the oil and gas industry.

The fact that threat actors are auctioning off initial access to corporate networks on the dark web underscores the complexity and organization within the cybercrime underworld.

Notably, these auctions are not localized; they target organizations in many countries around the world, highlighting the global nature of this threat.

The standardization of auction posts with terms like "start," "step," and "blitz" shows just how sophisticated this illegal market is.

It also provides a window into the types of information cybercriminals value when targeting organizations, such as access type, country, industry, and revenue.

While such activity is "definitely worrisome," it's important to note that this visibility can be turned to security professionals' advantage.

By monitoring these darknet forums, we can identify potential threats to our organization and take proactive steps to protect the network.

Threat Modeling Insights

Additionally, the report's findings provide valuable insights for threat modeling.

Even if an organization does not match the exact profile of the victim listed in the auction post, the fact that this tactic was used against other energy companies is crucial information.

It can inform defense strategies and help security teams prepare for and mitigate such threats.
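As an added example (not code from the report or the original article), the snippet below normalises an initial-access auction post written in the start/step/blitz convention described above into a structured record and triages it against an organization's own sector and country, the profile-matching step this section describes. The sample post and its "key: value" layout are constructed assumptions; real posts vary, and the field names here are illustrative.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample in the start/step/blitz convention the article describes (layout assumed).
SAMPLE_POST = """\
Country: Canada
Industry: Oil and gas
Revenue: $350M
Access: VPN, domain user
Start: 2000$
Step: 500$
Blitz: 6k$
"""

FIELD_RE = re.compile(r"^\s*(country|industry|revenue|access|start|step|blitz)"
                      r"\s*:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
MONEY_RE = re.compile(r"\$?\s*([\d.,]+)\s*([kmb])?\s*\$?", re.IGNORECASE)
MULT = {None: 1, "k": 1_000, "m": 1_000_000, "b": 1_000_000_000}

def parse_money(text: str) -> Optional[int]:
    """'2000$', '$350M', '6k$' -> whole US dollars; None if unparseable."""
    m = MONEY_RE.fullmatch(text.strip())
    if not m:
        return None
    suffix = m.group(2).lower() if m.group(2) else None
    return int(float(m.group(1).replace(",", "")) * MULT[suffix])

@dataclass
class Listing:
    country: Optional[str]
    industry: Optional[str]
    access: Optional[str]    # e.g. VPN, RDP, domain user
    revenue: Optional[int]   # victim's annual revenue, USD
    start: Optional[int]     # opening bid
    step: Optional[int]      # bid increment
    blitz: Optional[int]     # "buy it now" price

def parse_listing(post: str) -> Listing:
    """Normalise one auction post into a record a threat-intel feed can ingest."""
    f = {k.lower(): v for k, v in FIELD_RE.findall(post)}
    money = lambda key: parse_money(f[key]) if key in f else None
    return Listing(f.get("country"), f.get("industry"), f.get("access"),
                   money("revenue"), money("start"), money("step"), money("blitz"))

def relevance(listing: Listing, my_industry: str, my_country: str) -> str:
    """Defender triage: same sector and country -> high; same sector only -> medium."""
    sector = bool(listing.industry) and my_industry.lower() in listing.industry.lower()
    country = bool(listing.country) and listing.country.lower() == my_country.lower()
    return "high" if sector and country else "medium" if sector else "low"
```

A "medium" result still warrants a look: as the text notes, the same access type and tactic used against another energy company is useful threat-modeling input even when the victim profile does not match exactly.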

Ransomware threat actors are going after any industry that generates significant profits, and energy companies certainly fall into this category.

Energy industry organizations tend to have weak security controls due to the large number of remote access connections, which can be exploited through weak or stolen credentials (MITRE ATT&CK T1589.001) or VPN vulnerabilities (T1588.005).

In fact, Colonial Pipeline was breached by the DarkSide ransomware gang via a compromised VPN, resulting in a $4.4 million ransom payment, plus nearly $1 million in fines proposed by federal regulators.

Preventing breaches starts with having the right detections in your security operations; as the report states, organizations should use MITRE ATT&CK to build detection-based defenses around the TTPs adversaries commonly use against their industry.

The energy industry is not a new target for cybercriminals, a point that the report ultimately underscores, and it also shows how advanced the cybercrime ecosystem has become.

Between crime-as-a-service products, brokers selling access to infected targets, botnets, crypto-mining farms, and more, the ecosystem shows a diversity and maturity comparable to that of legitimate business organizations.

Having this additional information may help organizations understand the types of adversaries they may face, but the truth is anyone can be targeted.

Ultimately, the standard precautions we should all take, such as up-to-date patches, secure configurations, educated users, and other measures, apply no matter where we expect an attack to come from.


Source: blog.csdn.net/qq_29607687/article/details/131031361