Energy Resources & Industrials: Recent Observations Trends
Recent observations
Executive summary
The Energy, Resources, and Industrials sector (ERI) is exposed to multiple types of risks across
the cyber threat landscape. The ERI sector is composed of organizations in the power and
utilities, oil and gas, industrial control systems (ICS), construction, as well as the mining and
minerals industries. The ERI sector is a target for multiple types of threat actors and will
continue to be a substantial target due to the sector holding a significant role in critical
infrastructure as well as the key economic importance of services in these industries. Deloitte
has observed two primary motives behind threat actor targeting and will explore five core
threats targeting the ERI industry.
____________
Threat actor
State-sponsored actors: State-sponsored threat actors use both custom-built and commodity RATs, which
give them the capability to target organizations within the ERI industry in state-sponsored
campaigns and attacks.
Cyber criminals: Cyber criminals use commodity RATs to steal access credentials and other sensitive or
proprietary data to sell on underground forums and marketplaces for financial gain.
Threat motivator
Cyber espionage: Threat actors focused on targeting the ERI sector mainly do so to obtain sensitive
proprietary data. State-sponsored threat actors or APT groups target sensitive proprietary data to
improve their own infrastructure and programs within the ERI sector. One of the benefits of cyber
espionage, especially in the industrial sectors, is that R&D can be reduced significantly by reusing
the work already done by the victim.
Financial gain: Cyber criminal threat actors target the networks and sensitive proprietary data of ERI
organizations to sell access or data on Dark Web underground forums.
Lessons learned
ERI organizations will remain a target of advanced threat actors, not only for their sensitive data, but
also because they can be leveraged to impact critical infrastructure.
Observation 2 | Ransomware
In a ransomware attack, threat actors seek to encrypt victim machines and networks for either financial
gain or destructive purposes. Ransomware is used by a variety of threat actors across all industries and
will likely continue to be used to target organizations in the ERI sector in the future.
____________
Threat actor
State-sponsored actors: State-sponsored threat actors are capable of conducting successful attacks
using ransomware for the purposes of disrupting or destroying targeted networks. In these cases there
is typically no decryption key available.
Cyber criminal actors: Cyber criminal threat actors are capable of encrypting victim machines and
networks, and target organizations and victims that will give them the maximum financial gain.
Threat motivator
Financial gain: The critical infrastructure of the ERI sector represents opportunistic targeting for threat
actors using ransomware who are motivated by financial gain.
Destructive purposes: The critical infrastructure of the ERI sector represents specific targeting for threat
actors repurposing ransomware for destructive purposes. State-sponsored actors may use ransomware
with no intention of ever providing the decryption key, or may even use code that does not produce a
decryption key.
Lessons learned
Ransomware can be used to target organizations in the ERI sector and will continue to be used by
threat actors to impact the sector for destructive purposes in addition to financial gain. All companies
and organizations should be aware of and understand how ransomware could impact their corporate
machines and networks.
____________
Threat actor
State-sponsored actors: DNS hijacking targets and incidents reflect the continued escalation and
sophistication of nation state cyber espionage/warfare from both a strategy and capability standpoint.
Threat motivator
Cyber espionage: DNS hijacking attacks focus on impacting many victims at once. Threat actors use
these attacks to redirect as many victims as possible to sites that install malware on
victim machines and systems, as well as steal credentials.
Lessons learned
DNS hijacking attacks are man-in-the-middle (MitM) attacks and are used to harvest credentials, often
mirroring traffic and redirecting to the legitimate host. Always update and patch. Don't click on
suspicious links in emails or on social media, and make sure the default admin username/password for
the router is changed. Avoid using public Wi-Fi networks to send or receive personal information, or to
log into sites that require a password or username. Implement Domain Name System Security
Extensions (DNSSEC) on all machines. This is an industry-wide security standard allowing domain
owners to monitor traffic on their own domains and check for suspicious activity. They are also able to
register their domains' zones, enabling DNS resolvers to verify the authenticity of all DNS responses.
Using a VPN will bypass router settings and perform DNS lookups automatically.
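An added example, not part of the original report: one way a domain owner can watch for the redirection described above is to compare observed DNS answers against a known-good baseline of nameservers, address ranges and DNSSEC validation status. The domain names, addresses, timestamps and record layout below are constructed for illustration.

```python
import ipaddress

# Constructed baseline: what the domain owner expects to see (assumed values).
BASELINE = {
    "mail.example-utility.test": {
        "ns": {"ns1.example-dns.test", "ns2.example-dns.test"},
        "nets": [ipaddress.ip_network("192.0.2.0/24")],
        "signed": True,  # zone is DNSSEC-signed, so validated answers are expected
    },
}

# Constructed observations, e.g. from scheduled lookups or passive DNS:
# (timestamp, name, answering nameserver, A record, resolver set the AD flag)
OBSERVATIONS = [
    ("2024-01-10T08:00Z", "mail.example-utility.test", "ns1.example-dns.test", "192.0.2.25", True),
    ("2024-01-11T08:00Z", "mail.example-utility.test", "ns1.rogue-host.test", "203.0.113.77", False),
    ("2024-01-12T08:00Z", "mail.example-utility.test", "NS2.example-dns.test.", "192.0.2.25", False),
]


def check(obs):
    """Return the list of hijack indicators for one observation."""
    _ts, name, ns, addr, ad = obs
    base = BASELINE.get(name)
    if base is None:
        return []  # not a monitored name
    findings = []
    # Delegation moved to a nameserver the owner does not operate.
    if ns.lower().rstrip(".") not in base["ns"]:
        findings.append("unexpected-nameserver")
    # Answer points outside the owner's address space.
    ip = ipaddress.ip_address(addr)
    if not any(ip in net for net in base["nets"]):
        findings.append("address-outside-baseline")
    # A signed zone should come back validated (AD flag set by the resolver).
    if base["signed"] and not ad:
        findings.append("answer-not-dnssec-validated")
    return findings


def audit(observations):
    """Map timestamp -> findings for every observation that raised any."""
    return {o[0]: f for o in observations if (f := check(o))}


if __name__ == "__main__":
    for ts, findings in audit(OBSERVATIONS).items():
        print(ts, ", ".join(findings))
```
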
ICS used in ERI processes are becoming more sophisticated and interconnected, which makes ICS more
vulnerable to attack as sensors and controllers continue to be linked to enterprise networks and the
public internet, in efforts to make operations more convenient and efficient. These efforts have actually
significantly increased risk to ICS by establishing pathways for remote access to critical systems.
____________
Threat actor
State-sponsored actors: State-sponsored threat actors utilize industrial control systems (ICS) themed
lures to deliver RATs to ERI organizations.
Threat motivator
Service disruption, destruction, and cyber espionage: State-sponsored threat actors involved in
campaigns targeting ICS in the ERI sector focus on disrupting or destroying critical infrastructure ICS
networks and devices. Additionally, theft of sensitive proprietary data is a motivator for these actors.
Lessons learned
Efforts to make ICS more sophisticated and interconnected for use among organizations in the ERI
sector have significantly increased risk by establishing pathways for remote access to critical systems.
ERI organizations face numerous cross-industry threats which include information stealing malware,
threats to cloud services, and supply chain attacks.
____________
Threat actor
Cyber criminals & APTs: Both types of threat actors utilize information stealing malware, supply chain
attacks, and targeting of cloud services to target cross-industry networks and data, including the ERI
sector, to fulfill their respective agendas.
Threat motivator
Financial gain & cyber espionage: ERI organizations process sensitive proprietary data, which cyber
criminals seek to monetize on the dark web or underground forums. The same sensitive data is also
targeted by state-sponsored threat actors to support national intelligence collection requirements or
gain competitive market advantages.
Lessons learned
Organizations in the ERI sector continue to be attractive targets for cyber criminals and state-sponsored
threat actors across all industries and geographic regions due to the unique information they possess.
As such, they are constantly confronted by both commodity and sophisticated cyber threats.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed
description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.