The latest Searchlight Cyber threat intelligence report exposes how cybercriminals sell initial access to energy industry companies on dark web forums – with real examples of posts auctioning vulnerabilities in organisations around the world.
New energy industry report
Searchlight Cyber’s recent survey of CISOs found that 72% of oil and gas companies are already gathering data from the dark web. While that is a promising start, Searchlight Cyber noted at the time that this is lower adoption than in comparable high-risk industries:
- financial services (85%)
- manufacturing (83%)
- transportation (81%)
Even more concerningly, more than a quarter (27%) of energy industry CISOs said that they believe that activity on the dark web has no impact on their company.
The Searchlight Cyber report, Dark Web Threats Against the Energy Industry, demonstrates conclusively that this is not the case by showing that energy companies are routinely discussed on dark web forums, in particular by threat actors auctioning initial access to remote software, VPNs and stolen credentials.
This analysis is based on a sample gathered over a 12-month period (February 2022-February 2023) that is indicative of the types of threat actor activity that takes place on dark web sites, forums and marketplaces.
Key findings of the report
The primary takeaway of this threat intelligence is that the predominant activity we observe against the energy industry is “auctions” for initial access to corporate networks that routinely take place on popular dark web hacking forums, including Exploit and (the now defunct) RaidForums and BreachForums.
The sample in this report alone includes numerous listings for organisations in countries all over the world, including targets in the USA, Canada, UK, France, Italy and Indonesia.
These dark web auction posts have their own standard “format”. Threat actors often use the terms “Start”, “Step” and “Blitz”, which indicate the start price, the increment of the bids, and a “buy-it-now” price (blitz).
Most of these auction posts also list the access type along with the country of the organisation, its industry and its revenue. In some cases, the name of the organisation is also given.
The post in the image below is a typical example of the format and content of these posts. From the information provided by the threat actor we can determine:
While cybercriminals share this information with the intention of attracting buyers, visibility into auction activity on dark web forums offers security professionals a valuable opportunity to identify if their organisation is being targeted.
With information on the revenue, location, and technology of the potential victim, security teams can determine if they fit the profile and take mitigative action.
Even if they don’t fit the exact profile of the victim, they know this is a tactic being used against other energy companies that they should factor into their threat modelling.
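The following is an added example of how a security team might operationalise the auction format described above; it is not code from Searchlight Cyber or its report. It parses constructed sample posts (invented here, not real listings) for the Start/Step/Blitz prices, access type, country, industry and revenue, then compares each listing against the defending organisation's own profile to decide whether it warrants investigation. The field patterns, the revenue tolerance and the mapping of access types to MITRE ATT&CK technique IDs (T1133 External Remote Services, T1078 Valid Accounts) are my assumptions, not values from the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample posts imitating the "Start / Step / Blitz" auction format.
# These are invented for illustration and do not correspond to real listings.
SAMPLE_POSTS = [
    "Selling access to energy company\nCountry: USA\nIndustry: Oil and gas\n"
    "Revenue: $450M\nAccess: VPN (domain user)\nStart: 2000$ Step: 500$ Blitz: 5000$",
    "Access RDP, Canada, energy, rev 1.2B\nStart 1500 Step 250 Blitz 4000",
    "General forum chatter with no auction fields at all",
]

# Countries named in the report's sample; extend with your own watch list.
COUNTRIES = ["USA", "Canada", "UK", "France", "Italy", "Indonesia"]

# Keyword patterns (assumed) for the access types typically listed.
ACCESS_PATTERNS = [
    (re.compile(r"\bvpn\b", re.I), "VPN"),
    (re.compile(r"\brdp\b|remote desktop", re.I), "RDP"),
    (re.compile(r"\bcitrix\b", re.I), "Citrix"),
    (re.compile(r"credential|\bcreds\b|\blogin\b", re.I), "credentials"),
]

# Assumed mapping of access type to ATT&CK initial-access technique IDs.
ATTACK_TECHNIQUES = {"VPN": "T1133", "RDP": "T1133", "Citrix": "T1133", "credentials": "T1078"}

PRICE_RE = {k: re.compile(rf"\b{k}\b\s*[:=]?\s*\$?\s*([\d,]+)", re.I) for k in ("start", "step", "blitz")}
REVENUE_RE = re.compile(r"\b(?:revenue|rev)\b\s*[:=]?\s*\$?\s*([\d.]+)\s*([kmb])?", re.I)
INDUSTRY_RE = re.compile(r"oil\s*(?:and|&)\s*gas|\benergy\b|\butilit", re.I)


@dataclass
class AuctionListing:
    start: Optional[int] = None
    step: Optional[int] = None
    blitz: Optional[int] = None
    access_type: Optional[str] = None
    country: Optional[str] = None
    industry: Optional[str] = None
    revenue_usd: Optional[int] = None

    def is_auction(self) -> bool:
        # A post carrying a start price is treated as an access auction.
        return self.start is not None


@dataclass
class OrgProfile:
    country: str
    industry: str
    revenue_usd: int
    remote_access: tuple  # externally exposed technologies, e.g. ("VPN", "RDP")


def parse_listing(text: str) -> AuctionListing:
    """Extract the auction fields from a raw forum post."""
    listing = AuctionListing()
    for key, pattern in PRICE_RE.items():
        m = pattern.search(text)
        if m:
            setattr(listing, key, int(m.group(1).replace(",", "")))
    for pattern, label in ACCESS_PATTERNS:
        if pattern.search(text):
            listing.access_type = label
            break
    for country in COUNTRIES:
        if re.search(rf"\b{country}\b", text, re.I):
            listing.country = country
            break
    if INDUSTRY_RE.search(text):
        listing.industry = "energy"
    m = REVENUE_RE.search(text)
    if m:
        mult = {"k": 1_000, "m": 1_000_000, "b": 1_000_000_000}.get((m.group(2) or "").lower(), 1)
        listing.revenue_usd = round(float(m.group(1)) * mult)
    return listing


def profile_match(listing: AuctionListing, profile: OrgProfile, revenue_tolerance: float = 0.25) -> list:
    """Return the listing fields that match the defending organisation's profile."""
    matched = []
    if listing.country and listing.country.lower() == profile.country.lower():
        matched.append("country")
    if listing.industry and listing.industry == profile.industry:
        matched.append("industry")
    if listing.revenue_usd is not None and abs(listing.revenue_usd - profile.revenue_usd) <= revenue_tolerance * profile.revenue_usd:
        matched.append("revenue")
    if listing.access_type and listing.access_type in profile.remote_access:
        matched.append("access_type")
    return matched


def triage(listing: AuctionListing, profile: OrgProfile) -> dict:
    """Decide how a listing should be handled and note the relevant ATT&CK technique."""
    matched = profile_match(listing, profile)
    if not listing.is_auction():
        verdict = "ignore"          # not an access auction
    elif len(matched) >= 3:
        verdict = "investigate"     # strong profile fit: treat as a possible sale of our access
    else:
        verdict = "note"            # tactic seen against peers: feed into threat model
    return {"verdict": verdict, "matched": matched, "technique": ATTACK_TECHNIQUES.get(listing.access_type)}


if __name__ == "__main__":
    ours = OrgProfile(country="USA", industry="energy", revenue_usd=400_000_000, remote_access=("VPN",))
    for post in SAMPLE_POSTS:
        print(triage(parse_listing(post), ours))
```

Listings that fit on country, industry, revenue and an exposed access technology are escalated; listings that fit only partially are still recorded, since the page's point is that the tactic belongs in the threat model even when the exact victim is someone else.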
Threat modelling for the energy industry
While one objective of this report was to demonstrate beyond a doubt that the activity on the dark web does impact energy companies, the second – and more important objective – was to provide security teams at energy companies with advice and guidance on what they can do about it.
Searchlight Cyber has therefore combined the reconnaissance it has observed over the past year with insight into how energy companies can start threat modelling – a process for identifying, enumerating, and prioritizing threats – based on dark web intelligence.
Where applicable, it has also provided the MITRE ATT&CK codes for the attack techniques it has observed, to demonstrate how this intelligence can practically be used by energy organisations to improve their understanding of – and defences against – threat actors that are targeting them on the dark web.
By building threat models, and feeding them with intelligence gathered from the dark web, energy organisations can identify threats against their organisations from right at the beginning of the Cyber Kill Chain, which allows their security posture to be much more responsive to emerging attacks.
Download Searchlight Cyber’s report – Dark Web Threats Against the Energy Industry – for the full analysis and findings of its dark web intelligence. For more on Searchlight Cyber, visit its website.