Dark Web Threats Target Energy Industry as Cybercrime Tactics Shift
The energy industry is increasingly targeted by malicious actors and threat groups through activity on the dark web, according to a report from Searchlight Cyber, which detailed numerous instances of threat actors selling initial access to energy organizations around the world.
These include targets in the U.S., Canada, United Kingdom, France, Italy and Indonesia on popular dark web forums like Exploit, RaidForums and BreachForums.
Energy Industry Targets
The predominant activity observed against the energy industry on the dark web is “auctions” for initial access to energy companies routinely taking place on dark web forums, with Exploit being the most popular site for these auctions.
The report noted some threat actors post multiple auctions impacting different organizations, suggesting that they are specialists in the initial access market.
Threat actors often use the terms “Start,” “Step” and “Blitz,” which indicate the start price, the bid increments and a “buy-it-now” price (blitz) for initial access.
The research also highlighted threat actors discussing ICS systems and sharing tutorials, papers and documents on ICS/SCADA, PLC, RTU, HMI and other components of industrial systems.
Craig Jones, vice president of security operations at Ontinue, called the report illuminating and said they revealed a significant shift in the threat landscape targeting the oil and gas industry.
“The fact that threat actors are auctioning off initial access to corporate networks on the dark web underscores the sophistication and organization within the cybercriminal underworld,” he said.
Notably, these auctions aren’t localized; they target organizations in numerous countries around the world, highlighting the global nature of this threat. He added that the standardization of auction posts with terms like “Start,” “Step” and “Blitz” suggested a level of maturity in this illicit marketplace.
“It also provides a window into the kind of information cybercriminals value when targeting organizations, such as access type, country, industry and revenue,” Jones said.
He added that while this activity is “undoubtedly alarming,” it’s important to note that this visibility can be turned into an advantage for security professionals.
“By monitoring these dark web forums, we can identify potential threats to our organizations and take proactive measures to safeguard networks,” he noted.
Threat Modeling Insights
Furthermore, he said the report’s findings offered valuable insight for threat modeling.
“Even if an organization doesn’t match the exact profile of a victim listed in an auction post, the fact that this tactic is being used against other energy companies is crucial information,” Jones said. “It can inform defensive strategies, helping security teams prepare for and mitigate such threats.”
Phil Neray, vice president of cyber defense strategy at CardinalOps, a detection posture management company, pointed out that ransomware threat actors are going after any industry that generates significant profits, and energy companies certainly fall into that category.
He added that energy industry organizations tended to have weaker security controls due to a high number of remote access connections that can be exploited via weak or stolen credentials (MITRE ATT&CK T1589.001) or VPN vulnerabilities (T1588.005).
“In fact, Colonial Pipeline was breached by the DarkSide ransomware gang via a compromised VPN, resulting in a ransomware payout of $4.4 million dollars plus a proposed fine of nearly $1 million from federal regulators,” he pointed out.
From his perspective, preventing breaches starts with having the right detections in your SOC and, as described in the report, organizations should be using MITRE ATT&CK to build a threat-informed defense based on detecting TTPs commonly used by adversaries targeting their industries.
Mike Parkin, senior technical engineer at Vulcan Cyber, noted that the energy sector is not a new target for cybercriminal attack, which the report ultimately reinforces—it also showed just how advanced the cybercrime ecosystem has become.
“Between crime-as-a-service offerings, brokers selling access to compromised targets, botnets, cryptomining farms and what have you, they are showing the diversity and maturity we expect from legitimate commercial organizations,” he said.
He explained that having this additional information could be helpful for an organization to understand what sort of adversaries they may face, but the truth is anyone can be a target.
“Ultimately, the standard precautions we should all be taking—up-to-date patches, secure configurations, educated users and other measures—applies regardless of where we expect an attack to originate,” Parkin said.