BreachExchange mailing list archives

Hacking from below: Subcontractors can leave big companies vulnerable


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Oct 2013 23:13:38 -0600

http://www.mysanantonio.com/business/eagle-ford-energy/article/Hacking-from-below-Subcontractors-can-leave-big-4921092.php

Hackers are finding ways to steal information from even large energy
companies, breaking in through poorly defended subcontractor systems on
their way to financial data, fluid formulas and other goodies.

While the largest companies in the energy industry have taken steps to
protect themselves from intruders, they have failed to insist on the same
vigilance from their subcontractors, said Stephen Coty, director of threat
research for Houston-based security firm Alert Logic.

Its energy industry customers are targeted more often than those in any
other industry and faced nearly 9,000 threats from Jan. 1 to May 23, the
company said. Nearly half of those attacks were the result of malware,
which can be loaded onto computers through contaminated links in emails or
through USB drives.

Thirty-one percent of the threats were brute force attacks, in which
hackers repeatedly attempt to crack passwords, the report said.

“That's higher than any other industry that's going on out there,” Coty
said. “The only thing that might even come close to this would be
financial.”

The company released a report on the problem Wednesday, shining light on an
issue that has drawn concern throughout the security community.

Coty said the gaps in energy company cybersecurity policies are a stark
departure from physical safety protocols, which energy companies stress
daily to their employees and contractors.

“To put it nicely, I'd say it's not a mature process,” he said. “I don't
think that they hold their contractors up to the same standards that they
do their employees. I think that's a growth issue, or understanding the
risks.”

It's not hard to understand why hackers target the energy industry, Coty
said.

“People are wanting to know where they're drilling, what their secrets are,
what's the formula (for hydraulic fracturing fluids),” Coty said. “This is
all data that people are interested in ... even a major company overseas
wants to know those formulas.”

The U.S. Department of Homeland Security reported in January that the
energy industry received 41 percent of all reported cyberattacks in 2012,
more than any other industry.

Alert Logic said in March that about two-thirds of its 54 energy industry
clients experienced brute-force or malware attacks, a higher rate than
companies in other fields.

Attacks on oil companies have ripped through 30,000 computers at Saudi
Aramco and incapacitated drilling rigs, knocking them offline for weeks at
a potential cost of millions of dollars, the Houston Chronicle reported
earlier this year.

Contractors for oil companies, electricity providers and pipeline
businesses are often small and make easy targets for hackers, Alert Logic
said.

Alert Logic described a routine it said hackers use widely to attack energy
companies through contractors.

The process includes researching a company to identify subcontractors that
may have access to valuable information; identifying the subcontractors'
employees; and learning enough about those workers to send targeted emails
containing personal information that would prompt them to click on links.
The links allow hackers to break into computer systems or load malware onto
machines.

Booz Allen Hamilton executive Emile Trombetti said hackers used that tactic
to send a message that appeared to be from his daughter.

“They found out my daughter's name,” Trombetti, senior vice president for
the consulting firm, told the audience at a Houston energy conference last
week. “They found out what school she went to. And they found out her Yahoo
address. And I get an email that says, 'Dad, it's an emergency.'”

Trombetti said he recognized the email as a hack attempt, but worried that
people less familiar with security issues might not see through such ploys.

Attackers also use personal information to try and guess passwords of
company employees.

Hackers have exploited these avenues to jump from subcontractor systems
into major company systems, working through the chain to steal tens of
thousands of user names and passwords, the Alert Logic report said.

Through the stolen credentials, attackers have accessed valuable
information, such as seismic survey data, details of financial deals,
intellectual property and other material, Alert Logic said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/