Hackers target oil, gas firms with “Phantom Menace“
19 May 2015
The oil transportation world has suffered the most severe and sophisticated cyber attacks new findings reveal.
According to a report by Panda Security, Operation Oil Tanker: The Phantom Menace, the breach was discovered when an employee opened an infected PDF that was declared safe by existing security systems.
The document seemed like a PDF file of approximately 4MB in size, with information about the oil market.
However, a blank screen appeared when the employee clicked on the PDF.
Though other anti-virus programmes had failed to detect the attack, a pilot security programme, it had been flagged as suspect by a pilot security even though the cyber attack had created a number of sophisticated custom scripts to avoid detection by anti-virus software.
What was different about the attack from the thousands of others that seek to steal information was the fact that it could remain hidden for as long as it did.
According to experts this was in part due to absence of any malware, hence the name 'Phantom Menace'.
The programme, which is basically a self-extracting file, creates a folder and extracts six files into it, once it is run. It then runs one of them – stat.vbs - but does nothing else.
Despite being hit by the cyber-attack, none of the dozens of affected companies had been willing to report the invasion and risk global attention for vulnerabilities in their IT security networks.
Luis Corrons, PandaLabs technical director and report author, said, ''Initially this looked like an average non-targeted attack. Once we dug deeper, though, it became clear that this was a systematic, targeted attack against a number of companies in the same specific industry sector.''
In most cases, establishing the identity of the source of a cyber-attack is tremendously challenging, but once discovered, The Phantom Menace had a tell tale weakness - the FTP connection used to send out the stolen credentials. Through the FTP connection, PandaLabs identified both an email address and name.
Corrons added, ''We can limit the impact of this potentially catastrophic cyber-attack, but only if the victimised companies are willing to come forward.''
According to Panda Security, it was ready and willing to identify the individual to authorities, but in the absence of credible reports from the alleged victims, the authorities were unable to launch their investigations or make any arrests.