Attacks on the energy sector are rooted in the Dark Web
The risk of attacks on companies operating in the energy sector is high, especially in light of the current geopolitical context. Such companies are a strategic target both for criminal groups dedicated to extortion and for state actors operating with the purpose of sabotage and intelligence gathering.

The dark web intelligence company Searchlight Cyber has published an interesting report analyzing how malicious actors find a thriving ecosystem on the dark web for preparing attacks specifically against organizations in the energy sector.
Experts point out that attackers of various kinds use the dark web to gain access to previously compromised networks or to acquire resources and information useful for attacks.
Various categories of actors have ended up under the magnifying glass, from hackers who offer support for the various stages of an attack to “access brokers.”
The role of an “access broker” is essential in the cybercrime ecosystem: these actors facilitate the sale or exchange of initial access to computer networks or systems. The access they offer for sale either comes from a previous compromise of the target systems or was stolen through a variety of techniques, such as malicious code or spear-phishing campaigns.
These brokers act as intermediaries between the cybercriminals who gain unauthorized access to an organization’s networks and the buyers interested in purchasing or using that access to launch an attack. In practice it is as if someone had obtained a copy of the keys to your house and resold it to the highest bidder, who will then break into your house to carry out the crime.
The access to a company is often offered on specialized hacking forums and marketplaces.
Initial access to a company’s network can be offered in various forms, such as login credentials for dial-up connections, RDP access, VPN credentials, or stolen credentials for accessing services and servers.

Monitoring this market is essential for those involved in threat intelligence, and even more so for companies that are possible targets of attacks: by discovering that access to their network is on sale, they can close the door to attackers in time and avoid catastrophic intrusions.

The Searchlight report offers an interesting insight into this underground world; it focuses on the buying and selling of initial access to energy organizations and warns of the related risks.

The report is based on the analysis of posts published between February 2022 and February 2023 on hacking forums, dark web sites, and marketplaces used by cybercriminals.
Only announcements and discussions offering or seeking initial access to the networks of energy sector organizations were analyzed; the sample proposed in the report is a subset of a larger analysis and includes targets in the United States, Canada, the United Kingdom, France, Italy and Indonesia.
It is immediately evident that such access is always auctioned: the highest bidder wins exclusive access to the network of the company whose access is for sale.
“The predominant activity we observe against the energy industry on the dark web is the ‘auctions’ for initial access to energy companies that routinely take place on dark web forums.” reads the report published by the experts. “The listings also include companies across the energy sector spectrum – upstream, midstream and downstream – in traditional energy companies such as oil and gas but also renewable energy organisations.”
The following image shows an example of an auction listing, which gives the type of company, its size, its geographical location, and of course the type of access. The rules for participating in the auction are also visible, i.e. the starting price (Start), the increment for each bid (Step), and the price to immediately close the auction, known as “Blitz.”
The turnover of the company is reported because it gives an indication of the “gain potential” in case of a successful attack once the company has been penetrated.

The offers analyzed included initial access prices ranging from as little as $20 up to $2,500, depending on various parameters such as the geographic location of the target organization or the potential for supply chain attacks.
This last aspect is interesting: by compromising one company it is possible to impact a variable number of other companies that use its services, even reaching the partial paralysis of an entire sector. This is what happened during the attack on Colonial Pipeline in the USA in May 2021, when fuel distribution on the East Coast of the USA was heavily impacted and the average price for a gallon of gas rose to levels not recorded since 2014.
What is most worrying is the presence of discussions and offers relating to ICS (industrial control system) and OT (operational technology) systems, on whose operation the industrial processes of energy sector companies, and more generally any industrial process, depend.
Interfering with these processes could lead to the total shutdown of a company’s operations and even cause accidents leading to environmental disasters or loss of life.
The malicious actors monitored by the company have in some posts offered detailed instructions on how to exploit known vulnerabilities in Internet-facing ICS systems, as well as detailed information about the companies that use them.

“Dark web intelligence is a valuable asset for monitoring an organization’s security posture, helping the security team identify early indicators of attack and feeding into their threat analysis models,” concludes Jim Simpson, Director of Threat Intelligence at Searchlight Cyber. “Even if companies don’t have the resources to conduct threat hunting, the data could be used as a source of information to do some reasoning and simulations. What if our VPN has a vulnerability and an attacker exploits it to get credentials for a privileged user in R&D? How would we respond to this incident?”
