In September 2020, ZScaler published a report outlining a targeted attack on Oil and Gas Supply
Chain Industries in the Middle East. DeNexus’ experts discovered additional details of the attack
and new victims. The new findings provide insight on the strategy the threat actor used, which
can help researchers move forward in the investigation of the attack.
While researching this targeted attack on Oil and Gas Supply Chain Industries, DeNexus’ experts
detected at least 3 campaigns in the wild using the same or similar spear phishing email
templates. We currently know that the threat actor is trying to collect information from the
targeted companies and much of the time uses information stealers as final payloads. In most
cases, the threat actor is using AgentTesla malware as the information stealer.
It was found that seven industrial companies were compromised and ten more were targeted
located in Middle East, APAC, Europe and North America.
Malware distribution strategy has changed – in the most recent campaigns, the threat actor uses
an email with a PDF attachment. The PDF contains a link to a ZIP file hosted on a server controlled
by the threat actor or in a third-party file hosting service.
Not only the distribution methods have evolved, but also, the spear phishing campaigns have
become more sophisticated. The threat actor now registers a domain like the
original victim’s domain, victim’s trusted partner, or supplier in order to make the email look even
“As supply chains grow in complexity, so do the cyber security risks associated to them, especially
when they affect trusted partners. We believe that the information found by our team and that we
are making public today will enable companies to take appropriate action in a timely manner and
mitigate existing information security risks.” says Jose M Seara, Founder & CEO of DeNexus.
“Supply-chain related information is weighting more on overall cyber risk assessment with each
evolution of our DeRISK cyber risk quantification platform.”
“Threat Intelligence is one of three major data sets for our risk modeling. Using information about
threats, tactics techniques and procedures (TTPs), indicators of compromise (IoCs), attacker’s
behavior patterns etc., DeRISK changes risk quantification for affected companies” says Vladimir
Dashchenko, VP of Threat Intelligence at DeNexus.
“Changes in the behavior of attackers indicate that they need to reduce the level of detection of
their malicious actions at the first stages of attacks. It is very important to track the evolution of
such behavior in order to increase protection and timely assess the damage from such cyber
attacks” comments Markel Picado, Malware Analyst and Threat Hunter at DeNexus.
Learn more technical details about the Spear-phishing campaign targeting ICS Supply-chain in the
DeNexus is the leading provider of cyber risk modeling for industrial networks. Powered by
probabilistic inference and machine learning, DeNexus is the world’s first self-adaptive software
platform that predicts where and how breaches are likely to occur in unique client contexts.
Fortune 500 companies from power generation to manufacturing to other critical infrastructure
and operations are beginning to use DeNexus’s engine to understand their bespoke cybersecurity
economics and optimize their risk-reduction ROI.
Learn more at www.denexus.io
1 Harbor Drive – Suite 300
Sausalito, CA. 94065
+1 (415) 944-6700