[Image: refinery. Credit: Taylor Hunt via Pexels]

'Unsophisticated' hackers targeting systems used by oil and gas industry, CISA says

Cyberthreat actors are targeting complex systems used by the oil and natural gas industry, according to a one-paragraph notice published by the Cybersecurity and Infrastructure Security Agency (CISA).

The agency is warning of “unsophisticated cyber actor(s)” targeting technology used by U.S. critical infrastructure sectors — particularly in “Energy and Transportation Systems.”

The advisory says the hackers are targeting the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) technology typically used by companies in these sectors for a variety of operational tasks. CISA, the FBI, the Environmental Protection Agency and the Department of Energy (DOE) also published a more general guide on threats to such systems.

A CISA spokesperson declined to provide specifics on what actors are being referred to and what incidents prompted the advisory. No attacks on oil or natural gas companies have been reported publicly in recent weeks.

The hackers, according to the advisory, are using “basic and elementary intrusion techniques” but the agencies said the “presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage.”

The larger guide urges organizations to take basic measures like removing operational technology from the internet, changing default passwords, securing tools used to remotely access networks and segmenting operational networks from business IT networks.

Officials added that critical infrastructure operators should practice running operational technology manually.

“The capability for organizations to revert to manual controls to quickly restore operations is vital in the immediate aftermath of an incident,” they explained. “Business continuity and disaster recovery plans, fail-safe mechanisms, islanding capabilities, software backups, and standby systems should all be routinely tested to ensure safe manual operations in the event of an incident.”

Several energy industry titans were attacked in 2024, including Halliburton and Newpark Resources. U.S. experts were also called in to Costa Rica after the country’s state-owned energy provider was hit with ransomware.

Since the headline-grabbing 2021 attack on Colonial Pipeline, companies like Shell, Encino, Oiltanking, Mabanaft and more have dealt with ransomware incidents — prompting increased efforts by the federal government to mandate stricter cybersecurity protections.

Securing critical infrastructure and operational technology was a significant concern raised repeatedly at the RSA Conference in San Francisco last week, where Department of Homeland Security secretary Kristi Noem pledged to have CISA focus on the issue.

Kate Ledesma, who spent five years at CISA before moving to industrial cybersecurity firm Dragos, told Recorded Future News at the conference last week that Dragos has seen an increase in the number of unsophisticated intrusions causing significant disruption to critical infrastructure.

Ledesma referenced last year’s string of attacks by Iranian actors targeting tools used within water utilities across the U.S. In response to the Israel-Hamas conflict, Iranian actors defaced several water utilities, often exploiting devices that were being used with default passwords still enabled.

“One thing we think and talk a lot about at Dragos, and I think our government colleagues as well, is there are a lot of very non-sophisticated things that actors and threat groups can do that can cause disruption to our critical infrastructure,” she said.

“Things that maybe didn't cause cascading disruptions at that time, but these very non-sophisticated methods can cause disruptions, and if done at scale, could cause larger disruptions that could have an impact on the operations of our infrastructure.”

Derek Manky, global vice president of threat intelligence at Fortinet’s FortiGuard Labs, added that the company has seen a dramatic evolution in attackers targeting industrial environments with more sophisticated techniques.

The rise of crime-as-a-service (CaaS) operations has made it easier for adversaries to launch attacks, providing them with ready-made tools to breach critical infrastructure, he explained.

One of the most significant shifts, according to Manky, has been the increasing convergence of regular IT with operational technology (OT) environments, which expands the attack surface and makes traditional security measures insufficient.

“Threat actors are capitalizing on this shift by leveraging new attack methods that were previously impractical to use against air gapped OT systems and employing reconnaissance-as-a-service to map out OT networks before deploying malicious payloads,” he said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.