Operation Oil Tanker: The Phantom Menace – Cyber Defense Magazine

When you think of the term ‘Phantom Menace’, you may think of Star Wars. But to us, as
security experts, Phantom Menace represents one of the most sophisticated and malicious
cyber-attacks our PandaLabs team has ever encountered: an attack on the oil industry from
which its victims are still trying to recover.

Today, most computer threats are designed to steal information from targeted systems. We
examine thousands of cases at PandaLabs because, after all, more than 250,000 new malware
files are put into circulation every day. The Phantom Menace, however, had gone completely
undetected, as it didn’t use any kind of malware. It sailed freely under the radar of the
antivirus engines at multiple companies for years on end.

How did it manage that? The attack was delivered by spear phishing, with an attachment called
“Document” that used a PDF icon and the file extension “.exe”. When we first studied the attack
and saw how it was stealing credentials and relaying them to its source, we assumed some kind
of Trojan was in play – like Zeus, Netbus, or any of the major Trojan families, which are
frequently modified to perform this kind of attack. The “Document” file, though, was a
self-extracting file that created a folder, dropped 6 files into it and ran one of them, which was a
simple script. That script would then go about opening a real PDF, unzipping a file and executing
another script. During this process, credentials were extracted and relayed to the source using
legitimate password recovery tools for browsers and email clients and a simple FTP command
from the operating system.
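The chain above leaves two observables a defender can key on without any malware signature: an attachment whose name and icon say “document” while its content is a Windows executable, and a script interpreter launching the operating system’s own FTP client. The following is an added example, not code from the article or from PandaLabs; the document-word list, the set of script hosts, and the sample attachment bytes and process events are all constructed for the demonstration.

```python
"""
Added example (not from the Cyber Defense Magazine article or PandaLabs):
two defender-side checks for the Phantom Menace pattern described above.
  1. An e-mail attachment that poses as a document but is a Windows
     executable (the article's "Document" file with a PDF icon and .exe).
  2. A script host launching the operating system's FTP client, the
     article's "simple FTP command from the operating system".
All sample data below is constructed; the heuristics are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed heuristics: words that make a filename read like a document,
# extensions Windows will execute, and interpreters the dropped scripts run in.
DOCUMENT_WORDS = re.compile(r"(document|invoice|contract|report|\.pdf)", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def looks_like_masquerading_executable(filename: str, head: bytes) -> bool:
    """True when a file named like a document is really a Windows executable.

    Two signals: the content starts with the PE 'MZ' header (icons and
    extensions can be faked, the magic bytes cannot), or the final extension
    is executable while the name still reads like a document ('Document.pdf.exe').
    """
    is_pe = head[:2] == b"MZ"
    name = basename(filename)
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    named_like_document = DOCUMENT_WORDS.search(name) is not None
    return named_like_document and (is_pe or ext in EXECUTABLE_EXTENSIONS)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, as an EDR or Sysmon-style log would supply."""
    pid: int
    parent_image: str
    image: str
    command_line: str


def find_script_driven_ftp(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return events where a script host spawned the OS ftp client.

    Interactive ftp use by an administrator normally has a shell or explorer
    as parent; a batch or script interpreter as parent is the article's
    'simple script runs an FTP command' shape and deserves a look.
    """
    return [
        ev for ev in events
        if basename(ev.image) == "ftp.exe" and basename(ev.parent_image) in SCRIPT_HOSTS
    ]


def triage(attachments: Iterable[Tuple[str, bytes]],
           events: Iterable[ProcessEvent]) -> List[str]:
    """Run both checks and return one human-readable finding per hit."""
    findings = []
    for name, head in attachments:
        if looks_like_masquerading_executable(name, head):
            findings.append(f"attachment '{name}' is an executable posing as a document")
    for ev in find_script_driven_ftp(events):
        findings.append(f"pid {ev.pid}: {basename(ev.parent_image)} launched ftp.exe "
                        f"({ev.command_line})")
    return findings


# Constructed sample input: (filename, first bytes of content).
SAMPLE_ATTACHMENTS = [
    ("Document.exe", b"MZ\x90\x00"),          # PE with a document-like name
    ("quarterly_report.pdf", b"%PDF-1.4"),    # genuine PDF
    ("setup.exe", b"MZ\x90\x00"),             # plainly named executable
]

# Constructed sample process events.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\ftp.exe", "ftp"),
    ProcessEvent(1002, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\ftp.exe", "ftp"),
    ProcessEvent(1003, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_ATTACHMENTS, SAMPLE_EVENTS):
        print(line)
```

Run as a script it reports the disguised `Document.exe` and the `cmd.exe`-spawned `ftp.exe`, and stays silent on the real PDF, the plainly named installer and the interactively launched ftp client. Neither check needs a sample of the attack; both look at the content-versus-name mismatch and the parent-child process relationship that the article’s description implies.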

Since its behavior could not be immediately classified as malicious, it was allowed to run
unnoticed by behavior-based detectors. The attack managed to steal credentials from 10
different companies, most of them European, whose main activity was the maritime transport of
oil and gas.

Our investigation tracked the source of the Phantom Menace back to Ikeja, a suburb in Lagos,
the capital city of Nigeria. Furthermore, we were able to identify a Nigerian citizen who is most
likely the mastermind behind this attack.

The next step was clear: inform the authorities so that they could start an investigation and
apprehend the person responsible for the hack. For example, one of the affected companies was
from Spain, which led us to the Spanish Civil Guard – a police force we have collaborated with
in the past and which has a very good reputation in the fight against cyber-crime.
Unfortunately, they and other authorities now face a perplexing and challenging problem: to
start an investigation, they need a victim who will report the crime. And yet, none of the 10
known victims of this attack are willing to report it.



22 Cyber Warnings E-Magazine – June 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide