New threat intelligence report shows how cybercriminals routinely target energy companies on dark web forums
Washington DC, US & Portsmouth, UK – May 16, 2023
Searchlight Cyber, the dark web intelligence company, today released its new report, Dark Web Threats Against the Energy Industry, which examines cybercriminals’ reconnaissance against energy companies on the dark web. The report analyzes threat actor activity against the energy sector over a 12 month period and provides guidance on how this dark web intelligence can be factored into threat models to help organizations improve their security posture.
Searchlight Cyber analysts detail numerous instances of threat actors selling initial access to energy organizations around the world including targets in the USA, Canada, UK, France, Italy, and Indonesia on popular dark web forums like Exploit, RaidForums, and BreachForums. The research also highlights threat actors discussing ICS systems and sharing tutorials, papers, and documents, on ICS/SCADA, PLC, RTU, HMI and other components of industrial systems.
The research also found:
- The predominant activity observed are auctions for initial access to energy companies that routinely take place on dark web forums.
- Threat actors often use the terms “Start”, “Step” and “Blitz”, which indicate the start price, the increments of the bids, and a “buy-it-now” price (blitz) for initial access.
- Most of these auction posts list the access type along with the country of the organization, its industry, and its revenue.
- Several threat actors post multiple “auctions” impacting different organizations, suggesting that they are specialists in the initial access market.
Critically, the report explains how energy organizations monitoring the dark web can use this intelligence to spot when they are being targeted, and to prepare their defenses for the most likely types of attack based on the threats they observe against their peers. This “threat modeling” process involves identifying, categorizing, and prioritizing threats based on a hypothetical attacker’s point of view.
Commenting on the findings, Jim Simpson, Director of Threat Intelligence at Searchlight Cyber said: “Energy companies are routinely discussed on dark web forums, with threat actors frequently auctioning initial access via remote software, VPNs, and stolen credentials for exploiting corporate infrastructure, Industrial Control Systems, and Operational Technology. The examples we highlight in this report are alarming but the intention of this research is to demonstrate to security professionals operating in this sector that they can use this intelligence to protect themselves, if they have access to it.
“With visibility into cybercriminal reconnaissance, energy companies can identify likely paths of attack, inform their defenses, and prioritize security measures that will help them cope with the most imminent threats. Dark web data gives companies an insight into the mindset and operations of cybercriminals, which is invaluable to any intelligence team.”
Click here to download the full report.
About Searchlight Cyber
Searchlight Cyber provides organizations with relevant and actionable dark web intelligence, to help them identify and prevent criminal activity. Founded in 2017 with a mission to stop criminals acting with impunity on the dark web, we have been involved in some of the world’s largest dark web investigations and have the most comprehensive dataset based on proprietary techniques and ground-breaking academic research. Today we help government and law enforcement, enterprises, and managed security services providers around the world to illuminate deep and dark web threats and prevent attacks. To find out more visit slcyber.io or follow Searchlight Cyber on LinkedIn and Twitter.