Cyber attacks on the Indian petroleum refinery network have been on the rise, with a large number of attacks recorded between October 2021 and April 2022, according to research by CyberPeace Foundation (CPF) and Autobot Infosec Private Limited, along with the CyberPeace Center of Excellence (CCoE).

The research found that nearly 3.6 lakh attack events were recorded between October 2021 and April 2022 on a Critical Information Infrastructure (CII) threat intelligence sensor network, set up by the research group in India to simulate a petroleum refinery network.

The study is part of the CyberPeace Foundation's e-Kawach program, which deploys a comprehensive public network of threat intelligence sensors across the country to capture internet traffic and analyse the cyberattacks faced by a location or an organisation in real time.

Creating simulated networks

“By deploying the simulated network, we can collect data on attack patterns, the different types of attack vectors for the different protocols, and the recent trends of malicious activity,” a CyberPeace Foundation spokesperson said. “Like any other critical infrastructure worldwide, Indian critical infrastructure is also vulnerable to cyber attacks involving state and non-state actors,” the report said.

The Supervisory Control and Data Acquisition (SCADA) Critical Information Infrastructure (CII) threat intelligence sensor network simulating the petroleum and refinery industry saw a surge in cyberattacks, with 3,59,989 hits between October 2021 and April 12, 2022.

Specifically, about 1,17,633 hits were recorded in October 2021 and 55,871 in November 2021. December 2021 recorded 20,714 hits. The number of hits recorded in January, February and March 2022 stood at 52,598, 19,342 and 69,998, respectively.

In April 2022 (until April 12), about 23,833 hits were recorded. The most attacked protocols were FTP, HTTP, s7comm, Modbus, SNMP and BACnet. Vulnerable, internet-facing systems that are left exposed and unmonitored are the targets most attacked by threat actors, it said.

Phishing attacks

It also found an increase in the number of phishing and social engineering attacks on Indian organisations in the petroleum and refinery business. Recently, news had been making the rounds on the internet that Oil India Limited's field headquarters in Dibrugarh, Assam, faced a cyberattack in which malware injected on its systems demanded $75,00,000 as ransom.

Additionally, the CPF spokesperson highlighted the circulation of WhatsApp messages masquerading as an offer from Indian Oil, with links luring unsuspecting users with the promise of Indian Oil fuel subsidy gifts.

A similar study was conducted by the research teams on a WhatsApp campaign containing a link that pretended to be a gift offer from Indian Oil, enticing users to take part in a survey for a chance to win $2,000. The study also highlighted certain warning signs of this particular campaign.

"The campaign pretends to be an offer from Indian Oil Corporation but is hosted on a third-party domain instead of the official Indian Oil website, which makes it more suspicious," it explained. The domain name associated with the campaign was registered recently. Further, multiple redirections were noticed between the links.

“No reputed site would ask its users to share the campaign on WhatsApp. The prize is kept attractive to lure the laypeople. Grammatical mistakes have been noticed,” it further added.

During the analysis, the research team found that a JavaScript file called hm.js was being loaded in the background from the host hm(.)baidu(.)com, a Baidu subdomain used for Baidu Analytics, also known as Baidu Tongji.
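The warning signs the researchers list (a landing page outside the brand's official domain, a recently registered domain, a chain of redirections, a third-party analytics script such as hm.js, and a prompt to share the offer on WhatsApp) can be turned into a repeatable triage check. The following is an added example written for this page, not the CPF study's own tooling: it treats iocl.com as the assumed official domain, the 90-day age and one-redirect thresholds are assumptions, and every campaign record below is constructed test data rather than a captured artefact.

```python
"""Triage a suspected gift-offer campaign against the warning signs named in the report.

Added example for this page; all campaign data is constructed. No network access is made:
WHOIS creation dates, redirect chains and script hosts are supplied as already-collected fields.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Set
from urllib.parse import urlparse

# Assumption: the brand's official registrable domain (the report only says "the official Indian Oil website").
OFFICIAL_DOMAINS: Set[str] = {"iocl.com"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Sufficient for .com-style hosts; a Public Suffix List
    lookup would be needed for hosts such as example.co.in."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class Campaign:
    redirect_chain: List[str]   # URLs visited in order; first entry is the link in the message
    domain_registered: date     # WHOIS creation date of the landing domain (collected beforehand)
    observed_on: date           # date the campaign was analysed
    script_hosts: List[str]     # hosts that served scripts to the landing page
    page_text: str              # visible text of the landing page


def warning_signs(c: Campaign, official: Set[str] = OFFICIAL_DOMAINS,
                  max_redirects: int = 1, young_days: int = 90) -> List[str]:
    """Return one flag per warning sign observed; an empty list means none of them fired."""
    flags: List[str] = []

    landing_host = urlparse(c.redirect_chain[-1]).hostname or ""
    if registrable_domain(landing_host) not in official:
        flags.append(f"third-party domain: landing page is on {landing_host}")

    age_days = (c.observed_on - c.domain_registered).days
    if age_days < young_days:
        flags.append(f"young domain: registered {age_days} days before observation")

    hops = len(c.redirect_chain) - 1
    if hops > max_redirects:
        flags.append(f"redirections: {hops} hops before the landing page")

    foreign_scripts = sorted({h for h in c.script_hosts if registrable_domain(h) not in official})
    if foreign_scripts:
        flags.append("third-party scripts: " + ", ".join(foreign_scripts))

    text = c.page_text.lower()
    if "share" in text and "whatsapp" in text:
        flags.append("share prompt: page asks the user to forward the offer on WhatsApp")

    return flags


# Constructed sample resembling the campaign described in the article (domains are reserved .example names).
SUSPECT = Campaign(
    redirect_chain=[
        "http://short.example/io-gift",
        "http://track.example/r?cid=42",
        "https://indianoil-gift.example/survey",
    ],
    domain_registered=date(2022, 3, 20),
    observed_on=date(2022, 4, 10),
    script_hosts=["indianoil-gift.example", "hm.baidu.com"],
    page_text="Answer 3 questions and share with 5 WhatsApp groups to claim your $2,000 gift!",
)

# Constructed control: a page on the assumed official domain with none of the indicators.
CONTROL = Campaign(
    redirect_chain=["https://www.iocl.com/offers"],
    domain_registered=date(1999, 1, 1),
    observed_on=date(2022, 4, 10),
    script_hosts=["www.iocl.com"],
    page_text="Official customer offers.",
)


def triage(c: Campaign) -> str:
    """One-line verdict for an analyst queue."""
    flags = warning_signs(c)
    return f"{len(flags)} warning sign(s): " + "; ".join(flags) if flags else "no warning signs"


if __name__ == "__main__":
    print(triage(SUSPECT))
    print(triage(CONTROL))
```

Each indicator is reported separately rather than collapsed into a single score, so an analyst can see which of the report's signs fired; the share-prompt check is a plain keyword match and will need tuning against real page text.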

Chinese attack

“The important part is that Baidu is a Chinese multinational technology company specialising in Internet-related services, products, and artificial intelligence, headquartered in Beijing’s Haidian district, China,” it said.

Cyberattacks on critical infrastructure more broadly have also been on the rise. Recently, threat intelligence firm Recorded Future Inc said in a report that a suspected Chinese state-sponsored activity group had been targeting India's power sector as part of a cyber-espionage campaign.

Recorded Future's Insikt Group has detected "ongoing targeting of Indian power grid organisations by China-linked adversaries". In recent months, it has observed network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs), which are responsible for real-time grid control and electricity dispatch operations.

Apart from the targeting of power grid assets, the same threat activity group also compromised a national emergency response system and the Indian subsidiary of a multinational logistics company, the report said.
