At 1:48 p.m. Aug. 1, 2012, Walter Energy Inc. submitted a press release to a newswire service announcing its quarterly results—just more than two hours before the news was made public.
At 2:14 p.m., less than 30 minutes after the wire service uploaded the press release into its system, someone bought Walter Energy CFDs referencing 36,000 shares of stock, valued at about $1.2 million, and then made another trade for a larger amount through a different account. That afternoon someone else carried out a similar transaction, the U.S. Securities and Exchange Commission said in court documents unsealed this week. It all happened before the press release became public.
The next day the two are accused of closing their positions in the Walter Energy CFDs and pocketing a combined $137,000 in profit as part of what Andrew Ceresney, director of the SEC’s Enforcement Division, called “one of the most intricate and sophisticated trading rings that we have ever seen, spanning the globe and involving dozens of individuals and entities.”
Walter Energy was only one of the targeted companies—others included Caterpillar Inc. and Panera Bread Co.— listed in a federal court document detailing the SEC’s fraud charges against 32 people. They are accused of using advanced techniques to hack into two or more newswire services between 2010 and 2014 to steal hundreds of corporate earnings announcements before the newswires released the information publicly. The information was then sent to traders in Russia, Ukraine, Malta, Cyprus, France and the U.S.
The scheme, allegedly led by two Ukrainians, generated more than $100 million in illegal profits, the SEC said. The hack shows that the cyber security threats are becoming more elaborate and should remain on the radar for oil and gas companies, which have been frequent targets of cyber attacks in the past.
While the latest high-profile scheme was elaborative, the oil and gas industry is typically still seeing the same previously deployed attacks, experts said.
“In many cases, attackers are using the same methods to hack into companies’ systems given that attackers frequently will look for the path of least resistance such as phishing emails,” said Edwin Cisneros, director of PwC’s cyber security practice.
But use of malware via phishing email; compromised credentials; and water holes, essentially “web browsing drive-by attacks,”are among the fastest-growing sources of cyber attacks against the oil and gas sector, he added.
“If common methods don’t prove to be successful, the game is then changed to increase the sophistication of the attack vectors,” he said.
The oil and gas industry is also still seeing attacks through email, infected USB sticks being plugged in machines and employees being talked out of information over the phone, Red Tiger Security Founder Jonathan Pollet told Hart Energy.
“We are also seeing that sometimes the attackers will target the equipment manufacturers,” Pollet said. He explained this involved the attacker getting equipment that a company would buy, finding the equipment’s vulnerability and putting in code that has been infected with malware. “So it’s like a supply chain issue.”
The motives vary. It could be an attempt to swipe new technology or other intellectual property, damage infrastructure, defame or wreak havoc elsewhere because they simply don’t like the company and its actions, or in the latest high-profile case—money.
“Former employees are becoming more of a threat especially with the ease of personal devices coupled with the lack of monitoring controls, processes and other technologies that can be used to detect exfiltration of data or system configuration changes,” Cisneros added.
So what can companies do to protect themselves?
“It requires having a robust security program, so it’s not just one technology that is going to protect them,” Pollet said.
The companies that are doing it right have built a cybersecurity program starting with governance or determining who has responsibility for cybersecurity, investing in qualified staff and identifying missing technical solutions such as firewalls, intrusion prevention systems or applications, he added.
The National Institute of Standards and Technology, which provides a set of security controls that should be in place to protect companies, can also be a big help, he said. Red Tiger helps companies in various sectors implement such controls and framework.
A study conducted in April by Symantec Corp. found that hackers attacked 43% of global mining, oil and gas companies at least once last year, Bloomberg reported in June. That month, another survey—conducted by Trend Micro Inc.—revealed 47% of energy organizations reported attacks.
But Cisneros said the frequency of attacks is down.
PwC’s Global State of Information Security Survey 2015 showed the average number of detected incidents against oil and gas companies dropped from 6,511 in 2013 to 5,493 in 2014.
Executive committees are regularly discussing cybersecurity and forming partnerships to develop strategies and identify risks, Cisneros said. “This is a strategic trend we are seeing contrasting the tactical approach of buying a new tool or focusing on threat vector.”
And the downturn doesn’t seem to have deterred attention on cyber security threats. Instead, it has helped companies become more strategic, focus efforts on high-risk areas and develop multiyear cyber security roadmaps, Cisneros said.
There is still a growing interest in cyber security, Pollet added.
To companies thinking about cutting back in this area given the sector’s tough times, Cisneros said:
“This is a perfect time to ask yourself, ‘Do I have a strategy or am I putting out fires? Am I being efficient in using a rifle and knocking out the areas of higher risk or is my approach a shotgun approach and hoping I hit something critical?’ ”
His advice: “First, focus on your cyber security strategy, then you can decide which initiatives makes sense to focus your resources.”
Velda Addison can be reached at firstname.lastname@example.org or via Twitter @veldaaddison.