Oil companies in India have suffered 3.6 lakh cyberattacks in the last 6 months

22 Apr, 2022

On April 20, state-owned oil supplier Oil India confirmed that the company had suffered a major cyberattack on the information technology (IT) systems of its Assam facilities on April 13. While Oil India said that the attack did not affect operations, media reports claimed that the hackers demanded $75,00,000. In a regulatory filing, Oil India said that the necessary precautions had been taken.

But Oil India isn’t the only petroleum company in India that has suffered such attacks. According to a study by the civil society organization CyberPeace Foundation, nearly 3.6 lakh attacks were detected on such companies between October 2021 and April 12, 2022, by threat intelligence sensors deployed to analyze real-time cyberthreats on networks. The study said that 19,342 threats were detected in February 2022 alone, which was the lowest monthly figure in this period. October had the highest number of attacks, at 1.17 lakh.

The study was part of CyberPeace Foundation’s eKawach program, under which it partnered with Autobot Infosec Private Ltd and CyberPeace Center of Excellence (CCoE) to deploy the SCADA Critical Information Infrastructure (CII) threat intelligence sensors, which are industrial control systems deployed on critical infrastructure.


A spokesperson for CyberPeace Foundation said, “Deploying the simulated network will play a key role in collecting data on attack patterns, different types of attack vectors for the different protocols, and the recent malicious activities.” 

An attack vector is a method used by hackers to exploit cybersecurity vulnerabilities and infiltrate a system or network. 

The study signals the growing number of cyber attacks on critical infrastructure firms in India. Such attacks have increased in the past year not just in India but globally. Several US companies, such as Colonial Pipeline and JBS Foods, were hit by ransomware attacks in 2021. 


Beyond petroleum, power companies in India have also come under fire. Earlier this month, UK-based cybersecurity firm Recorded Future warned about a Chinese state-backed threat campaign targeting power companies in India. The firm had flagged similar attacks on power grids in the country in February as well.

“In recent months, we observed likely network intrusions targeting at least 7 Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states,” the security firm said in a blog post on April 6. It added that the SLDCs were located in North India and in proximity to the disputed Indo-China border in Ladakh.

Last year, the firm had said that a Chinese state-backed hacker group called RedEcho had targeted power grids in India. “This latest set of intrusions, however, is composed of an almost entirely different set of victim organizations. In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group,” the company said in its post.


Further, CyberPeace Foundation also detected a significant increase in phishing and social engineering attacks on Indian organizations in the petroleum or refinery industry. Such attacks are used to dupe users into sharing sensitive information like passwords and other login details. Hackers are even using messaging app WhatsApp to send phishing messages with malicious links in the name of Indian Oil Corporation to unsuspecting users, the firm said.

Though CyberPeace Foundation didn’t attribute the attacks directly to any ransomware group or state-sponsored attack, the researchers pointed out that JavaScript code called hm.js was being executed from a Baidu subdomain, hm.baidu.com, which is used for Baidu Analytics. This indicates the involvement of Chinese hacker groups.

“With the number of ransomware attacks continuing to skyrocket, cybercriminals are expanding their targets by shifting their focus towards critical infrastructure and evolving into deep-rooted software supply chain attack campaigns, which can cause long-lasting devastation,” warned Parag Khurana, country manager of Barracuda Networks, a cybersecurity firm.


Critical infrastructure firms aside, ransomware attacks on Indian organizations, too, have been on the rise. A report this month from security firm Palo Alto Networks noted a 218% year-on-year (YoY) increase in such attacks in 2021.

Barracuda Networks has also seen an increase in cyberattacks on critical infra companies such as Oil India. Attacks on critical infra in India accounted for 11% of all cyberattacks in 2021.

Khurana pointed out that attacks on critical infra companies can cripple day-to-day operations, cause chaos, and result in financial losses from downtime, ransom payments, recovery costs, and other unanticipated expenses.


Using cyberattacks to disrupt critical infra companies started back in 2010, when the US and Israel used the Stuxnet virus to target a nuclear facility in Natanz, Iran, to derail the country’s nuclear program. The virus caused a malfunction in the uranium enrichment centrifuges, which affected the plant's nuclear enrichment efficiency.