As first reported by The Local and Dagens Næringsliv, the National Security Authority Norway (Nasjonal Sikkerhetsmyndighet – NSM) detailed how 50 companies in the oil sector were hacked and how another 250 have been warned that they may have been hit too.
NSM is Norway's prevention unit for serious cyber-attacks and, like CERT-UK in Great Britain, warns companies about the newest threats. It took part of the CyberEurope2014 exercise in June.
The companies themselves haven't been named – although NSM is investigating whether the computer systems at Statoil, Norway's largest oil company, were targeted. Technical details are also few and far between at this moment in time.
This isn't the first time this type of attack has hit Norwegian shores, with ten oil, gas and defence sector firms hit via targeted spear-phishing emails in 2011. The unidentified hackers made off with industrial drawings, contracts and log-in credentials.
Responding to the news, Alan Calder, founder and executive chairman of IT Governance, told SCMagazineUK.com that cyber-criminals often use spear-phishing emails as the starting point for their attack.
“Spear phishing attacks – increasingly through the compromised systems of small suppliers to large companies– is an increasingly interesting attack vector for criminals attempting to steal valuable information and IP,” Calder said.
“Small companies are inexpert at cyber self-defence – hence the UK government launching its Cyber Essentials certification scheme. We hope to see more and more large organisations themselves becoming CE certified and then insisting on their suppliers all doing the same.
Independent security technologist and ethical hacker Jonathan Care added that the energy sector is increasingly under threat from hacker and nation states.
“The energy industry is under increasing attack from a number of actors, including unfriendly nation states, competitors who engage in a "dirty tricks" war, and criminals intent on extortion, theft and damage,” Care told SC.
“This has now extended to the online world, as many corporations in this sector are unprepared for online attacks and the engineers responsible for control systems are not nearly enough aware of the threats, attack profiles, and vulnerabilities that exist in currently deployed systems.
“For example, a number of systems which control critical energy services (as well as other utilities) are deployed with remote access available to the internet at large, often with little or no authentication to protect these terribly vulnerable - and fragile systems from attacks. We need to apply proper discipline to control systems in the same way that it is currently exists for IT systems."
He added: "We've seen the same arguments in past in mainstream IT - these systems are too important to patch, no one will know if I make a remote access backdoor for convenience, or simply "who would want to hack me?".