The energy business, including oil and gas producers, was hit by more targeted malware attacks from April to September last year than any other industry, said the Council on Foreign Relations (CFR) report, citing data from a Houston-based security company, Alert Logic.
Cyber attacks on energy companies, which are increasing in frequency and sophistication, take two main forms, the CFR report said. The first kind, cyber espionage, is carried out by foreign intelligence and defense agencies, organized crime, or freelance hackers.
These parties covertly capture sensitive corporate data or communications with the goal of gathering commercial or national security intelligence. U.S. energy companies are subject to frequent and often successful attempts by competitors and foreign governments to access long-term strategic plans, bids tendered for new drilling acreage, talks with foreign officials and other trade secrets, the report said.
A campaign against U.S. energy companies by hackers based in China, called Night Dragon by McAfee, a leading security company that is part of Intel Corp, began in 2008 and lasted into 2011. The campaign stole gigabytes of material, including bidding data in advance of a lease auction. One unidentified energy company official believes his company lost a bid in a lease auction because of the attack, the CFR report said.
Many companies are either unaware of similar attacks or are afraid to disclose them for fear of upsetting investors, it said.
"That's too bad because it makes it harder for Washington to help them and it also makes it harder for the public to be aware of what threats are out there," said Blake Clayton, a fellow in energy and national security at CFR and a co-author of the report.
The second main cyber risk to energy companies is the disruption of critical businesses or physical operations through attacks on networks.
"This has a lower probability but potentially higher cost," said Clayton.
The Stuxnet virus, said to have been created by the United States and Israel to attack Iran's nuclear program, is an example of a campaign that ended up escaping from its intended target at the risk of causing harm to a U.S. company. Chevron Corp said late last year it had been infected by Stuxnet, but said without elaborating the virus was quickly controlled.
An attack dubbed Shamoon last year on Saudi Aramco, Riyadh's state oil company, ultimately disabled some 30,000 computers. The company said the attack was aimed at stopping oil and gas output at the biggest OPEC crude exporter.
Oil production was apparently unaffected, but damage could have been more severe had the attack penetrated further into the network, the report said.
Hackers from a group called "Cutting Sword of Justice," suspected to be insiders, claimed responsibility for the attack, which was believed to have been delivered using a USB drive.
(Reporting by Timothy Gardner; Editing by Matt Driskill)