Zephyr Energy hackers swiped £700,000 after redirecting a contractor payment

Payment to a Zephyr Energy contractor was siphoned off, but the incident has been contained and new security measures implemented


Oil and gas firm Zephyr Energy has reported that one of its US subsidiaries has suffered a cyber intrusion that allowed the attackers to siphon off hundreds of thousands of pounds.

The London-headquartered company said the incident saw a contractor payment diverted to an account controlled by threat actors. The company confirmed around £700,000 was lost in the incident.

"Upon discovery of the incident, the company immediately notified the relevant law enforcement authorities and is working with the corresponding banks and consultants to attempt to recover the diverted funds," the company said in a regulatory filing with the London Stock Exchange.

Zephyr noted that the incident has been contained and IT systems have been thoroughly assessed by a leading cybersecurity consultancy.

Operations and corporate activities are continuing as normal, but Zephyr's own internal IT teams are keeping a close eye on company systems.

"While Zephyr uses industry standard practices in relation to its technology and payment systems, additional layers of security have been implemented as a result of this attack," it added.

"The company's board of directors can confirm that the company has more than sufficient working capital to ensure that this isolated matter will not impact the company's ability to perform its ongoing operations."

Zephyr Energy attack: What happened?

There's no information on how the attack actually took place, but it has all the hallmarks of a business email compromise (BEC) incident.

Via phishing campaigns, hackers typically gain access to email inboxes or accounting systems, which enables them to change bank details during payment or invoice processing, in what's known as an adversary in the middle (AiTM) attack.

Earlier this year, Microsoft warned that AiTM campaigns targeting cloud collaboration platforms such as Microsoft SharePoint and OneDrive were on the rise.

The tech giant specifically highlighted energy companies among those at highest risk of targeting.

At the time, Microsoft’s Defender Research Team said attackers were abusing SharePoint file sharing services to deliver phishing payloads, and had succeeded in compromising a number of accounts.

In terms of mitigation, because the attacker holds a compromised sign-in session rather than just a password, simply resetting passwords doesn't work. Microsoft outlined a series of steps that organizations should take to mitigate risks, including:

  • Using conditional access policies, especially risk-based access policies
  • Implementing continuous access evaluation
  • Investing in advanced anti-phishing solutions
  • Continuous monitoring for suspicious or anomalous activities


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.