US warns oil and gas sectors of ‘unsophisticated’ cyberattacks

The federal government on May 6 issued a joint advisory that said it is aware of so-called “unsophisticated” cyber actors targeting industrial systems within the oil and natural gas sectors, specifically in energy and transportation systems.
Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets on these ICS/SCADA systems can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage, according to the federal government.
The joint advisory, released by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Department of Energy (DOE), urged companies in these sectors to focus on their OT and ICS systems.
“The recent joint advisory warning that hackers are targeting ICS and SCADA systems in the oil and gas sector shouldn’t be brushed aside as a routine update,” said Callie Guenther, senior manager, cyber threat research at Critical Start. “Even though the advisory describes the actors as ‘unsophisticated,’ the underlying message is that basic attack methods are still working — and that’s a major problem.”
Guenther, an SC Media columnist, added that if attackers are breaching critical systems with default credentials and poorly secured remote access, the issue isn’t just the attackers’ skill level; it’s systemic negligence in the sector’s cybersecurity practices. She said this reflects long-standing challenges in critical infrastructure: a reliance on legacy systems, weak segmentation between IT and OT networks, and underinvestment in cybersecurity for operational technology.
Lawrence Pingree, vice president at Dispersive, said when it comes to unsophisticated threat actors, AI is providing fuel to an already very accessible hacking scene by educating threat actors, who are just beginning to do nefarious acts, and accelerating them with automation and AI agents.
“The entrance of less sophisticated actors is fully expected due to the benefits from the generative AI wave of agentics combined with the hacking tools readily available online,” said Pingree. “When it comes to alerts, the important thing here is to perform an on-demand assessment to explore whether you have any of these devices present in your environment and isolate them properly at the network layer and for remote administrative access.”
Thomas Richards, infrastructure security practice director at Black Duck, pointed out that these alerts are very serious and come from observed actions by these malicious actors compromising critical systems. Richards said the motivation of the malicious actors is irrelevant — if an organization’s sensitive systems are exposed to the internet with no security hardening, they are at risk of a compromise.
“Many times, these systems are provided internet access for remote connectivity from support teams and vendors, but this creates a major security risk without restricting who can access it and adding proper authentication controls,” said Richards. “Organizations in this space should conduct a complete review of their external attack surface and identify insecure devices that are exposed. Once these devices are identified, controls should be put in place to prevent unauthorized access.”
Critical Start’s Guenther added that the recent alert fits into a broader trend in which hacktivist groups such as Sector 16 and Z-Pentest, reportedly linked to Russian interests, have claimed access to U.S. oil infrastructure, including SCADA systems controlling pumps and storage. Guenther added that CyberAv3ngers, tied to Iran’s Revolutionary Guard Corps, has been conducting similar operations globally, deploying malware designed specifically to target industrial control systems.
“These aren’t isolated events,” said Guenther. “They’re part of a pattern of cyber campaigns aimed at demonstrating access, causing disruption, or laying groundwork for future leverage. There’s a deliberate strategy behind these operations. When groups publicize their exploits, they aren’t just looking for attention – they’re sending a message. By showing they can access sensitive systems, they’re eroding trust in the security of critical infrastructure, creating uncertainty, and signaling potential escalation.”
Another important point: Guenther said the advisory also highlights the blurred lines between hacktivism and state-sponsored activity. Groups presenting themselves as ideological actors may, in fact, be fronts or proxies for nation-states. This ambiguity complicates attribution and response. Guenther said it also raises the stakes: what looks like a nuisance hacktivist campaign may actually be a component of a broader geopolitical strategy.
“For the oil and gas sector, the lesson is clear,” said Guenther. “It’s not enough to focus on sophisticated, nation-state-level attacks. Basic cyber hygiene failures remain a serious risk. Addressing these gaps requires an industry-wide commitment to asset inventory, network segmentation, credential management, and secured remote access. These aren’t cutting-edge solutions — they’re table stakes for operating critical systems in today’s environment.”
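The external attack surface review Richards describes and the asset inventory, segmentation, credential management and secured remote access controls Guenther lists can be turned into a repeatable triage step. The script below is an added example, not code from the advisory, SC Media or any of the quoted companies; the CSV layout, the field names, the sample devices and the severity weights are all assumptions chosen for illustration. It reads an OT asset inventory, flags each hygiene gap named in the coverage, and orders assets so that internet-reachable devices with unchanged default credentials come first for isolation.

```python
"""Triage an OT asset inventory for the hygiene gaps the advisory coverage
calls out: internet exposure, default credentials, remote access without
strong authentication, and no segmentation from the IT network.

Added example; the inventory format, field names and weights are assumptions.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample inventory (hypothetical devices, not real assets).
# One row per OT asset; boolean fields are true/false strings.
SAMPLE_INVENTORY = """\
asset_id,role,zone,internet_reachable,remote_access,mfa,default_creds_changed,segmented_from_it
plc-01,pump controller,field,true,vendor_vpn,false,false,false
hmi-02,tank level HMI,control,false,none,false,true,true
rtu-03,pipeline RTU,field,true,none,false,true,false
eng-04,engineering workstation,control,false,jump_host,true,true,true
"""


@dataclass
class Finding:
    asset_id: str
    severity: int                       # higher is worse; assumed weighting
    reasons: list = field(default_factory=list)


def _flag(value: str) -> bool:
    """Interpret a CSV boolean cell leniently (true/yes/1)."""
    return value.strip().lower() in ("true", "yes", "1")


def triage(inventory_csv: str) -> list:
    """Return one Finding per asset with at least one gap, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        severity = 0

        exposed = _flag(row["internet_reachable"])
        if exposed:
            reasons.append("reachable from the internet")
            severity += 3

        # Default credentials matter most when the device is also reachable.
        if not _flag(row["default_creds_changed"]):
            reasons.append("default credentials still in place")
            severity += 3 if exposed else 2

        # Any remote access path (vendor VPN, jump host, ...) needs MFA.
        if row["remote_access"] != "none" and not _flag(row["mfa"]):
            reasons.append(f"remote access ({row['remote_access']}) without MFA")
            severity += 2

        if not _flag(row["segmented_from_it"]):
            reasons.append("not segmented from IT network")
            severity += 1

        if reasons:
            findings.append(Finding(row["asset_id"], severity, reasons))

    # Worst severity first; asset id breaks ties so output is stable.
    findings.sort(key=lambda f: (-f.severity, f.asset_id))
    return findings


def isolate_first(findings: list) -> list:
    """Assets that are internet-reachable and have at least one other gap."""
    return [
        f.asset_id for f in findings
        if "reachable from the internet" in f.reasons and len(f.reasons) > 1
    ]


if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.asset_id}: severity {f.severity}")
        for r in f.reasons:
            print(f"    - {r}")
    print("isolate first:", isolate_first(results))
```

On the constructed inventory, plc-01 (reachable, default credentials, vendor VPN without MFA, flat network) ranks first; rtu-03 is flagged for exposure and missing segmentation; the two assets with changed credentials, MFA on remote access and proper segmentation produce no findings. Swapping the sample string for a real inventory export and adjusting the weights to local risk appetite is the only change needed to use it as a recurring check.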