Hackers posed as Egyptian oil contractor in apparent spy campaign ahead of OPEC meeting

The number of attempted attacks surged before a highly anticipated meeting between Saudi Arabia, Russia and other oil-producing nations.
Agent Tesla

Hackers are trying to infect organizations throughout the world with a popular strain of malware by sending emails that appear to be from an Egyptian oil company.

In research published Tuesday, Romanian antivirus company BitDefender noted a surge in attempted phishing attacks that try to trick users into downloading malware by masquerading as Enppi, an oil company owned by the Egyptian government. The malware, known as Agent Tesla, is a spyware tool which enables hackers to monitor keystrokes, steal data about file downloads and collect username and password credentials from internet browsers, among other capabilities.

The number of attacks spiked in the weeks before the world’s top oil producers debated whether to cut output during a meeting between the OPEC+ alliance and the Group of 20 nations, which suggests interest in specific countries’ strategies around an international standoff that’s had ramifications for the global economy. BitDefender researchers said hackers used the tool against energy organizations in the U.S., Malaysia, Iran, South Africa, Oman, Turkey and elsewhere.

The company did not speculate on who may have been behind the espionage effort.


The malicious emails highlighted by BitDefender demonstrate an amount of care that’s uncommon in other phishing efforts. The message, apparently from a major Egyptian oil company, invites recipients to submit a bid for a contract that seemingly involves equipment and materials for a project involving Burullus, another legitimate oil and gas company.

“Enppi is globally recognized as a major engineering, EPC main contractor, and management contractor, with decades of experience in onshore and offshore projects in the oil and gas, refining and petrochemical industries,” the message said, according to BitDefender.

The Agent Tesla malware has existed in some form since at least 2014, according to BitDefender, though it’s emerged as a popular remote administration tool (RAT) during the coronavirus pandemic. In recent weeks, hackers also have used Agent Tesla in a coronavirus-themed phishing campaign in which they posed as World Health Organization representatives, according to IBM. Unknown attackers also used the RAT to try to steal data from the international shipping sector, including movement of container ships, BitDefender said.

The nature of Agent Tesla could make it difficult to understand who is behind each campaign. More than 6,300 customers had enlisted in Agent Tesla’s subscription hacking service when KrebsOnSecurity investigated in 2018, with prices ranging from $15 to $69, depending on the capabilities.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts