Yet another hacking group is targeting oil and gas companies, Dragos says

Researchers have dubbed the group Hexane, and they say it has been particularly active in recent months.
refinergy, oil, gas, energy, cybersecurity, hackers
(Getty Images)

A previously undocumented hacking group has been targeting oil and gas companies along with telecommunications providers from Africa to Central Asia to the Middle East, the industrial cybersecurity company Dragos said Thursday.

The revelation brings to five the number of groups tracked by Dragos that go after the oil and gas sector, highlighting the growing interest shown by well-resourced hackers in probing the industrial control systems (ICS) that underpin energy infrastructure. Oil and gas companies move markets and are strategic national assets, giving cyber operatives plenty of reason to scope them out.

The new hacking group, which Dragos calls Hexane, has been particularly active in recent months, targeting organizations with phishing lures and malware implants.

“It’s definitely stage-one activity with the intent to intrude,” Casey Brooks, senior adversary hunter at Dragos, told CyberScoop. “Whether they were successful or not, we can’t comment on that.”


The far-flung activity underscores the interest that ICS-focused hacking groups, including the one responsible for the infamous Trisis malware, have in infiltrating the supply chain.

Hexane uses some of the same hacking tools as another group known to the cybersecurity industry as OilRig whose activity, other analysts say, aligns with Iranian government interests. For its part, Hexane has reared its head in Kuwait, a country that sits across the Persian Gulf from Iran and has an oil-dependent economy.

The findings add to a body of evidence showing that hackers associated with Iran have not been quiet as tensions with the United States and other countries have risen. In June, Dragos flagged a phishing scheme against U.S. government and financial sectors from another group that outside analysts have linked with Iran.

“While [Hexane] still utilizes some of the same capabilities [as OilRig], they’ve evolved enough and changed enough to where it represents a new activity set,” Brooks said.

“It’s highly likely that they pull from the same resource pool” but are not necessarily directly sharing tools, he said of a handful of hacking groups that cybersecurity analysts have linked with Tehran.


The research started after Dragos analysts found malicious code uploaded to malware repository Virus Total earlier this year. They traced the code back to operations and infrastructure that Hexane has maintained for at least a year.

The more you look, the more you find

The Hexane revelation was part of broader research released by Dragos Thursday that warned that “state-associated actors will increasingly target oil and gas and related industries to further political, economic, and national security goals.”

But groups interested in compromising oil and gas facilities don’t necessarily restrict themselves to that sector. The hackers behind Trisis, which forced a Saudi petrochemical plant to shut down in 2017, have more recently targeted electric utilities in the United States.

While infrastructure owners are getting better at spotting anomalies, the research shows that much more needs to be done on that front.


“Increasing visibility and monitoring is crucial especially for medium to large organizations that are ramping up security and monitoring in their OT [operational technology] environments,” said Selena Larson, an intelligence analyst at Dragos. “As we get greater visibility into ICS-specific networks, especially oil and gas, there’s just fundamentally going to be more activity because we’re going to be noticing it.”

Among the Dragos analysts’ other security recommendations for energy infrastructure owners and operators is to practice plans for responding to a cyberattack and “to integrate cyber investigations into root-cause analysis for all events.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts