The Phantom Menace, who targeted the oil tankers?

Panda Security firm released a report regarding a hacking campaign dubbed “Operation Oil Tanker: The Phantom Menace” that targeted oil tankers.

Security researchers at Panda Security have released a report on a hacking campaign dubbed “Operation Oil Tanker: The Phantom Menace” that targeted oil tankers.

According to Panda Security the attacks on oil cargos began in August 2013, despite the firm first discovered them in January 2014. The attackers operated with the primary intent to steal information and credentials to hit oil brokers.

The researchers explained that victims of the attack, dubbed “The Phantom Menace”, haven’t reported the incident, avoiding the disclosure of the existence of security flaws in their networks.

The Phantom Menace appears as a highly sophisticated attack, according to Panda Security no antivirus engine was able to detect the malicious code when it was spotted for the first time. The attackers used legitimate tools in conjunction with a number of self-made scripts that allowed them to bypass defensive measures.


The discovery of the Phantom Menace was casual, the experts spotted it after a secretary opened a nonspecific email attachment. Panda Security observed the use of the same malicious agent among ten different companies in the oil and gas maritime transportation sector.

“Initially this looked like an average non-targeted attack. Once we dug deeper, though, it became clear that this was a systematic, targeted attack against a specific sector in the oil industry,” explained Luis Corrons, PandaLabs Technical Director of Panda Security, and report author. “We can limit the impact of this potentially catastrophic cyber-attack, but only if the victimized companies are willing to come forward”.

After an initial investigation, experts at Panda discovered that bad actors made an incredible error in managing the campaign, the Phantom Menace used FTP connection to exfiltrate data. By analyzing the FTP connection used by the hackers, PandaLabs was able to identify both an email address and name of the responsible.

The report includes interesting details on the investigation, it seems that scammers were from Nigeria, in the registration form for the free FTP service they used, bad actors provided the name “Ikeja,”a suburb in Lagos, also known as the “Computer Village” as it hosts the nation’s largest market cluster of technology products.

“This information could also be false, but the fact that whoever opened the account was familiar with that name meant that they were from Nigeria themselves or knew the country very well.”

 we were surprised by the large number of files stored on the FTP server: over 80,000 text files with stolen credentials from other firms.” states the report.

The experts tried to analyze the nature of the attack, despite the Phantom Menace targeted companies in a specific sector, the researchers speculate the Phantom Menace was operated by a criminal crew that adopted a variant of the Nigerian scam.

“However, the Nigerian scam industry is large and varied. Some variants are almost unknown and affect all kinds of sectors, including the oil industry” continues the report.

“the scammer contacts a broker/middleman and offers them a large amount of BLCO, one to two million barrels, at a very competitive price.” “If the potential buyer is interested, they will ask for documentary evidence that the product exists (Proof of Product). There are different types of documents that can be provided: a quality certificate, a certificate of origin, a cargo manifest, or the letter of ATS (Authority to Sell) issued by the NNPC. To close the deal, the buyer must pay a significant amount of money -from $50,000 to $100,000- in advance. However, once they pay the money they are met with the nasty surprise that there is no oil.”

At this point, once identified the individual behind the attack, another disconcerting thing happened, none of the alleged victims reported the incident to the police.

Panda Security issued the report to encourage victims to report the attacks and shed light on The Phantom Menace and its TTPs.

“none of the victims of this attack is willing to report it.” states the report.

Enjoy the report!

Pierluigi Paganini

May 27, 2015

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

11th Anniversary Exclusive Top Global CISO Conference & Innovators Showcase - October - 2023