What to Expect from #OpPetrol

Given that #OpPetrol has made the news, we felt we should provide our view of the operation.

Background

#OpPetrol is a new hacktivist campaign targeting several countries (the US, Canada, England, Israel, Saudi Arabia, China, Italy, France, Germany, Kuwait and Qatar) and the petroleum industry.

#OpPetrol was announced on May 10, 2013 via this pastebin: http://pastebin.com/8KWUwJdy

It was restated on May 11, 2013 via this pastebin: http://pastebin.com/0Yr6kyWA

According to the announcement, the operation will “engage” on June 20, 2013. As we know from past events, actors may compromise sites now and hold the results for release as part of the operation. Potential targets may therefore already have seen activity that will later be associated with this announcement.

We have seen support for this operation from the following notable actors:

        SaudiAnonymous
        Anon Ghost

The list of actors is fluid and will most likely change throughout the event.

As you can see below, social activity spiked the day of the announcement and sharply declined afterward:

[Figure: OpPetrol tweet volume over time (OpPetrol Tweet graph1)]

What to Expect?

Given the trends so far, we anticipate that this operation will mirror #OpUSA. We do not anticipate that #OpPetrol will be a large success. However, targets should still prepare for the worst, as these campaigns can be used as cover for more serious threats. Our recommendations from OpUSA Lessons Learned are applicable to this event:

Mitigation guidance provided by the government:

  1. Compromised hosts should be wiped and restored to a known good image. Users and administrators should be vigilant about applying the latest patches and anti-virus updates. An infected host endangers the availability, confidentiality, and integrity of data on networks.
  2. Data Execution Prevention (DEP) should be enabled wherever possible (it helps prevent exploitation of buffer overflows).
  3. Defend against compromised CA and web site certificates.
  4. Have layers of defense to mitigate phishing and drive-by downloads.
  5. Make sure strong authentication has been enforced wherever possible and limit remote access.
  6. Harden your infrastructure. For instance: remove unused network interfaces, keep gear patched, ensure strong authentication, limit management access to internal devices, etc.
  7. Be prepared to minimize the effect of SQLi and XSS attacks.
  8. Verify that firewall rules are tuned and that unused rules are removed for both IPv6 and IPv4 networks.

In addition to the federal recommendations, we recommend the following (high level summary):

  1. Make sure to use a CDN for your external web presence. CDNs substantially help mitigate DDoS threats.
  2. Be prepared ahead of time. Work with your upstream Internet provider to ensure they can redirect and scrub DDoS-related traffic, or be prepared to redirect traffic to a company such as Prolexic.
  3. Ensure that all DDoS features are tuned and enabled across all security and infrastructure devices: firewalls, routers, IPS, gateways, etc. Each of these has a part in defending against the attack, and each has specific strengths.
  4. Be prepared to identify and block zero day threats.
  5. Using your visibility solutions, vigilantly monitor for exfiltration and anomalous behavior. Expect that someone will penetrate your perimeter.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation