Researchers at Panda Security have uncovered a cyber campaign targeting the maritime oil transport industry with cyber attacks that are undetectable by most defence tools.
Panda reported uncovering the campaign in its Operation Oil Tanker The Phantom Menace (PDF) threat advisory, warning that the attack is atypical as it steals data by manipulating the Windows registry and legitimate applications.
The researchers said that the lack of malware means the attacks are capable of bypassing most company's legacy signature-based defences and lets the hackers spend significant amounts of time in victims' systems.
"No malware is ever used in the attack. The hack makes use of legitimate tools and different scripts to perform the aforementioned actions," read the report.
"[This means that] no antivirus was capable of detecting it. Furthermore, its peculiarities seem to indicate that the proactive protection layers included in most antivirus solutions would not be able to detect its apparently harmless behaviour.
"This was confirmed when we accessed the FTP server that the stolen data was sent to, and found that the oldest files dated back to August 2013."
The campaign is one of many to see hackers maintain a consistent presence in victims' networks. For instance Darktrace revealed to V3 that hackers had successfully breached an unnamed financial service and stolen data for six months before being detected.
Early analysis of the Phantom Menace campaign showed that the criminals had stolen significant amounts of data, and that the hacks had the hallmarks of a targeted attack.
"We were surprised by the large number of files stored on the FTP server: over 80,000 text files with stolen credentials from other firms," read the report.
"We discarded duplicate files and ended up with 860 unique files. The files belonged to some 10 companies, all of them in the oil and gas maritime transport sector.
"It was clear that the hack was indeed a targeted attack, but we still didn't know what the attackers were really after or what their final objective was."
Despite the sophistication of the data extraction technique, the Phantom Menace attacks use basic phishing to initially infect systems.
Phishing is a problem facing businesses of all sizes. Verizon reported in its latest Data Breach Investigations Report that a staggering one in four phishing attacks result in success.
The Panda researchers said that, while the lack of malware makes attribution difficult, the firm has uncovered evidence that the oil transport hackers are based in Nigeria.
"There was a weak spot in the attack: the FTP connection used to send out the stolen credentials. It turns out that Ikeja is the name of a suburb in Lagos, the capital city of Nigeria," read the report.
The report suggests that the hackers are using stolen the information to defraud oil buyers rather than harm the affected companies.
Panda listed this as a possible reason why none of the victims has reported the breaches and attacks to law enforcement, leaving the Phantom Menace free to continue its operations.
Why does Facebook store "my entire call history with my partner's mum", asks developer who requested his Facebook data
Facebook database included text-message metadata - despite not using Facebook Messenger for SMS
Before Ocado could start selling the technology it had developed to other retailers, it had to tear down and rebuild its own monolithic architecture
Successful attack could result in harm to patients and financial loss, warns NHS governing body
Guccifer 2.0 claimed to be a lone Romanian hacker - until a schoolboy error gave him, her or them away