Oil & Gas Under Siege: What the 2026 Cyber Threat Landscape Actually Looks Like

The pipelines keep running. The rigs keep drilling. But somewhere in the background, threat actors are quietly doing their own kind of work: stealing credentials, probing control systems, and waiting for the right moment to detonate a ransomware payload. The 2026 threat intelligence picture for the oil and gas sector is not pretty, and if you’re involved in energy security, it deserves your full attention.

This post breaks down what is actually happening out there, based on ThreatMon’s latest sector-specific intelligence report.

Data Breaches Are the Dominant Story

More than half of all dark web incidents recorded against oil and gas organizations in 2026, around 56%, fell into the data breach category. That is 24 separate incidents involving the exposure of employee records, customer information, authentication credentials, and operational data.

These aren’t abstract statistics. In April 2026, a database linked to Indonesia’s state-owned Pertamina appeared on underground forums, containing employee PII including names, addresses, phone numbers, dates of birth, and family details. Around the same time, roughly 10,000 employee records from Venezuela’s PDVSA, including national ID numbers, tax IDs, and email addresses, were allegedly dumped online. In Ethiopia, National Oil PLC reportedly lost around 800 GB of ERP data covering financials, salaries, and client records.

These incidents share a common thread: once data enters underground circulation, it doesn’t disappear. It gets resold, repackaged, and used in follow-on attacks months or even years later.

DDoS Keeps the Pressure On

Distributed denial-of-service attacks accounted for about 37% of observed activity, targeting the public-facing infrastructure of refineries, national oil companies, and energy ministries. The goal isn’t always lasting damage; it’s to disrupt, embarrass, and demonstrate capability.

The most active actor in this space was a group called Keymous Plus, responsible for roughly a quarter of all tracked threat actor incidents. In March 2026, they launched coordinated campaigns against ADNOC (UAE), SOMO (Iraq), Tatweer Petroleum (Bahrain), Petroleum Development Oman (PDO), and Kuwait’s Ministry of Oil, all in a single operation. A week later, they were back, hitting Dragon Oil, PDO, and Tatweer again.

NoName057(16) followed the same playbook, consistently targeting critical infrastructure across the Middle East as part of what appears to be a politically motivated disruption campaign.

Ransomware: 45 Attacks, 24 Groups, 21 Countries

The ransomware numbers tell a story of a well-organized, globally distributed threat. Over the course of 2026, 45 confirmed ransomware attacks were recorded against oil and gas targets, carried out by 24 distinct threat groups spanning operations in 21 countries.

The group Qilin led the pack, responsible for nearly 18% of all attacks, with a focus on LNG companies, fuel suppliers, and oilfield engineering firms. Close behind were Nightspire, TheGentlemen, Handala, and Akira.

Some of the individual incidents stand out:

  • Clipper Petroleum (January 2026): Akira ransomware operators exfiltrated about 60 GB of data including customer records, financial documents, credit card details, and NDAs. The company reportedly paid the ransom, which is why the data never surfaced publicly; a reminder that paying doesn’t mean the threat is over, since the attacker still holds a copy.
  • Copec S.A. (January 2026): The Chilean fuel distributor lost roughly 6 terabytes to the Anubis ransomware group. The leaked material included internal investigation records and financial data, published alongside what amounted to a public shaming campaign.
  • Crescent Energy (March 2026): Around 410 GB of operational and financial documents from a U.S. independent oil and gas company were publicly listed on Chaos ransomware’s leak platform.
  • Aramco: The Handala group, known for Iranian-linked hacktivism targeting Israeli-connected entities, claimed an attack against Aramco driven by geopolitical motivation rather than financial extortion. Unlike most ransomware actors, Handala doesn’t operate a standard leak site, which makes the claim harder to verify but no less significant.

Geographically, the United States absorbed roughly 38% of all ransomware incidents in the sector. The reasons are fairly straightforward: significant infrastructure, high revenues, complex interconnected systems, and in many cases outdated OT/SCADA technology that hasn’t been patched in years.

ICS/SCADA Intrusions: The Threat Nobody Wants to Think About

A handful of incidents during the reporting period moved beyond data theft into something more concerning: claimed access to industrial control systems.

In January 2026, a group calling itself Z-PENTEST ALLIANCE posted video footage allegedly showing access to a SCADA interface at a U.S. oil and gas facility. The footage showed tubing pressure, casing pressure, separator controls, valve configurations, and production data. Whether or not the access was genuine, the demonstration was deliberate and calculated.

In May 2026, OpUSA claimed interference with oil well control systems including pressure regulation, flow controls, and pumping equipment, describing changes that resulted in forced shutdowns and alarm activations.

These claims require careful scrutiny; threat actors exaggerate, and a screen recording of an HMI does not by itself prove control over a production process. But the technical detail in some of these posts is specific enough to take seriously, and the overall pattern of probing OT environments is real.

The Infostealer Problem Is Bigger Than Most Realize

Across all the stealer log analysis conducted for this report, covering Aramco, ExxonMobil, Shell, TotalEnergies, and Chevron, one malware family dominated: Lumma Stealer.

At Aramco, Lumma accounted for 62% of all detected malware variants. At ExxonMobil, 72.6%. At TotalEnergies, 86.5%. The pattern is consistent.

What makes this particularly dangerous isn’t just the credential theft. It’s the session cookies. Stealer logs tied to critical login portals like login.aramco.com, vpn.aramco.com, and Chevron’s Okta infrastructure contained not just usernames and passwords but valid browser session tokens. Replayed into the attacker’s own browser, such a token lets them inherit an already-authenticated session, so MFA is bypassed entirely: the attacker never needs the second factor because the session was established before the theft. For defenders this means a password reset alone does not close the exposure; the affected sessions have to be revoked as well, and the cookie’s expiry decides how long the window stays open.

The downstream risk is significant. These logs don’t just sit in a criminal’s archive. They get sold to Initial Access Brokers, who then package and resell them to ransomware affiliates and espionage actors who have the capability and motivation to turn a credential dump into a full network compromise.
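How a SOC would triage such a dump, as an added example that is not ThreatMon’s tooling or code from the report: it parses a constructed stealer-log cookie file (Netscape cookies.txt layout) and password list, flags unexpired session cookies for a watchlist of portals, and turns the result into the two actions that matter, revoking sessions and resetting passwords. login.aramco.com and vpn.aramco.com are taken from the report; the watchlist itself, the Okta tenant hostname corp-tenant.okta.com, the session cookie name list and all sample data are assumptions made for the example.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Assumed watchlist. login/vpn.aramco.com are named in the report; the Okta
# tenant hostname is a hypothetical placeholder.
WATCHLIST = {"login.aramco.com", "vpn.aramco.com", "corp-tenant.okta.com"}

# Cookie names that usually carry an authenticated session: Okta's sid/idx,
# Microsoft Entra ID's ESTSAUTH*, and common web-framework defaults.
SESSION_COOKIE_NAMES = {"sid", "idx", "ESTSAUTH", "ESTSAUTHPERSISTENT",
                        "JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}

# expires is unix seconds; 0 means a browser-session cookie with no stored expiry.
Cookie = namedtuple("Cookie", "domain name value expires")


def parse_netscape_cookies(text: str) -> list:
    """Parse the tab-separated Netscape cookies.txt layout stealer families
    dump: domain, subdomain flag, path, secure, expiry, name, value."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # truncated or corrupted line; dumps are rarely clean
        domain, _flag, _path, _secure, expires, name, value = parts
        out.append(Cookie(domain.lstrip("."), name, value, int(expires)))
    return out


def parse_passwords(text: str) -> list:
    """Parse URL/USER/PASS triplets into (host, username) pairs; the password
    itself is dropped so the triage output carries no secrets."""
    creds, host, user = [], None, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "URL":
            host = val.split("//", 1)[-1].split("/", 1)[0].lower()
        elif key == "USER":
            user = val
        elif key == "PASS" and host and user:
            creds.append((host, user))
            host = user = None
    return creds


def watched_hosts(domain: str) -> set:
    """Watchlist hosts a cookie domain covers: a cookie scoped to aramco.com
    is sent to every subdomain, so it covers both portals at once."""
    return {h for h in WATCHLIST if h == domain or h.endswith("." + domain)}


def triage(cookie_text: str, password_text: str, now: datetime) -> list:
    """One finding per exposed host. An unexpired session cookie is a live MFA
    bypass and calls for session revocation; a leaked password calls for a
    reset. Doing only the reset leaves the stolen session usable."""
    findings, ts = {}, int(now.timestamp())

    def blank(host):
        return {"host": host, "users": set(), "live_session": False,
                "expired_session": False}

    for c in parse_netscape_cookies(cookie_text):
        if c.name not in SESSION_COOKIE_NAMES:
            continue
        # A session cookie (expiry 0) lives until the victim's browser closes,
        # so treat it as live when the log is fresh.
        live = c.expires == 0 or c.expires > ts
        for host in watched_hosts(c.domain):
            f = findings.setdefault(host, blank(host))
            f["live_session" if live else "expired_session"] = True
    for host, user in parse_passwords(password_text):
        if host in WATCHLIST:
            findings.setdefault(host, blank(host))["users"].add(user)
    for f in findings.values():
        f["actions"] = ((["revoke all sessions"] if f["live_session"] else [])
                        + (["reset password"] if f["users"] else []))
        f["users"] = sorted(f["users"])
    return sorted(findings.values(), key=lambda f: f["host"])


# Constructed sample dump: a live sid cookie scoped to aramco.com, an expired
# JSESSIONID, an Okta session cookie, unrelated noise, and a broken line.
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File",
    ".aramco.com\tTRUE\t/\tTRUE\t1800000000\tsid\tA1B2C3",
    "vpn.aramco.com\tFALSE\t/\tTRUE\t1700000000\tJSESSIONID\tSTALE",
    "corp-tenant.okta.com\tFALSE\t/\tTRUE\t0\tidx\tX9Y8Z7",
    "www.example.com\tTRUE\t/\tFALSE\t1800000000\tPHPSESSID\tNOISE",
    "not a cookie line",
])
SAMPLE_PASSWORDS = ("URL: https://vpn.aramco.com/login\nUSER: j.doe\n"
                    "PASS: hunter2\n\nURL: https://www.example.com/\n"
                    "USER: j.doe\nPASS: x\n")


def run_sample() -> list:
    """Triage the sample as of 2026-06-01 UTC (fixed date for determinism)."""
    return triage(SAMPLE_COOKIES, SAMPLE_PASSWORDS,
                  datetime(2026, 6, 1, tzinfo=timezone.utc))
```

Calling `run_sample()` yields three findings: login.aramco.com and vpn.aramco.com are both covered by the single `sid` cookie scoped to the parent domain, the Okta tenant is flagged on a session-only cookie, and only vpn.aramco.com also gets a password reset because only it has a leaked credential. The design point is in `triage`: a cookie whose expiry is still in the future is treated as a live MFA bypass whether or not the password was also stolen, and the remediation it prescribes is session revocation at the IdP or VPN concentrator, which a password reset on its own does not achieve.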

How ThreatMon Helps Organizations Stay Ahead

The threats highlighted in this report leave traces long before they become incidents. From stealer logs and underground forums to ransomware leak sites and Telegram channels, the challenge is not a lack of signals; it’s the ability to identify and act on them in time.

ThreatMon continuously monitors the dark web, surface web, underground communities, and threat actor channels to provide early warning of credential exposure, data leaks, threat actor activity, and emerging risks targeting your organization.

The stealer log findings involving major oil and gas companies in this report demonstrate the type of exposure ThreatMon helps identify before it can be exploited.

For critical infrastructure organizations, proactive visibility is no longer optional. ThreatMon helps close that intelligence gap.
