Chinese state hackers breached over a dozen US pipeline operators
Chinese state-sponsored attackers breached 13 US oil and natural gas (ONG) pipeline companies between December 2011 and 2013 following a spear-phishing campaign targeting their employees.
The end goal of the attacks was to help China develop cyberattack capabilities that would allow future intrusions to physically damage targeted pipelines or disrupt US pipeline operations.
This was revealed Tuesday in a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
Chinese-backed threat actors targeted 23 US pipeline operators
“Overall, the US Government identified and tracked 23 US natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 7 had an unknown depth of intrusion,” the advisory reads.
“CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access.”
The attackers’ end goal of gaining access to ICS networks was evident in at least one compromise incident, in which they ignored sensitive decoy documents, including financial and business-related information, planted on a honeypot.
The tactics, techniques, and procedures (TTPs) shared in the joint advisory are still relevant and can help US critical infrastructure (CI) organizations protect their networks from similar attacks.
Operators of Energy Sector and other CI networks are urged to be cautious of potential attacks and implement network segmentation between their IT and industrial control system (ICS)/operational technology (OT) networks to reduce the risk of compromise and operational disruption stemming from intrusion attempts.
CISA and the FBI also provide a list of mitigations Energy Sector and other CI owners and operators should implement for better defense.
Threat level increased by Colonial Pipeline ransomware attack
This joint advisory follows the DarkSide ransomware attack against the networks of Colonial Pipeline, a company managing the most extensive US pipeline system and supplying roughly half of all the fuel on the US East Coast.
After the incident, Colonial Pipeline was forced to shut down its entire infrastructure to contain the threat, followed by the Department of Transportation’s Federal Motor Carrier Safety Administration (FMCSA) declaring a state of emergency in 17 states and the District of Columbia.
The same month, in May, the Department of Homeland Security (DHS) announced new pipeline cybersecurity requirements directing critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to CISA.
The new security directive makes it easier for the DHS to identify, protect against, and respond to cybersecurity threats directly targeting US critical pipeline sector companies.
In somewhat related news, the US and its allies, including the European Union, the United Kingdom, and NATO, have officially accused China of coordinating this year’s worldwide Microsoft Exchange hacking campaign.
On the same day, the Department of Justice also announced criminal charges against four Chinese state hackers regarding a multi-year campaign targeting governments around the world and organizations from critical sectors.