The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory stating that state-sponsored Chinese hackers breached 13 U.S. oil and natural gas pipeline operators from 2011 through 2013.
The CISA advisory states: “Overall the U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted in this spearphishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 7 had an unknown depth of intrusion.”
The actors behind this campaign specifically targeted U.S. pipeline infrastructure in order to hold it at risk.
CISA and the FBI judge that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines, either to physically damage pipelines or to disrupt pipeline operations.
Attack on Oil and Natural Gas Pipeline Companies
Analysis of the malware tied this activity to a spearphishing campaign. Initially, oil and natural gas (ONG) organizations received spearphishing emails that specifically targeted their employees. The emails were crafted with a high degree of sophistication to induce employees to open the malicious files.
The obvious purpose of this intrusion was to obtain sensitive information from asset owners. The report notes that one asset owner reported that some employees received multiple phone calls requesting information about their recent network security practices. The callers inquired about the organization’s policy and practices for firewall use and settings, the types of software used to protect the network, and so on.
Information the Chinese Actors Specifically Collected
- Document searches: “SCAD*”
- Personnel lists
- Dial-up access information
- System manuals
According to the evidence obtained by CISA and the FBI, “the Chinese state-sponsored actors made no attempts to modify the pipeline operations of systems they accessed. China was successful in accessing the supervisory control and data acquisition (SCADA) networks at several U.S. natural gas pipeline companies”.
The hackers searched for terms matching “SCAD*,” and exfiltrated documents including personnel lists, usernames and passwords, dial-up access information, remote terminal unit (RTU) sites, and system manuals.
Overall, this would allow attackers to access ICS networks via multiple channels and to remotely perform unauthorized operations on the pipeline with physical consequences, the joint cybersecurity advisory reads.
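The reconnaissance pattern described above (wildcard document searches for “SCAD*” followed by access to personnel lists, dial-up access information, RTU site lists, system manuals and credentials) is something a defender can look for in file-server audit logs. The following detection script is an added example and is not part of the advisory or of any CISA/FBI tooling. The audit-line format, the sample log lines, and the filename keywords mapped to each document category are all constructed assumptions for illustration; a real deployment would substitute its own log parser and keyword lists.

```python
"""Flag the reconnaissance pattern named in the advisory: a wildcard search
aimed at SCADA material combined with access to the document types the actors
exfiltrated.  Added example; not the advisory's own code."""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample audit lines (not from the advisory).  The format is an
# assumption: '<timestamp> <user> <ACTION> key="value" key=value ...'.
SAMPLE_LOG_LINES = [
    r'2012-03-14T02:11:08Z jdoe SEARCH query="SCAD*" host=fileshare01',
    r'2012-03-14T02:12:31Z jdoe OPEN path="\\fileshare01\eng\SCADA_system_manual.pdf"',
    r'2012-03-14T02:13:02Z jdoe OPEN path="\\fileshare01\ops\dialup_access_numbers.xls"',
    r'2012-03-14T02:13:40Z jdoe OPEN path="\\fileshare01\hr\personnel_list_2012.xlsx"',
    r'2012-03-14T02:14:05Z jdoe OPEN path="\\fileshare01\ops\rtu_sites_north.doc"',
    r'2012-03-14T09:01:00Z asmith OPEN path="\\fileshare01\fin\quarterly_report.docx"',
    r'2012-03-14T09:05:00Z asmith SEARCH query="budget 2012" host=fileshare01',
    r'2012-03-14T10:20:00Z bwong SEARCH query="scada" host=fileshare01',
]

# Assumed filename tokens for each document category the advisory names.
# Matching is on whole tokens so that e.g. "virtual" does not match "rtu".
SENSITIVE_CATEGORIES = {
    "personnel list": {"personnel", "staff", "roster"},
    "dial-up access": {"dialup", "dial", "modem"},
    "rtu sites": {"rtu", "rtus"},
    "system manual": {"manual", "manuals"},
    "credentials": {"password", "passwords", "username", "usernames", "credentials"},
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return (timestamp, user, ACTION, fields) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, rest = m.groups()
    # findall yields '' (not None) for the unmatched alternative, hence `or`.
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(rest)}
    return ts, user, action.upper(), fields


def search_targets_scada(query):
    """True if a search term would match 'SCADA' (e.g. SCAD*, scada, *SCADA*)."""
    q = query.strip().lower()
    return q.startswith("scad") or fnmatchcase("scada", q)


def categorize(path):
    """Set of sensitive categories a file name falls into, by whole-token match."""
    name = re.split(r"[\\/]", path)[-1].lower()
    tokens = set(re.findall(r"[a-z0-9]+", name))
    return {cat for cat, kws in SENSITIVE_CATEGORIES.items() if tokens & kws}


def alerts(lines, min_categories=2):
    """Per-user alerts: 'high' when a SCADA-targeting search is combined with
    access to at least min_categories sensitive document categories; 'medium'
    when only one of the two signals is present; nothing otherwise."""
    searches = defaultdict(list)
    docs = defaultdict(lambda: defaultdict(list))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, action, fields = parsed
        if action == "SEARCH" and search_targets_scada(fields.get("query", "")):
            searches[user].append((ts, fields["query"]))
        elif action in ("OPEN", "READ", "COPY") and "path" in fields:
            for cat in categorize(fields["path"]):
                docs[user][cat].append((ts, fields["path"]))
    out = []
    for user in set(searches) | set(docs):
        cats = sorted(docs[user]) if user in docs else []
        has_search = user in searches
        broad = len(cats) >= min_categories
        if has_search and broad:
            severity = "high"
        elif has_search or broad:
            severity = "medium"
        else:
            continue
        out.append({"user": user, "severity": severity,
                    "searches": searches.get(user, []), "categories": cats})
    return sorted(out, key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG_LINES):
        print(alert["severity"].upper(), alert["user"], alert["categories"], alert["searches"])
```

On the constructed sample, `jdoe` is rated high (a “SCAD*” search followed by four of the listed document categories within minutes), `bwong` medium (a SCADA search with no follow-on document access), and `asmith` is not reported. The wildcard check deliberately tests whether the user's pattern *would match* the string “scada” rather than looking for the literal text, so `SCAD*`, `*scada*` and `scada` are all caught.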
Mitigation for Better Defense
- Harden the IT/corporate network
- Implement and ensure robust network segmentation between IT and ICS networks
- Implement perimeter security between network segments
- Implement additional safety measures in the ICS environment
- Implement IP geo-blocking
- Execute regular, frequent data backup procedures
- Implement a user training program
Operators of energy-sector and other critical infrastructure (CI) networks are therefore advised to be vigilant for potential attacks and to implement network segmentation between their IT and industrial control system (ICS)/operational technology (OT) networks, reducing the risk of compromise and operational disruption stemming from intrusion attempts.