Illustration by Security Management

United States Says Chinese State-Sponsored Actors Targeted Oil and Natural Gas Pipeline Companies

Chinese state-sponsored actors conducted a spearphishing and intrusion campaign targeting U.S. oil and natural gas pipeline companies, according to a Joint Cybersecurity Advisory issued on Tuesday.

The advisory, sent out by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, said the campaign was conducted between December 2011 and 2013 and impacted 23 natural gas pipeline operators. Of the known targets, the advisory said 13 were confirmed compromises, three were near misses, and seven had an unknown depth of intrusion.

“CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk,” according to the advisory. “Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”

CISA’s predecessor organization first received reports about the activity in April 2012, and the FBI provided incident response to victims from 2012 to 2013. In its analysis of the incidents, the Bureau traced the origins back to spearphishing activity that appears to have begun in December 2011.

“From December 9, 2011, through at least February 29, 2012, (oil and natural gas) organizations received spearphishing emails specifically targeting their employees,” the advisory said. “The emails were constructed with a high level of sophistication to convince employees to view malicious files.”

The threat actors also conducted social engineering on their targets, attempting to gain sensitive information from asset owners—including making phone calls to managers in the network engineering department requesting information on their security practices.

“The asset owner also reported that these calls began immediately after they had identified and removed the malicious intruder from their network and performed a system-wide credential reset,” according to the advisory. “The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices. He inquired about the organization’s policy and practices for firewall use and settings, types of software used to protect their network, and the use and type of intrusion detection and/or prevention systems. The caller was blocking his caller ID and when the targeted organization tried to return the call, they reached a number that was not in service.”

When the threat actors were successful in compromising their targets, they used their access to target remote access channels—systems designed to transfer data and allow access between corporate and industrial control system (ICS) networks. While the state-sponsored actors appeared not to attempt to modify the pipeline operations of systems they accessed, CISA and the FBI assessed that the actors were able to access the supervisory control and data acquisition (SCADA) networks at several organizations.

“Chinese actors also gained information specific to dial-up access, including phone numbers, usernames, and passwords,” the advisory explained. “Dial-up modems continue to be prevalent in the Energy Sector, providing direct access into the ICS environment with little or no security and no monitoring, which makes them an optimal vector for hold-at-risk operations. The exfiltrated data provided the capabilities for the Chinese cyber actors to access ONG operational systems at a level where they could potentially conduct unauthorized operations.”

The advisory included a list of indicators of compromise and encouraged owners and operators in the Energy Sector, as well as other critical infrastructure networks, to “adopt a heightened state of awareness” and implement recommended security mitigations. These include segmenting IT, industrial control system, and operational technology networks.

The threat actors did not use their access to inflict harm on the systems they compromised, according to the evidence obtained by CISA and the FBI. But in a report issued Wednesday, Gartner assessed that cyber attackers will have weaponized operational technology environments to successfully harm or kill humans by 2025.

“Attacks on OT—hardware and software that monitors or controls equipment, assets, and processes—have become more common,” Gartner said. “They have also evolved from immediate process disruption such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm. Other recent events like the Colonial Pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT.”

Gartner assessed that threat actors that target OT and other cyber-physical systems (CPS) have three primary motivations: reputational vandalism, commercial vandalism, and actual harm.

“Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023,” the firm said. “Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents.”

CISA and the FBI issued the advisory in the same week that the European Union, NATO, the United Kingdom, the United States, and a host of others said the People’s Republic of China (PRC) was responsible for a series of high-profile cyber incidents, including a mass-hacking campaign that took advantage of a vulnerability in Microsoft’s Exchange Server software to compromise organizations around the globe.

“The PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” according to a White House statement. “Today, countries around the world are making it clear that concerns regarding the PRC’s malicious cyber activities is bringing them together to call out those activities, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security.”

Along with the Microsoft Exchange Server compromise, the White House said China’s Ministry of State Security (MSS) was responsible for ransomware attacks, crypto-jacking, cyber-enabled extortion, and theft for financial gain, among other activity.

“In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” the White House said. “The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.”

The escalation in China’s activity marks a “significant shift in Chinese hackers’ modus operandi, much of which China watchers say can be traced back to the country’s 2015 reorganization of its cyber operations,” WIRED reports. “That’s when it transferred much of the control from the People’s Liberation Army to the MSS, a state security service that has over time become more aggressive both in its hacking ambitions and in its willingness to outsource to criminals.”