FBI warns energy sector of likely increase in targeting by Chinese, Russian hackers
Global energy supply changes will likely increase Chinese and Russian hackers’ targeting of critical energy infrastructure, according to an FBI notification sent to the energy industry and obtained by Recorded Future News.
The alert, issued Thursday, cites factors such as increased U.S. exports of liquefied natural gas (LNG); changes in the global crude oil supply chain favoring the U.S.; ongoing Western pressure on Russia’s energy supply; and China’s reliance on oil imports.
The notification does not refer to any specific advanced persistent threat (APT) hacking groups associated with China or Russia, nor does it point to specific cybersecurity incidents involving critical infrastructure. Instead, it broadly notes the attractiveness of U.S. networks for foreign intrusions and reminds recipients that Chinese and Russian hackers are constantly trying to explore key systems and improve their ability to exploit gaps they discover.
“Utilities see probing and low-level attempted attacks every day by the Russians and PRC,” Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security and now an energy sector executive, said via email.
These low-level intrusions could help hackers understand key elements of specific systems, such as where a target has open ports or what its firewall rules may be.
“China doesn’t make a lot of noise, but the small localized intrusions are helping build their network attack capabilities, likely for future use,” Harrell said. “There’s no doubt that the energy sector is on the front lines of malicious cyber-activity right now as China preps the battlefield.”
Chinese hackers have targeted U.S. entities by conducting what the notification calls “post-exploitation activity with generic reconnaissance commands using ‘live off the land’ tools.”
"Living off the land" typically refers to an attacker exploiting tools or features that already exist in the target environment. For example, insidious strains of ransomware, such as WannaCry and LockBit, have used a default Windows binary — an existing piece of operating-system code — to cover their tracks and persist inside a given network.
The FBI warning notes that since at least 2020, state-sponsored Chinese hackers have exploited common vulnerabilities to “target US and allied networks and software/hardware companies to steal intellectual property and develop access into sensitive networks to include critical infrastructure, defense industrial base sectors, and private sector organizations.”
The FBI declined to comment on the notification.
The notification also emphasizes how the Russian invasion of Ukraine changed the global energy supply chain, calling Western sanctions a “significant driver” of recent LNG supply chain shifts. The change will likely increase Russian hackers’ targeting of the U.S. energy industry, according to the notification.
By mid-2022, 74% of Europe’s LNG imports originated in the U.S., the notification said, noting that the U.S. was able to meet European LNG demand.
The notice said that since at least 2016, Russian hackers have targeted government entities and multiple U.S. critical infrastructure sectors, using “staging targets networks as pivot points and malware repositories when targeting their final intended victims.”
Last week, Bruno Kahl, the head of Germany’s foreign intelligence service, cautioned that state-sponsored hackers could target LNG terminals there.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.