US says Chinese hackers breached 13 pipeline operators between 2011 and 2013

Chinese state-sponsored hackers breached the networks of at least 13 oil and natural gas pipeline operators between 2011 and 2013, the US government said today.

The previously unreported campaign targeted 23 pipeline operators, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said in a joint report published today.

"Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 8 had an unknown depth of intrusion," the two agencies said, citing the lack of logs for the eight pipeline operators.

The operation was described as a spear-phishing campaign, followed by intrusions into the internal networks of the pipeline operators, from where the threat actors exfiltrated data.

"According to the evidence obtained by CISA and FBI, the Chinese state-sponsored actors made no attempts to modify the pipeline operations of systems they accessed," the two agencies said.

However, the threat actors appear to have heavily focused on collecting SCADA-related information, personnel lists, credentials, and system manuals.

CISA and the FBI assess that these actors were specifically targeting US pipeline infrastructure for the purpose of holding US pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against US pipelines to physically damage pipelines or disrupt pipeline operations.

CISA, FBI attribute five other ICS hacking campaigns

But the formal attribution of this 2011-2013 campaign to Chinese threat actors was just one of six similar joint announcements made today by CISA and the FBI.

The two agencies also formally attributed five other hacking campaigns to foreign governments, including:

All of the hacking campaigns listed above are broadly known and documented by private cybersecurity companies.

However, today, the US government doubled down on the attributions made by security firms and formally blamed the attacks on Iran and Russia.

The joint announcements came minutes after the Department of Homeland Security also announced new cybersecurity requirements for US oil and natural gas pipeline operators, following the devastating ransomware attack that crippled Colonial Pipeline in May.


Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.