US says Chinese hackers breached 13 pipeline operators between 2011 and 2013

Chinese state-sponsored hackers breached the networks of at least 13 oil and natural gas pipeline operators between 2011 and 2013, the US government said today.

The previously unreported campaign targeted 23 pipeline operators, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said in a joint report published today.

"Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 8 had an unknown depth of intrusion," the two agencies said, citing the lack of logs for the eight pipeline operators.

The operation was described as a spear-phishing campaign, followed by intrusions into the internal networks of the pipeline operators, from where the threat actors exfiltrated data.

"According to the evidence obtained by CISA and FBI, the Chinese state-sponsored actors made no attempts to modify the pipeline operations of systems they accessed," the two agencies said.

However, the threat actors appear to have heavily focused on collecting SCADA-related information, personnel lists, credentials, and system manuals.

CISA and the FBI assess that these actors were specifically targeting US pipeline infrastructure for the purpose of holding US pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against US pipelines to physically damage pipelines or disrupt pipeline operations.

New @CISAgov & @FBI alert on Chinese cyber targeting pipelines. Notable line: “CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft.” https://t.co/a29Vs2yiYa

— Chris Krebs (@C_C_Krebs) July 20, 2021

CISA, FBI attribute five other ICS hacking campaigns

But the formal attribution of this 2011-2013 campaign to Chinese threat actors was just one of six similar joint announcements made today by CISA and the FBI.

The two agencies also formally attributed five other hacking campaigns to foreign governments, including:

• Attributing the Shamoon (DistTrack) malware strain to Iranian nation-state actors.
• Attributing the Havex malware to Russian nation-state actors.
• Attributing the CrashOverRide malware (used in attacks against Ukrainian critical infrastructure) to Russian nation-state actors.
• Attributing the December 2015 cyber-attacks against Ukrainian critical infrastructure to Russian nation-state actors.
• Attributing a sophisticated hacking campaign aimed at the US ICS sector that took place between 2011 and 2016 and utilized the BlackEnergy v2 and v3 malware strains to Russian nation-state actors.

All of the hacking campaigns listed above are broadly known and documented by private cybersecurity companies.

However, today, the US government doubled the attributions made by security firms and formally blamed the attacks on Iran and Russia.

The joint announcements came minutes after the Department of Homeland Security also announced new cybersecurity requirements for US oil and natural gas pipeline operators, following the devastating ransomware attack that crippled Colonial Pipeline in May.