September 30, 2022

The Biden administration on Tuesday disclosed previously secret details about the breadth of state-sponsored cyberattacks on American oil and gas pipelines over the past decade, as part of a warning to pipeline owners to tighten the security of their systems against future attacks.

From 2011 to 2013, China-backed hackers targeted, and in many cases compromised, nearly two dozen companies that own such pipelines, the FBI and the Department of Homeland Security said in an advisory on Tuesday. For the first time, authorities said they believed the “intrusions were likely intended to gain strategic access” to the industrial control networks that operate the pipelines “for future operations rather than for intellectual property theft.” In other words, the hackers were positioning themselves to take control of the pipelines, not merely stealing the technology that made them work.

Of 23 natural gas pipeline operators targeted with spear phishing, a form of targeted email-based social engineering, authorities said 13 were successfully compromised and three were “near misses.” For the remaining seven operators, the extent of the intrusion could not be determined because too little data was available.

The revelations come as the federal government tries to mobilize the pipeline industry after a Russia-based ransomware group forced the shutdown of a pipeline network that supplies nearly half of the gasoline, kerosene and diesel flowing up the East Coast. That attack on the Colonial Pipeline, which hit the company’s business systems rather than the operational systems of the pipeline itself, led the company to halt shipments because it could not be sure what the attackers would be able to do next. Long lines at gas stations and fuel shortages followed, underscoring the urgency of President Biden’s efforts to protect the United States’ pipelines and other critical infrastructure from cyberattacks.

The report on China’s activities was released alongside a security directive that requires owners and operators of pipelines designated as critical by the Transportation Security Administration to take specific measures to protect against ransomware and other attacks, and to draw up contingency and recovery plans. The exact measures were not made public, but officials said they were meant to address some of the major shortcomings identified in the review of the Colonial Pipeline attack. (The privately owned company has said little about the vulnerabilities in its systems that the hackers exploited.)

The directive follows an earlier one in May that requires companies to report significant cyberattacks to the government. But that reporting requirement did not, by itself, harden the systems.

The newly released report recalled that state-backed hackers were targeting oil and gas pipelines well before cybercriminals devised new ways to hold operators hostage for ransom. Ransomware is a form of malware that encrypts data until the victim pays. Colonial Pipeline paid about $4 million in cryptocurrency after its attack, some of which the FBI later seized because the criminals had left part of the money sitting in cryptocurrency wallets. But, as one law enforcement official put it, that was a “lucky break.” Another ransomware attack a few weeks later cost JBS, a meat processor, $11 million, none of which was recovered.

Nearly 10 years ago, the Department of Homeland Security said in the report, it had begun responding to intrusions at oil pipeline and electric utility operators at an “alarming rate.” Officials successfully traced some of these attacks back to China, but in 2012 the motivation was not clear: were the hackers looking for industrial secrets? Or were they positioning themselves for a future attack?

“We’re still trying to find out,” a senior American intelligence official told the New York Times in 2013. “It could be either.”

Tuesday’s advisory, however, said the goal was to “compromise the US pipeline infrastructure.”

“This activity was ultimately intended to help China develop cyberattack capabilities against US pipelines to physically damage pipelines or disrupt pipeline operations,” the advisory said.

The alert was prompted by renewed concern about the cyber defenses of critical infrastructure, brought to the fore by the attack on the Colonial Pipeline. That breach set off alarms at the White House and the Department of Energy, which determined that the country could have afforded only about three more days of downtime before local transportation and chemical refineries came to a standstill.

Mandiant, a division of the security firm FireEye, said the advisory was consistent with the China-backed intrusions it tracked at several natural gas pipeline companies and other critical operators from 2011 to 2013. But the company added a troubling detail, saying it “strongly” believed that in one case Chinese hackers had gained access to control systems, which could have allowed them to trigger a pipeline shutdown or possibly an explosion.

While the advisory did not name the victims of the pipeline intrusions, Telvent, whose software monitored more than half of the oil and gas pipelines in North America, was among the companies infiltrated by Chinese hackers during that period. It discovered the hackers in its computer systems in September 2012, after they had been inside for months. The company cut off its remote access to customers’ systems because it feared the intruders could use it to shut down American infrastructure.

The Chinese government denied that it was behind the Telvent breach. Congress failed to enact cybersecurity legislation that would have made pipelines and other critical infrastructure safer. And the country seemed to move on.

Almost a decade later, the Biden administration says the threat of hacking on America’s oil and gas pipelines has never been greater. “The lives and livelihoods of the American people depend on our collective ability to protect our country’s critical infrastructure from evolving threats,” Homeland Security Secretary Alejandro N. Mayorkas said in a statement Tuesday.

The May directive gave operators 30 days to “identify any gaps and associated remedial actions to address cyber risks” and report them to the TSA and to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Shortly after taking office, Mr. Biden promised that improving cybersecurity would be a top priority. This month, he met with top advisers to discuss ways to respond to a wave of Russian ransomware attacks on American companies, including an attack over the July 4 weekend on a Florida company that provides software to firms that manage technology for smaller businesses.

And on Monday the White House announced that China’s Ministry of State Security, the country’s main intelligence agency, was behind an unusually aggressive and sophisticated attack in March on tens of thousands of victims running Microsoft Exchange mail servers.

Separately, the Justice Department on Monday unsealed charges against four Chinese nationals for coordinating the theft of trade secrets from companies in the aerospace, defense, biopharmaceutical and other industries.

According to the indictment, China’s hackers operate out of front companies, some on Hainan Island, and draw on Chinese universities not only to recruit hackers for the government but also to handle routine business functions such as payroll. This decentralized structure, American officials and security experts say, is intended to give the Ministry of State Security plausible deniability.

The charges also revealed that China’s government-affiliated hackers ran their own for-profit side ventures, including ransomware attacks that extorted millions of dollars from companies.

Eileen Sullivan contributed to the coverage.