A joint cybersecurity advisory recently revealed that Chinese state-sponsored actors targeted domestic oil and natural gas pipeline companies with a spear-phishing and intrusion campaign. The United States Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a notice indicating the activity occurred between December 2011 and 2013. Intrusions were attempted against 23 natural gas pipeline operators: 13 were confirmed compromises, three were near misses, and seven were intrusions of unknown depth.
“CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk,” the advisory stated. “Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”
The first reports of threat activity came in April 2012, and the FBI responded to victims from that year onward. Bureau analysis traced the attacks to spear-phishing activity that began in December 2011.
“From December 9, 2011, through at least February 29, 2012, organizations received spear-phishing emails specifically targeting their employees,” the advisory said. “The emails were constructed with a high level of sophistication to convince employees to view malicious files.”
The threat group continued its campaign with social engineering, attempting to obtain sensitive information from asset owners. This included actual phone calls to managers in the network engineering department requesting information about security practices.
“The asset owner also reported that these calls began immediately after they had identified and removed the malicious intruder from their network and performed a system-wide credential reset,” said the advisory. “The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices. He inquired about the organization’s policy and practices for firewall use and settings, types of software used to protect their network, and the use and type of intrusion detection and/or prevention systems. The caller was blocking his caller ID, and when the targeted organization tried to return the call, they reached a number that was not in service.”
After compromising their targets, the threat actors used their access to reach remote access channels. While they did not appear to alter pipeline operations on the systems they accessed, CISA and the FBI indicated they did gain entry into supervisory control and data acquisition (SCADA) networks at numerous companies.
“Chinese actors also gained information specific to dial-up access, including phone numbers, usernames, and passwords,” explained the advisory. “Dial-up modems continue to be prevalent in the Energy Sector, providing direct access into the ICS environment with little or no security and no monitoring, which makes them an optimal vector for hold-at-risk operations. The exfiltrated data provided the capabilities for the Chinese cyber actors to access ONG operational systems at a level where they could potentially conduct unauthorized operations.”
The advisory provided indicators of compromise and encouraged Energy Sector companies to maintain a heightened state of awareness. Among the mitigations it suggested was segmenting IT, industrial control system (ICS), and operational technology (OT) networks from one another.
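The segmentation the advisory recommends is only useful if it is verified, so the following added example (not code from the advisory, CISA, the FBI, or the article) shows one way a defender can check it: a small policy checker that reads constructed flow records and flags any connection that crosses directly from the IT zone into the OT zone without passing through a DMZ. The zone address ranges, the allowed zone-to-zone paths, the log format and the sample flows are all assumptions made up for illustration.

```python
"""Added example: IT/DMZ/OT segmentation checker over constructed flow records.
Zone CIDRs, the allow-list and the sample flows are hypothetical."""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout (hypothetical addresses): corporate IT, an ICS DMZ that
# hosts jump and historian servers, and the OT/ICS control network.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Assumed policy: traffic within a zone is fine, IT may reach the DMZ, and the
# DMZ and OT may talk to each other. Any other zone pair is a violation,
# in particular a direct IT -> OT or OT -> IT connection.
ALLOWED = {
    ("IT", "IT"), ("DMZ", "DMZ"), ("OT", "OT"),
    ("IT", "DMZ"), ("DMZ", "OT"), ("OT", "DMZ"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or EXTERNAL if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def classify(flow: Flow) -> str:
    """Return 'allowed', 'violation' or 'external' for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "EXTERNAL" in (src_zone, dst_zone):
        return "external"  # internet-facing traffic is a separate policy
    return "allowed" if (src_zone, dst_zone) in ALLOWED else "violation"


def parse_flow_line(line: str) -> Flow:
    # Constructed record format: "<src> <dst> <dport> <proto>"
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def find_violations(lines):
    """Return (flow, src_zone, dst_zone) for every flow that breaks the policy."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow_line(line)
        if classify(flow) == "violation":
            hits.append((flow, zone_of(flow.src), zone_of(flow.dst)))
    return hits


# Constructed sample records: an IT workstation reaching a DMZ jump host (ok),
# the jump host talking Modbus to a PLC (ok), the workstation talking Modbus
# straight to the PLC (violation), the PLC reaching an IT file share
# (violation), and an external address hitting the workstation (external).
SAMPLE_FLOWS = """
# src dst dport proto
10.10.5.23 10.20.0.10 3389 tcp
10.20.0.10 192.168.100.7 502 tcp
10.10.5.23 192.168.100.7 502 tcp
192.168.100.7 10.10.8.1 445 tcp
203.0.113.9 10.10.5.23 443 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for flow, sz, dz in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {sz}->{dz}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run against the constructed records, the checker reports exactly the two direct IT/OT crossings. In practice the same logic would be fed from firewall or NetFlow exports, and the allow-list would be the written segmentation policy, so that any drift between the two shows up as a violation rather than going unnoticed.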
Gartner Inc., a research and advisory company, released its own report with sobering findings. The firm predicts that by the year 2025 cyber attackers will have weaponized operational technology to successfully kill human beings.
“Attacks on OT-hardware and software that monitors or controls equipment, assets, and processes have become more common,” said Gartner. “They have also evolved from immediate process disruption such as shutting down a plant to compromising the integrity of industrial environments with intent to create physical harm. Other recent events like the Colonial Pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT.”
Gartner identified three main motivations behind such attacks: reputational vandalism, commercial vandalism, and actual harm.
“Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023,” said the firm. “Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents.”
Along with the CISA and FBI advisory, the European Union, NATO, the UK, the U.S., and several others stated during the same week that the People’s Republic of China (PRC) was responsible for a barrage of cyber incidents, including a mass-hacking offensive that targeted Microsoft’s Exchange Server software.
“The PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world,” said the White House in a statement. “Today, countries around the world are making it clear that concerns regarding the PRC’s malicious cyber activities are bringing them together to call out those activities, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security.”
The White House went on to reveal that China’s Ministry of State Security (MSS) participated in ransomware attacks, crypto-jacking, cyber-enabled extortion, and theft for financial gain.
“In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” said the White House. “The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.”