China Breached Dozens of Pipeline Companies in Past Decade, U.S. Says
The Biden administration on Tuesday disclosed previously classified details of the scale of state-sponsored cyberattacks on U.S. oil and gas pipelines over the past decade, as part of a warning to pipeline owners to increase the security of their systems to avoid future attacks.
From 2011 to 2013, China-backed hackers targeted and in many cases breached nearly two dozen companies that own such pipelines, the FBI and Department of Homeland Security said in an alert on Tuesday. For the first time, the agencies said they believed the “intrusions were likely intended to gain strategic access” to the industrial control networks that operate the pipelines “for future operations rather than for theft of intellectual property.” In other words, the hackers were preparing to take over the pipelines, rather than just stealing the technology that made them work.
Of 23 pipeline operators who were subjected to a form of email fraud known as spear phishing, the agencies said 13 had been successfully compromised, while three were “near misses.” The extent of the intrusions into seven operators was unknown due to the lack of data.
The disclosures come as the federal government tries to galvanize the pipeline industry after a Russia-based ransomware group easily forced the shutdown of a pipeline network that supplies nearly half of the gasoline, jet fuel and diesel going up the east coast. This attack on Colonial Pipeline – targeting the company’s business systems, not the operations of the pipeline itself – led the company to halt its shipments for fear of not knowing what the attackers would be capable of next. Long gas lines and shortages followed, underscoring for President Biden the urgency to defend US pipelines and critical infrastructure from cyberattacks.
The declassified report on China’s activities accompanied a security directive that requires owners and operators of pipelines deemed critical by the Transportation Security Administration to take specific measures to protect themselves against ransomware and other attacks, and to put in place an emergency and recovery plan. The exact steps were not made public, but officials said they were looking to address some of the significant shortcomings found during the review of the Colonial Pipeline attack. (The company, which is privately held, has said little about the vulnerabilities in its systems that the hackers exploited.)
The directive follows another in May that required companies to report significant cyberattacks to the government. But that earlier directive did nothing to harden the systems themselves.
The recently declassified report was a reminder that nation-backed hackers were targeting oil and gas pipelines before cybercriminals found new ways to hold their operators hostage for ransom. Ransomware is a form of malware that encrypts data until the victim pays. The attack on Colonial Pipeline led the company to pay around $4 million in cryptocurrency, some of which was recovered by the FBI after the criminals left some of the money visible in cryptocurrency wallets. But that was, as one law enforcement official put it, a “lucky break.” Weeks later, another ransomware attack extracted $11 million from JBS, a producer of beef products; none of it was recovered.
Almost 10 years ago, the Department of Homeland Security said in the declassified report, it had begun responding to intrusions into pipeline and power operators at “an alarming rate.” The authorities managed to trace some of these attacks to China, but in 2012 the motivation was not clear: were the hackers looking for trade secrets? Or were they positioning themselves for a future attack?
“We’re still trying to figure it out,” a senior US intelligence official told The New York Times in 2013. “They could have done both.”
But Tuesday’s alert said the aim was to “endanger the infrastructure of US pipelines.”
“This activity was ultimately intended to help China develop cyberattack capabilities against US pipelines to physically damage pipelines or disrupt pipeline operations,” the alert said.
The alert was prompted by new concerns about the cyber defenses of critical infrastructure, highlighted by the attack on Colonial Pipeline. The breach set off alarms at the White House and the Department of Energy, which found that the nation could only have afforded three more days of downtime before public transport and chemical refineries would have been forced to stop.
Mandiant, a division of the security firm FireEye, said the advisory was consistent with the China-backed intrusions it tracked at several pipeline companies and other critical operators from 2011 to 2013. But the company added a disturbing detail, noting that it “strongly” believed that in one instance Chinese hackers had gained access to the control systems, which could have shut down a pipeline or potentially triggered an explosion.
Although the directive did not name the victims of the pipeline intrusions, one of the companies infiltrated by Chinese hackers during the same period was Telvent, which monitors more than half of the oil and gas pipelines in North America. It discovered the hackers in its computer systems in September 2012, only after they had been prowling there for months. The company shut down its remote access to customer systems over concerns that it could be used to shut down America’s infrastructure.
The Chinese government denied being responsible for the Telvent breach. Congress failed to pass cybersecurity legislation that would have increased the security of pipelines and other critical infrastructure. And the country seemed to move on.
Nearly a decade later, the Biden administration says the threat of a hack into U.S. oil and gas pipelines has never been greater. “The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure against evolving threats,” Homeland Security Secretary Alejandro N. Mayorkas said on Tuesday.
The May directive set a 30-day period to “identify deficiencies and associated corrective actions to address cybersecurity risks” and report them to the TSA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Shortly after taking office, Biden promised that improving cybersecurity would be a top priority. This month, he met with top advisers to discuss options for responding to a wave of Russian ransomware attacks against U.S. companies, including one on July 4 against a Florida company that supplies software to firms that manage the technology of small businesses.
And on Monday, the White House said the Chinese Ministry of State Security, which oversees intelligence, was behind an unusually aggressive and sophisticated attack in March on tens of thousands of victims who relied on Microsoft Exchange mail servers.
Separately, the Justice Department on Monday unveiled indictments of four Chinese citizens for coordinating the hacking of trade secrets from companies in the aviation, defense, biopharmaceutical and other industries.
According to the indictments, Chinese hackers operate from shell companies, including some on Hainan Island, and use Chinese universities not only to recruit hackers into government ranks but also to run key business operations, such as payroll. This decentralized structure, according to U.S. officials and security experts, is intended to offer plausible deniability to China’s Ministry of State Security.
The indictments also revealed that China’s “government-affiliated” hackers have gone into business for themselves, carrying out ransomware attacks that extort millions of dollars from companies.
Eileen Sullivan contributed reporting.