China Hacked Into 13 U.S Oil And Natural Gas Pipeline Companies Between 2011 And 2013: FBI And Homeland Security

A joint cybersecurity alert by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) revealed on Tuesday (Jul 20) that China hacked into American oil and natural gas pipeline companies almost a decade ago.

A joint cybersecurity advisory released by two division of DHS - National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the FBI described in detail over 50 tactics, techniques, and procedures (TTPs) Chinese state-sponsored cyber actors used when targeting U.S. and allied networks.

The advisory disclosed that Chinese government-linked intruders targeted 23 natural gas pipeline operators from 2011 to 2013. Thirteen of those attacks were confirmed intrusions.

"Chinese state-sponsored cyber activity poses a major threat to U.S. and allied systems. These actors aggressively target political, economic, military, educational, and critical infrastructure personnel and organizations to access valuable, sensitive data. These cyber operations support China’s long-term economic and military objectives." the cybersecurity advisory said.

“CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk,” the alert stated.

“Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.” the alert added

According to the alert, Chinese hackers had “sufficient access to allow them to remotely perform unauthorized operations on the pipeline with physical consequences.”

One significant tactic detailed in the advisory includes the exploitation of public vulnerabilities within days of their public disclosure, often in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. This advisory provides specific mitigations for detailed tactics and techniques aligned to the recently released, NSA-funded MITRE D3FEND framework.

The DHS also announced new requirements for U.S. pipeline operators to bolster cybersecurity following a May ransomware attack that disrupted gas delivery across the East Coast.

The DHS said it would require operators of federally designated critical pipelines to implement “specific mitigation measures” to prevent ransomware attacks and other cyber intrusions. Operators must also implement contingency plans and conduct what the department calls a “cybersecurity architecture design review.”

The advisory comes a day after the Biden Administration accused China of carrying out a massive hacking attack against technology giant Microsoft in March earlier this year.

In an unprecedented move, the European Union, the United Kingdom, and NATO also joined the United States in condemning the PRC’s malicious cyber activities.

Hackers working for China's Ministry of State Security played a direct role in using ransomware to extort U.S. businesses, the White House said in a statement released yesterday (Jul 19)

"The United States has long been concerned about the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace. Today, the United States and our allies and partners are exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it, as it poses a major threat to U.S. and allies’ economic and national security." a statement released by the White House read.

The U.S accused China's Ministry of State Security of using contract hackers to conduct the attacks, many of which are being done for profit, including via ransomware.

The U.S., NATO, European Union, U.K., Australia, Canada, New Zealand and Japan said that they can now, "with high confidence," attribute the March attack using the Exchange flaw to cyberattackers affiliated with China's state security ministry. That attack crippled thousands of computers around the world.

"PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts." the statement read.