Exclusive: Cyberattack leaves natural gas pipelines vulnerable to sabotage
A government report says a cyberattack against 23 natural gas pipeline operators stole crucial information that could compromise security. Experts strongly suspect China's military.
(Page 2 of 3)
“The data exfiltrated could provide an adversary with the capability to access US [oil and natural gas industrial-control systems], including performing unauthorized operations,” the report concludes. The stolen files were part of a “sophisticated attack shopping list.”
According to a source familiar with the DHS investigation, hackers could use the data to directly reset computer-controlled pipeline systems, sabotaging them through extreme pipeline pressures or unsafe valve settings that could result in explosions or other critical failures.
“These are not children or politically motivated hackers upset with someone’s rhetorical position on something,” says the individual, who was not permitted to speak to the press and so requested anonymity. “These are educated, motivated, well-funded operatives – and they’re working toward something specific. If they exfiltrate credentials, they can log back in as system-level users and do whatever they want … even blow something up.”
The cyberspies installed custom malware to search pipeline companies’ networks for any computer files with the letters “SCAD,” which stand for supervisory control and data acquisition (SCADA). These are the special computerized control systems that software companies create to monitor and operate natural gas pipeline pumping stations, valves, communications, and other systems. Files the malware found and stole are just the sort of information necessary for an attacker to locate and operate compressors, valves, switches, pressure settings, and other pipeline operations, says Robert Huber, a cybersecurity expert at Critical Intelligence, a control-system security firm based in Idaho Falls, Idaho.
For example, among 28 computer files stolen from the gas pipeline operators’ networks were lists of dialup modem access numbers for critical devices called RTUs, which are scattered across miles of pipeline and give operators the ability to monitor and control their networks – including pipeline pressure. This is the greatest concern to Dr. Rush.
“If you can use this information to reset things – either equipment or the pipeline’s control system – that’s a serious penetration,” he says. “If you’re getting dialup access information to the RTUs through the phone lines, that’s the one that’s pretty scary, very serious.”
Natural gas pipelines are crucial to national security, says John Bumgarner, research director for the US Cyber Consequences Unit, a nonprofit group that studies cyberattacks.
“The natural gas pipeline industry is near the top of the US critical infrastructure list, so of course they would be a military target,” he says. “The Chinese would want to get in and understand how the system communicates, how it works, and everything else. Yes, it’s also about gathering business intelligence to improve processes in a foreign country. But those same digital pathways could also be used as a jumping off point for an attack.”
The new link to China comes from the “indicators of compromise” reported by DHS to the industry. Independent experts say these IOCs point to perpetrators who were identified earlier this month as being part of China’s People’s Liberation Army. The Feb. 19 report by Mandiant, a leading cybersecurity firm in Arlington, Va., traced attacks on 141 companies worldwide to “Unit 61398,” which works out of a 12-story building in Shanghai.
“The IOCs put out by Mandiant and the IOCs put out by ICS-CERT are the same as the IOCs involved in the natural gas pipelines,” says the person familiar with the investigation.
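The two mechanisms this article describes on the defensive side are matching host telemetry against a published indicator list and noticing a process sweeping a network for “SCAD”-named files. The following is an added example (not code from the article, DHS, ICS-CERT or Mandiant) showing how an operator might apply both checks to endpoint audit logs. The log format, the indicator values and the log lines are all constructed placeholders; the real IOCs from the report are not reproduced here.

```python
"""Two checks over constructed endpoint audit logs (example added to this page):
1. match DNS lookups and file hashes against a published indicator list, and
2. flag any (host, process) pair that reads several SCADA-named files in a row,
   the file-search behaviour the article attributes to the custom malware.
All indicators and log lines are constructed placeholders, not real IOCs."""
import re
from collections import Counter

# Constructed placeholder indicators, standing in for the real DHS/ICS-CERT list.
IOC_DOMAINS = {"c2.example-placeholder.net"}
IOC_SHA256 = {"deadbeef" * 8}

# Constructed sample audit lines in the form: "<timestamp> <host> <process> <action> <detail>"
SAMPLE_LOG = "\n".join([
    "2013-02-20T10:01:00 eng-ws-07 svchost.exe dns c2.example-placeholder.net",
    "2013-02-20T10:01:05 eng-ws-07 svchost.exe file_read C:\\Projects\\SCADA_RTU_modems.xls",
    "2013-02-20T10:01:06 eng-ws-07 svchost.exe file_read C:\\Projects\\scada_valve_map.pdf",
    "2013-02-20T10:01:07 eng-ws-07 svchost.exe file_read C:\\Projects\\SCAD_pressure_setpoints.doc",
    "2013-02-20T10:02:00 eng-ws-07 winword.exe file_read C:\\Users\\ops\\notes.doc",
    "2013-02-20T10:03:00 eng-ws-07 svchost.exe hash " + "deadbeef" * 8,
    "2013-02-20T10:04:00 eng-ws-03 chrome.exe dns www.example.com",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one audit line into its fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, action, detail = m.groups()
    return {"ts": ts, "host": host, "proc": proc, "action": action, "detail": detail}


def ioc_matches(lines):
    """Return (host, process, indicator_type, value) for every line that hits
    a known domain or file hash. Matching is case-insensitive."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        value = rec["detail"].lower()
        if rec["action"] == "dns" and value in IOC_DOMAINS:
            hits.append((rec["host"], rec["proc"], "domain", value))
        elif rec["action"] == "hash" and value in IOC_SHA256:
            hits.append((rec["host"], rec["proc"], "sha256", value))
    return hits


def scada_file_sweeps(lines, threshold=3):
    """Count file reads per (host, process) where the file name contains
    'scad', and return the pairs at or above the threshold. A single read of
    a SCADA document is routine; one process touching many is the signal."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "file_read":
            continue
        filename = rec["detail"].rsplit("\\", 1)[-1]
        if "scad" in filename.lower():
            counts[(rec["host"], rec["proc"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for hit in ioc_matches(log_lines):
        print("IOC hit:", hit)
    for pair, n in scada_file_sweeps(log_lines).items():
        print("SCADA file sweep:", pair, "reads:", n)
```

The sweep check deliberately keys on (host, process) rather than on file name alone, so that an engineer legitimately opening one SCADA spreadsheet does not trigger it while an unexpected process reading three such files in two seconds does; the threshold is a tuning knob, not a fixed rule.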
Other researchers come to the same conclusion: All signs point to Unit 61398, which has also been dubbed “APT1” and “Comment Crew.”
“With the gas-pipeline attacks, we know those indicators are associated with APT1,” says Mr. Huber of Critical Intelligence. “We’ve seen this group operating before.”