Alert: Major cyber attack aimed at natural gas pipeline companies
A major cyber attack is currently under way aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued by the US Department of Homeland Security.
Each of the three alerts, for instance, includes detailed descriptions of the cyber threat – much more detailed than previous ICS-CERT warnings over the years, say cyber security experts who have seen the alerts. Those private warnings included computer file names, computer IP addresses, and other key information that a company's cyber security experts could use to check to see if their networks have been infiltrated.
"This was far more detail than we've ever received in the past – and the number of alerts in succession was unusual," says one security expert who requested anonymity because he was sharing sensitive material. "It indicated to me this was pretty serious."
Amazingly, he says, companies were also specifically requested in a March 29 alert not to take action to remove the cyber spies if discovered on their networks, but to instead allow them to persist as long as company operations did not appear to be endangered.
"In essence they were saying: 'Do not put in any mitigation or blocks against these active intruders,' " says the individual who has seen all three confidential alerts. "But if you're telling an investor-owned utility not to do anything, that's pretty unheard of. Step 1 is always block these guys and get them off the system. It's pretty unusual in the commercial world to just let them collect data. Heaven forbid that the intruders gain control. It kind of looks like our intel guys were trying to get more information."
Beyond indicating that multiple companies were targeted and some other systems compromised, neither the alerts nor the public notice indicate just how many companies have been infiltrated. The documents also do not indicate that any companies' pipeline operations – or their vital computerized industrial control systems that run pumps – have yet been affected.
But other cyber security experts familiar with the alerts warn that access to a company's corporate system can eventually allow a hacker to wind through a corporate network and into the vital industrial control processes. Those systems, if infiltrated, could allow hackers to manipulate pressure and other control system settings, potentially causing explosions or other dangerous conditions.
"There's not enough information available yet to tell exactly what is the target or goal here," says Jonathan Pollet, founder of Red Tiger Security, who specializes in industrial control system security and who has worked extensively in the oil and gas industry. "But it's a concern because if they access the corporate network it's often just a short step to the next level and right into their control system network."
One reason ICS-CERT may have acted, he believes, is the large number of companies discovering attackers on their networks. As many as 20 companies have already come forward to tell ICS-CERT of the infiltrations, Mr. Pollet says. That number could not be independently verified. A DHS spokesman was unavailable to comment at press time Saturday.
Even so, there is at least some support for Pollet's assertion.
Sanaz Browarny, chief, intelligence and analysis, of the control systems security program at DHS, told a security conference last month that “on a daily basis, the U.S. is being targeted.” In her presentation, as reported in Homeland Security News Wire, she said that ICS-CERT’s response team had taken 17 trips to private utilities last year, seven of those as a direct result of sophisticated spear-phishing attacks. She did not, however, indicate the attacks were against a specific type of utility.
There are also signs the threat could extend across North America. A Canadian cyber security expert told the Monitor that authorities in his country also are on alert since the US warnings, although it is not clear if any Canadian companies are affected, he said.
At least one confidential US alert, a portion of which was obtained by the Monitor, urged companies to remain on guard – and send back information.
"ICS-CERT has received additional reports involving targeted and compromised organizations within the gas pipeline sector," according to the April 13 alert. "Analysis from those reports, including the analysis of hard drives and logs, has yielded new indicators of compromise…. Organizations are strongly encouraged to review this report and contact ICS-CERT to report their findings."