FBI, CISA disclose spearphishing activity targeting US oil and natural gas pipeline companies

spearphishing activity

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency disclosed spearphishing activity and intrusion campaigns conducted by state-sponsored Chinese hackers, targeting U.S. oil and natural gas (ONG) pipeline companies.

In April 2012, CISA received reports about targeted attacks directed at multiple ONG pipeline sites; CISA (via a predecessor organization) and FBI provided incident response and remediation support to a number of victims from 2012 to 2013, according to an alert issued on Tuesday. CISA and FBI’s analysis of the malware and threat actor techniques identified that this campaign was related to the spearphishing activity.

The U.S. government identified and tracked 23 U.S. natural gas pipeline operators targeted in this campaign. Of the 23 known targeted entities, 13 were confirmed compromises, 3 were near misses, and 7 had an unknown depth of the intrusion, according to a joint FBI-CISA cybersecurity advisory.

CISA and FBI assess that during these intrusions, China accessed the supervisory control and data acquisition (SCADA) networks at several U.S. natural gas pipeline companies.

Chinese hackers also gained information specific to dial-up access, including phone numbers, usernames, and passwords. Dial-up modems are prevalent in the energy sector, providing direct access into the ICS environment with little or no security and no monitoring, which makes them an optimal vector for hold-at-risk operations. The exfiltrated data provided the capabilities for the Chinese cyber hackers to access ONG operational systems at a level where they could potentially conduct unauthorized operations.

The spearphishing activity appears to have started in late December 2011. From Dec. 9, 2011, through at least Feb. 29, 2012, ONG organizations received spearphishing emails specifically targeting their employees, according to the advisory. The emails were constructed with a high level of sophistication to convince employees to view malicious files.

In addition to the spearphishing activity, CISA and the FBI were made aware of social engineering attempts by malicious attackers believed to be associated with this campaign. The apparent goal was to gain sensitive information from asset owners. One asset owner reported that people in their network engineering department, including managers, received multiple phone calls requesting information about their recent network security practices, the joint cybersecurity advisory said.

Other employees in other departments were not targeted. The asset owner also reported that these calls began immediately after they had identified and removed the malicious intruder from their network and performed a system-wide credential reset, the advisory revealed.

The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices and inquired about the organization’s policy and practices for firewall use and settings, types of software used to protect their network, and the use and type of intrusion detection and/or prevention systems. The caller was blocking his caller ID and when the targeted organization tried to return the call, they reached a number that was not in service.

During the investigation of the spearphishing activity, CISA and FBI personnel discovered that Chinese state-sponsored hackers specifically collected and exfiltrated ICS-related information. The Chinese state-sponsored attackers searched document repositories for various data types including document searches: ‘SCAD,’ personnel lists, usernames or passwords, dial-up access information, and system manuals.

Based on incident data, CISA and FBI assessed that Chinese state-sponsored attackers also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. Though designed for legitimate business purposes, these systems have the potential to be manipulated by malicious cyber hackers if unmitigated.

With the access, the Chinese state-sponsored attackers could have impersonated legitimate system operators to conduct unauthorized operations. According to the evidence obtained by CISA and FBI, the Chinese state-sponsored hackers made no attempts to modify the pipeline operations of systems they accessed.

CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access. One victim organization set up a honeypot that contained decoy documents with content that appeared to be SCADA-related data and sensitive organizational information.

According to the organization, the SCADA-related decoy content was exfiltrated within 15 minutes of the time it was made available in the honeypot. Other sensitive decoy information, including financial and business-related information, was ignored.

CISA and FBI assess that this activity was intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.

“I suspect that it’s a type of burn notice saying, we warned you last time, and we are really warning (reminding) you again – we know its you (or rather a specific unit of individuals) and there will be consequences,” Ron Brash, director of cybersecurity insights at Verve Industrial, wrote in an emailed statement. “Tensions were high in 2013 with President Xi Jinping rising to power, and this might be a continuation of that theme – perhaps he thought Westerners forgot/left it off the table and his team went back to work, OR Biden and company brought it back to life.”

“Once OT starts to get connected to IT environments, it could have disastrous consequences since OT architectures were never built to handle cyberattacks, and often have no way of alerting teams as to what might be happening,” Tim Sadler, CEO of email security company Tessian, said in an emailed statement.

“To protect themselves from falling victim to spear-phishing attacks, organizations first need to update any systems and patch everything. I realize this isn’t always an option, given that many legacy systems are simply not supported anymore and therefore can’t be patched. But that’s the first step,” according to Sadler.

“If the OT and IT environments MUST be connected, it’s imperative that there be strong network/firewalls in place, especially with a micro-segmentation solution,” he added. “You don’t want flat networks where anything can spread if something were to penetrate the perimeter. However, since phishing attacks happen via email, there needs to be a solution in place that can understand the unique context of what is coming through and alert teams to potential threats.”

CISA and the FBI have advised the energy sector and other critical infrastructure owners and operators to harden their IT/corporate networks, in order to reduce the risk of initial compromise, while implementing network segmentation between IT and ICS networks to limit the ability of cyber threat attackers to move laterally to ICS networks if the IT network is compromised. In addition, organizations must bring in perimeter security between network segments to limit the ability of cyber threat hackers to move laterally.

U.S. security agencies disclosed earlier this week in another cybersecurity advisory detailed various Chinese state-sponsored cyber techniques used to target U.S. federal government, state, local, tribal, and territorial (SLTT) governments, critical infrastructure organizations and private industry. The U.S. administration also provided information on an alleged Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40.