Chinese state-sponsored actors used spear-phishing emails to infiltrate the networks of 13 US pipeline companies. The intrusions took place between December 2011 and 2013.
The goal was to gain and hold access that would position China to conduct more disruptive attacks against US pipeline infrastructure, according to a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
The agencies described the campaign, warned that industrial control system (ICS) networks remain a target, and stressed the need to improve detection of and response to such intrusions. The contents of the joint advisory are relevant to organizations that operate critical infrastructure networks and can help them protect those networks from similar attacks.
In total, the Chinese threat actors targeted 23 US pipeline operators. The US Department of Homeland Security identified and tracked the 23 operators targeted in the spear-phishing campaign from 2011 to 2013. Of the known targets, 13 were confirmed compromises, 3 were "near misses," and 7 had "an unknown depth of intrusion," the agencies said.
Based on "the content of the data that was being exfiltrated and the TTPs used to gain that access" (the tactics, techniques and procedures observed), CISA and the FBI believe that these intrusions were designed to gain strategic access to the ICS networks of critical infrastructure facilities for "future operations rather than for intellectual property theft."
That assessment is supported by at least one instance in which the attackers ignored sensitive decoy documents purposely planted in a honeypot, behaviour that points to an interest in ICS access rather than in the data itself.
CISA and the FBI have compiled a list of mitigations for energy sector and other critical infrastructure operators.
In response to the increasing number of attacks on industrial networks, the agencies urge operators of energy sector networks to implement network segmentation between corporate (IT) and ICS networks, so that a host compromised through a phishing email cannot reach control systems directly and the impact of an intrusion is contained.
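To make the segmentation recommendation concrete, the following is an added example (not code from the advisory or from the article) that models a three-zone IT / DMZ / ICS split and audits a firewall rule list against it. The zone subnets, the allowed flows (SSH from IT to a DMZ jump host, Modbus/TCP and EtherNet/IP from the jump host into the ICS zone, syslog out of the ICS zone), and the sample rules are all constructed for illustration and are assumptions, not values from the advisory.

```python
"""Zone-based segmentation policy check for an IT / DMZ / ICS network.

Added example; not part of the CISA/FBI advisory or the article.
Policy modelled here (all addresses and ports are constructed assumptions):
  - IT hosts may reach the DMZ jump host over SSH only.
  - Only the DMZ jump host may talk to ICS devices, on ICS protocol ports.
  - The ICS zone initiates nothing toward IT; it may only push syslog to the DMZ.
  - Everything else across zones is denied.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone subnets (assumption).
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}

# Allowed inter-zone flows: (src_zone, dst_zone) -> permitted TCP/UDP ports.
ALLOWED = {
    ("IT", "DMZ"): {22},          # analysts reach the jump host over SSH
    ("DMZ", "OT"): {502, 44818},  # Modbus/TCP and EtherNet/IP from the jump host
    ("OT", "DMZ"): {514},         # ICS devices send syslog to a DMZ collector
}


def zone_of(ip):
    """Return the zone name containing a single address, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def zone_of_net(net):
    """Return the zone that wholly contains a network, or None if the
    network spans zones or lies outside all of them (e.g. 0.0.0.0/0)."""
    for name, znet in ZONES.items():
        if net.subnet_of(znet):
            return name
    return None


def is_allowed(src_ip, dst_ip, port):
    """Decide whether one flow is permitted by the segmentation policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown address space is denied by default
    if src == dst:
        return True             # intra-zone traffic is outside this policy
    return port in ALLOWED.get((src, dst), set())


@dataclass
class Rule:
    src: str      # CIDR
    dst: str      # CIDR
    port: int
    action: str   # "accept" or "drop"


def audit_rules(rules):
    """Return (rule, reason) pairs for accept rules that would punch a hole
    through the zone policy: either broader than one zone on either side,
    or permitting an inter-zone flow the policy does not list."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        src = zone_of_net(ipaddress.ip_network(r.src))
        dst = zone_of_net(ipaddress.ip_network(r.dst))
        if src is None or dst is None:
            findings.append((r, "source or destination is broader than a single zone"))
        elif src != dst and r.port not in ALLOWED.get((src, dst), set()):
            findings.append((r, f"{src}->{dst} port {r.port} is not an approved flow"))
    return findings


# Constructed sample ruleset (assumption), as a firewall audit might export it.
SAMPLE_RULES = [
    Rule("10.10.5.0/24",  "10.20.0.10/32", 22,   "accept"),  # analysts -> jump host
    Rule("10.20.0.10/32", "10.30.0.0/16",  502,  "accept"),  # jump host -> PLCs
    Rule("10.10.0.0/16",  "10.30.0.0/16",  3389, "accept"),  # IT -> OT RDP: violation
    Rule("0.0.0.0/0",     "10.30.0.0/16",  80,   "accept"),  # any -> OT HTTP: too broad
    Rule("10.30.0.0/16",  "10.10.0.0/16",  445,  "drop"),    # OT -> IT SMB: correctly dropped
]

if __name__ == "__main__":
    for rule, reason in audit_rules(SAMPLE_RULES):
        print(f"VIOLATION {rule.src} -> {rule.dst}:{rule.port}: {reason}")
```

Run against the sample ruleset, the audit flags the direct IT-to-OT RDP rule and the any-to-OT HTTP rule while accepting the jump-host path; the same `is_allowed` check can be used to test individual flows seen in logs against the intended policy.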
The joint advisory comes after the DarkSide ransomware attack on the networks of Colonial Pipeline, which led the company to shut down its pipeline operations and prompted a regional emergency declaration by the US Department of Transportation to keep fuel moving by road.
In the same month as that attack, the Department of Homeland Security's Transportation Security Administration issued a security directive with new pipeline cybersecurity requirements. The directive requires pipeline owners and operators to report confirmed and potential cybersecurity incidents to CISA, designate a cybersecurity coordinator, and review their practices against TSA guidance, making it easier for the government to identify, protect against and respond to cyber threats to critical infrastructure companies.