Exclusive: Cyberattack leaves natural gas pipelines vulnerable to sabotage
Cyberspies linked to China’s military targeted nearly two dozen US natural gas pipeline operators over a recent six-month period, stealing information that could be used to sabotage US gas pipelines, according to a restricted US government report and a source familiar with the government investigation.
From December 2011 through June 2012, cyberspies targeted 23 gas pipeline companies with e-mails crafted to deceive key personnel into clicking on malicious links or file attachments that let the attackers slip into company networks, says the Department of Homeland Security (DHS) report.
The report does not mention China, but the digital signatures of the attacks have been identified by independent cybersecurity researchers as belonging to a particular espionage group recently linked to China’s military.
The confluence of these factors, along with the sensitive operational and technical details that were stolen, makes the cyberbreaches perhaps among the most serious so far, some experts say. The stolen information could give an adversary all the insider knowledge necessary to blow up not just a few compressor stations but perhaps many of them simultaneously, effectively holding the nation’s gas infrastructure hostage. Nearly 30 percent of the nation’s power grid now relies on natural gas generation.
“This theft of key information is about hearing the footsteps get closer and closer,” says William Rush, a retired scientist formerly with the Gas Technology Institute who chaired the effort to create a cybersecurity standard applicable to the gas pipeline industry.
“Anyone can blow up a gas pipeline with dynamite. But with this stolen information, if I wanted to blow up not one, but 1,000 compressor stations, I could,” he adds. “I could put the attack vectors in place, let them sit there for years, and set them all off at the same time. I don’t have to worry about getting people physically in place to do the job, I just pull the trigger with one mouse click.”
The report comes at a time of growing US-China tensions over cyberespionage. President Obama called for tighter cybersecurity of critical US infrastructure in his State of the Union speech. This month, the White House also released an executive order that attempts to bolster cybersecurity among agencies that regulate electric utilities and other key industries. Congress, however, continues to resist legislation to mandate that such companies meet specific cybersecurity performance standards.
The attacks chronicled in the new DHS report were first reported in an exclusive Monitor article in May 2012, but the report offers confirmation, as well as further details and insights. Of the natural-gas pipeline operators targeted, 10 were infiltrated, another 10 cases are still being investigated, and three were “near misses,” in which the companies narrowly avoided infiltration of their networks, according to the report, titled “Active Cyber Campaigns Against the US Energy Sector” and compiled by DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
What was stolen
Sensitive files were stolen that could give a cyberintruder the ability to control or alter the operation of the pipelines, including usernames, passwords, personnel lists, system manuals, and pipeline control system access credentials, the report says.
“The data exfiltrated could provide an adversary with the capability to access US [oil and natural gas industrial-control systems], including performing unauthorized operations,” the report concludes. The stolen files were part of a “sophisticated attack shopping list.”
According to a source familiar with the DHS investigation, hackers could use the data to directly reset computer-controlled pipeline systems, sabotaging them through extreme pipeline pressures or unsafe valve settings that could result in explosions or other critical failures.
“These are not children or politically motivated hackers upset with someone’s rhetorical position on something,” says the individual, who was not permitted to speak to the press and so requested anonymity. “These are educated, motivated, well-funded operatives, and they’re working toward something specific. If they exfiltrate credentials, they can log back in as system-level users and do whatever they want, even blow something up.”
The cyberspies installed custom malware to search pipeline companies’ networks for any computer files with the letters “SCAD,” which stand for supervisory control and data acquisition (SCADA). These are the special computerized control systems that software companies create to monitor and operate natural gas pipeline pumping stations, valves, communications, and other systems. Files the malware found and stole are just the sort of information necessary for an attacker to locate and operate compressors, valves, switches, pressure settings, and other pipeline operations, says Robert Huber, a cybersecurity expert at Critical Intelligence, a control-system security firm based in Idaho Falls, Idaho.
For example, among 28 computer files stolen from the gas pipeline operators’ networks were lists of dialup modem access numbers for critical devices called RTUs (remote terminal units), which are scattered across miles of pipeline and give operators the ability to monitor and control their networks, including pipeline pressure. This is the greatest concern to Dr. Rush.
“If you can use this information to reset things, either equipment or the pipeline’s control system, that’s a serious penetration,” he says. “If you’re getting dialup access information to the RTUs through the phone lines, that’s the one that’s pretty scary, very serious.”
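The file-harvesting behaviour the article describes (malware walking company shares for anything with “SCAD” in the name) leaves a footprint in file-server audit logs that a defender can look for: one user or process touching many distinct SCADA-related files in a short burst. The script below is an added example for that detection and is not code from the article, ICS-CERT, or any pipeline operator. The log format, the sample lines, the five-minute window, the four-file threshold, and the allowlist of bulk-reading processes such as backup agents are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not real data). Assumed format:
#   <ISO timestamp> <user> <process> <action> <UNC path>
# One ordinary user reads one manual, a backup agent sweeps the share,
# and an unusual process under the same user pulls five SCADA files at night.
SAMPLE_LOG = """\
2012-03-14T09:02:11 jdoe winword.exe READ \\\\fs01\\ops\\SCADA_manual_v3.pdf
2012-03-14T09:02:45 jdoe winword.exe READ \\\\fs01\\ops\\meeting_notes.docx
2012-03-14T22:10:01 svc_backup backup.exe READ \\\\fs01\\ops\\SCADA_manual_v3.pdf
2012-03-14T22:10:02 svc_backup backup.exe READ \\\\fs01\\ops\\scada_rtu_dialup_list.xls
2012-03-14T22:10:02 svc_backup backup.exe READ \\\\fs01\\eng\\SCAD-compressor-settings.csv
2012-03-14T22:10:03 svc_backup backup.exe READ \\\\fs01\\eng\\scada-creds.txt
2012-03-14T23:41:02 jdoe svchost_.exe READ \\\\fs01\\ops\\SCADA_manual_v3.pdf
2012-03-14T23:41:03 jdoe svchost_.exe READ \\\\fs01\\ops\\scada_rtu_dialup_list.xls
2012-03-14T23:41:03 jdoe svchost_.exe READ \\\\fs01\\eng\\SCAD-compressor-settings.csv
2012-03-14T23:41:04 jdoe svchost_.exe READ \\\\fs01\\eng\\scada-creds.txt
2012-03-14T23:41:05 jdoe svchost_.exe READ \\\\fs01\\eng\\SCADA_network_diagram.vsd
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")
KEYWORD = "scad"                  # the substring the article says the malware hunted for
WINDOW = timedelta(minutes=5)     # assumption: how tight a burst we treat as harvesting
THRESHOLD = 4                     # assumption: distinct matching files inside one window
# Assumption: processes that legitimately read every file (backup, AV scans).
ALLOWLISTED_PROCESSES = {"backup.exe"}


def parse_log(text):
    """Turn raw log text into (timestamp, user, process, action, path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, user, proc, action, path = m.groups()
        events.append((datetime.fromisoformat(ts), user, proc, action, path))
    return events


def is_sensitive(path):
    """True when the file name (not the directory) contains the keyword, case-insensitively."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return KEYWORD in name.lower()


def detect_scada_harvest(events, window=WINDOW, threshold=THRESHOLD,
                         allowlist=ALLOWLISTED_PROCESSES):
    """Alert once per (user, process) that touches >= threshold distinct
    keyword-matching files within any sliding window."""
    per_actor = defaultdict(list)
    for ts, user, proc, action, path in events:
        if proc.lower() in allowlist:
            continue
        if is_sensitive(path):
            per_actor[(user, proc)].append((ts, path))

    alerts = []
    for (user, proc), hits in per_actor.items():
        hits.sort()  # chronological, so the window scan below is a simple slice
        for i, (start, _) in enumerate(hits):
            seen = {p for t, p in hits[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts.append({"user": user, "process": proc, "first_seen": start,
                               "distinct_files": len(seen), "files": sorted(seen)})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_scada_harvest(parse_log(SAMPLE_LOG)):
        print(f"{alert['first_seen']} {alert['user']}/{alert['process']} "
              f"read {alert['distinct_files']} SCADA-related files")
```

Running it on the constructed sample flags only the night-time `svchost_.exe` burst under `jdoe`; the morning read of a single manual stays below the threshold, and the backup agent is skipped by the allowlist. Passing `allowlist=set()` shows why the allowlist matters: the backup sweep would then raise a second, spurious alert.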
China suspected
Natural gas pipelines are crucial to national security, says John Bumgarner, research director for the US Cyber Consequences Unit, a nonprofit group that studies cyberattacks.
“The natural gas pipeline industry is near the top of the US critical infrastructure list, so of course they would be a military target,” he says. “The Chinese would want to get in and understand how the system communicates, how it works, and everything else. Yes, it’s also about gathering business intelligence to improve processes in a foreign country. But those same digital pathways could also be used as a jumping-off point for an attack.”
The new link to China comes from the “indicators of compromise” reported by DHS to the industry. Independent experts say these IOCs point to perpetrators who were identified earlier this month as being part of China’s People’s Liberation Army. The Feb. 19 report by Mandiant, a leading cybersecurity firm in Arlington, Va., traced attacks on 141 companies worldwide to “Unit 61398,” which works out of a 12-story building in Shanghai.
“The IOCs put out by Mandiant and the IOCs put out by ICS-CERT are the same as the IOCs involved in the natural gas pipelines,” says the person familiar with the investigation.
Other researchers reach the same conclusion: all signs point to Unit 61398, which has also been dubbed “APT1” and “Comment Crew.”
“With the gas-pipeline attacks, we know those indicators are associated with APT1,” says Mr. Huber of Critical Intelligence. “We’ve seen this group operating before.”
Chinese government officials reject accusations that cyberspies connected to its military have scooped up gigabytes of stolen data from pipeline companies. China’s embassy in Washington did not respond to e-mailed requests for comment by press time. But a spokesman contacted by the Monitor earlier this month rejected Mandiant’s assertions.
“Cyber attacks are transnational and anonymous. Determining their origins is extremely difficult. We don't know how the evidence in this so-called report can be tenable,” Geng Shuang, spokesman at the Chinese Embassy in Washington, said in an e-mailed statement. “Chinese laws prohibit cyber attacks and China has done what it can to combat such activities in accordance with Chinese laws and regulations.”
Is it all about 'fracking'?
DHS officials refused to comment on the source of the attacks or answer a list of e-mailed questions, but they noted that the Department actively works with the private sector during cyberincidents to create “situational awareness.”
“Protecting critical infrastructure against growing and evolving cyberthreats requires a layered approach,” DHS spokesman Peter Boogaard said in a statement. The agency actively works with companies “to improve the security and resilience of critical infrastructure” and in “mitigating the impacts of attempted disruptions to the Nation’s critical cyber and communications networks.”
So far, there is no evidence that America's natural gas pipelines have been sabotaged. But experts say China could have a more immediate interest in natural-gas data beyond the longer-term threat of a theoretical cyberwar. The cyberspies are aiming mainly at stealing technology related to hydraulic fracturing or “fracking” of shale to extract natural gas, says Mr. Huber of Critical Intelligence.
Stealing industrial secrets about fracking could help energy-starved China develop its own technologies to mine natural gas without having to buy equipment or expertise from abroad.
Natural gas pipeline industry officials are concerned.
“Our industry takes these threats seriously and continues to work with ICS-CERT and other agencies to ensure security,” says Cathy Landry, a spokesman for the Interstate Natural Gas Association of America. “It was serious before, it’s serious now. When you’re dealing with cybersecurity, it’s just as important as a physical threat.”
Attacks hit suppliers, too
In addition to attacks on pipeline operators, cyberspies have also targeted suppliers of crucial control-system technologies. One notable company highlighted in the DHS report as having been hacked is Telvent Canada, which has a huge footprint in the oil and gas industry, and a key role in the emerging “smart grid” that more efficiently coordinates energy distribution. Its software allows old and new software to speak to each other, and to control critical systems.
If captured, the source code from such a product could be used to far more easily develop potent cyberweapons akin to Stuxnet, a hyper-sophisticated software weapon reported to have destroyed 1,000 or more Iranian nuclear centrifuges.
"The attackers used their presence on the Telvent network to download the customer project files for a future attack: think future Stuxnet," Dale Peterson, a control system security expert, wrote in his blog. "If an attacker were going to attack a process in a sophisticated manner they would need time and talent to study the project files and essentially reverse engineer the process."
As with the pipeline hacks, the source of the Telvent attacks appears to be Unit 61398.
“Yes, we have indicators that match Telvent” to other hacks traced to Unit 61398, Huber writes in an e-mail. “So yes, same group likely.”