Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

U.S. Government Attributes ICS Attacks to Russia, China, Iran

China ICS pipeline hacking

Hacking Operation Sought to Help China Develop Cyberattack Capabilities for Damaging and Disrupting U.S. Pipelines

China ICS pipeline hacking

Hacking Operation Sought to Help China Develop Cyberattack Capabilities for Damaging and Disrupting U.S. Pipelines

The U.S. government on Tuesday attributed several past attacks involving industrial control systems (ICS) to Russian, Chinese and Iranian state-sponsored threat actors.

The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued a new joint advisory on a gas pipeline intrusion campaign allegedly conducted by Chinese state-sponsored hackers between 2011 and 2013. In addition, CISA has updated five advisories released between 2012 and 2017 to attribute malware and malicious activity to various nation states.

The new advisory describes a spear-phishing and intrusion campaign carried out between December 2011 and 2013 by Chinese hackers against oil and natural gas pipeline companies in the United States.

According to CISA and the FBI, of the 23 targeted organizations, 13 were confirmed to be compromised, three were “near misses,” and eight had an “unknown depth of intrusion.”

“CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations,” the agencies said.

During their investigations into these attacks, CISA and the FBI discovered that the attackers had sought and exfiltrated information related to ICS, and they were likely successful in accessing supervisory control and data acquisition (SCADA) networks at some of the targeted natural gas pipeline companies. They also targeted information related to dial-up access (dial-up modems are still used in the energy sector), remote terminal units (RTUs), and system manuals.

The hackers were apparently focusing on ICS-related information and they seemed to ignore financial and other business-related files.

Advertisement. Scroll to continue reading.

“The Chinese actors also exfiltrated information pertaining to ICS permission groups and compromised jump points between corporate and ICS networks. The totality of this information would allow the actors to access ICS networks via multiple channels and would provide sufficient access to allow them to remotely perform unauthorized operations on the pipeline with physical consequences,” the agencies said.

The advisory contains indicators of compromise (IoCs), as well as recommendations for the energy sector and other critical infrastructure owners on how to secure their systems against such attacks.

CISA has also updated a 2012 advisory on the Shamoon (DistTrack) malware to note that the U.S. government attributes it to Iranian state-sponsored actors who have used it against industrial organizations — although there is no evidence of targeted attacks aimed at ICS components or government organizations in the United States.

The other four ICS-related advisories that were updated by CISA on Tuesday attribute malware and malicious activity to Russian nation-state threat actors. The list includes the Havex malware that targeted energy organizations worldwide, the Crashoverride (Industroyer) malware used to attack Ukraine’s power grid in 2016, and the BlackEnergy malware used in various operations, including the 2015 attack on Ukraine’s power grid.

Cybersecurity companies and researchers have previously made these attributions, and the U.S. government also linked some of these pieces of malware to the respective countries, including Industroyer and BlackEnergy last year when it announced charges against six Russian intelligence officers. However, the attributions made on Tuesday specifically focus on attacks aimed at industrial systems.

Related: U.S., Allies Officially Accuse China of Microsoft Exchange Attacks

Related: More Countries Officially Blame Russia for SolarWinds Attack

Related: UK, US, Canada Accuse Russia of Hacking Virus Vaccine Trials

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...