For further information on SCADAs, please see the following Global Geopolitics entries that were ahead of the curve:
- Security backdoor found in China-made US military chip
- UPDATE 3: U.S. probes cyber attack on water system
“Red Dragon Rising: Communist China’s Military Threat to America” from 1999 is a highly recommended read. The United States is in more vulnerable than most people know, and longer than most people would have thought.
Cyberspies linked to China’s military targeted nearly two dozen US natural gas pipeline operators over a recent six-month period, stealing information that could be used to sabotage US gas pipelines, according to a restricted US government report and a source familiar with the government investigation.
From December 2011 through June 2012, cyberspies targeted 23 gas pipeline companies with e-mails crafted to deceive key personnel into clicking on malicious links or file attachments that let the attackers slip into company networks, says the Department of Homeland Security (DHS) report.
The report does not mention China, but the digital signatures of the attacks have been identified by independent cybersecurity researchers as belonging to a particular espionage group recently linked to China’s military.
The confluence of these factors – along with the sensitive operational and technical details that were stolen – make the cyberbreaches perhaps among the most serious so far, some experts say. The stolen information could give an adversary all the insider knowledge necessary to blow up not just a few compressor stations but perhaps many of them simultaneously, effectively holding the nation’s gas infrastructure hostage. Nearly 30 percent of the nation’s power grid now relies on natural gas generation.
“This theft of key information is about hearing the footsteps get closer and closer,” says William Rush, a retired scientist formerly with the Gas Technology Institute who chaired the effort to create a cybersecurity standard applicable to the gas pipeline industry.
“Anyone can blow up a gas pipeline with dynamite. But with this stolen information, if I wanted to blow up not one, but 1,000 compressor stations, I could,” he adds. “I could put the attack vectors in place, let them sit there for years, and set them all off at the same time. I don’t have to worry about getting people physically in place to do the job, I just pull the trigger with one mouse click.”
The attacks chronicled in the new DHS report were first reported in an exclusive Monitor article in May 2012, but the report offers confirmation, as well as further details and insights. Of the natural-gas pipeline operators targeted, 10 were infiltrated, another 10 cases are still being investigated, and three were “near misses,” in which the companies narrowly avoided infiltration of their networks, according to the report, titled “Active Cyber Campaigns Against the US Energy Sector” and compiled by DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
What was stolen
Sensitive files were stolen that could give a cyberintruder the ability to control, or alter the operation of the pipelines, including usernames, passwords, personnel lists, system manuals, and pipeline control system access credentials, the report says.
“The data exfiltrated could provide an adversary with the capability to access US [oil and natural gas industrial-control systems], including performing unauthorized operations,” the report concludes. The stolen files were part of a “sophisticated attack shopping list.”
According to a source familiar with the DHS investigation, hackers could use the data to directly reset computer-controlled pipeline systems, sabotaging them through extreme pipeline pressures or unsafe valve settings that could result in explosions or other critical failures.
“These are not children or politically motivated hackers upset with someone’s rhetorical position on something,” says the individual, who was not permitted to speak to the press and so requested anonymity. “These are educated, motivated, well-funded operatives – and they’re working toward something specific. If they exfiltrate credentials, they can log back in as system-level users and do whatever they want … even blow something up.”
The cyberspies installed custom malware to search pipeline companies’ networks for any computer files with the letters “SCAD,” which stand for supervisory control and data acquisition (SCADA). These are the special computerized control systems that software companies create to monitor and operate natural gas pipeline pumping stations, valves, communications, and other systems. Files the malware found and stole are just the sort of information necessary for an attacker to locate and operate compressors, valves, switches, pressure settings, and other pipeline operations, says Robert Huber, a cybersecurity expert at Critical Intelligence, a control-system security firm based inIdaho Falls, Idaho.
The new link to China comes from the “indicators of compromise” reported by DHS to the industry. Independent experts say these IOCs point to a perpetrators who were identified earlier this month as being part of China’s People’s Liberation Army. The Feb. 19 report by Mandiant, a leading cybersecurity firm in Arlington, Va., traced attacks on 141 companies worldwide to “Unit 61398,” which works out of a 12-story building in Shanghai.
“The IOCs put out by Mandiant and the IOCs put out by ICS-CERT are the same as the IOCs involved in the natural gas pipelines,” says the person familiar with the investigation.
Others researchers come to the same conclusion: All signs point to Unit 61398, which has also been dubbed “APT1” and “Comment Crew.”
“With the gas-pipeline attacks, we know those indicators are associated with APT1,” says Mr. Huber of Critical Intelligence. “We’ve seen this group operating before.”
Chinese government officials reject accusations that cyberspies connected to its military have scooped up gigabytes of stolen data from pipeline companies. China’s embassy in Washington did not respond to e-mailed requests for comment by press time. But a spokesman contacted by the Monitor earlier this month rejected Mandiant’s assertions.
“Cyber attacks are transnational and anonymous. Determining their origins is extremely difficult. We don’t know how the evidence in this so-called report can be tenable,” Geng Shuang, spokesman at the Chinese Embassy in Washington said in an e-mailed statement. “Chinese laws prohibit cyber attacks and China has done what it can to combat such activities in accordance with Chinese laws and regulations.”
Full article: Exclusive: Cyberattack leaves natural gas pipelines vulnerable to sabotage (The Christian Science Monitor)