The Cybersecurity and Infrastructure Security Agency (CISA) issued on July 20, 2021, an alert (AA-22-2021A) addressing successful Chinese intrusions into United States oil and natural gas pipeline companies from 2011 to 2013. In its alert, CISA shares the frequency with which the attacks occurred, the number of confirmed compromises, the number of near misses, and the number of attacks whose depth of intrusion was undetermined.
Chinese fingers in the infrastructure pie
Attribution is an art form and one of the most difficult to achieve given the ever-evolving methods and techniques used by the attacking entity, especially when the entity in question is a nation-state with seemingly unlimited resources. CISA, together with the FBI, is unambiguous in its determination and attribution of these attacks to Chinese state-sponsored actors. The target was Supervisory Control and Data Acquisition (SCADA) networks.
Not surprising to CISOs, the attacks were tied to a successful spear-phishing campaign that started in December 2011 and continued until February 2012. Four separate MITRE ATT&CK tactics and techniques were highlighted in the CISA alert:
- TA0009 – (October 2018 updated July 2019) Adversary techniques to gather information and sources of information
- TA0010 – (October 2018 updated July 2019) Adversary exfiltration techniques as they try to steal data
- T1213 – (October 2018 last updated April 2021) Adversary leverage of information repositories to mine information. Of note is the value that seemingly mundane data holds for adversaries; all CISOs would be well served to remind users that the following types of information highlighted in T1213, when compromised, provide the adversary's targeting team with a plethora of data to facilitate future attacks:
  - Policies, procedures, and standards
  - Physical/logical network diagrams
  - System architecture diagrams
  - Technical system documentation
  - Testing/development credentials
  - Work/project schedules
  - Source-code snippets
  - Links to network shares and other internal resources
- T1120 – (May 2017 updated March 2020) Adversaries attempt to gather information about attached peripheral devices
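The T1213 pattern above (an account sweeping policies, diagrams, credentials, schedules and source code from internal repositories) is detectable from ordinary file-share audit logs. The following is an added example, not code from the CISA alert or from any of the companies it describes: it classifies each accessed path into the document categories listed under T1213 and flags accounts that touch many distinct categories inside a short window. The log line format, the keyword-to-category map, the sample log lines and the thresholds are all constructed assumptions for illustration.

```python
"""Flag accounts that sweep many kinds of internal documentation in a short
window (the T1213 collection pattern).  Added example; log format, keyword
map, sample lines and thresholds are assumptions, not from the CISA alert."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Keyword-to-category map derived from the document types listed under T1213
# (assumed naming conventions for a fictional file share).
CATEGORIES = {
    "policy": "policies/procedures/standards",
    "procedure": "policies/procedures/standards",
    "standard": "policies/procedures/standards",
    "network-diagram": "network diagrams",
    "architecture": "system architecture",
    "runbook": "technical documentation",
    "credentials": "test/dev credentials",
    "schedule": "work/project schedules",
    "shares.txt": "links to internal resources",
}
SOURCE_EXTENSIONS = (".py", ".c", ".java", ".st")  # source-code snippets

# Assumed audit-log shape: "<iso-timestamp> user=<account> action=read path=<path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=read path=(?P<path>\S+)$")

# Constructed sample log: one account sweeping six categories in twelve minutes,
# one account with two ordinary reads hours apart, and one malformed line.
SAMPLE_LOG = [
    "2012-01-10T09:00:00 user=jdoe action=read path=/share/policies/remote-access-policy.docx",
    "2012-01-10T09:03:00 user=jdoe action=read path=/share/ops/network-diagram-plant2.vsd",
    "2012-01-10T09:05:00 user=jdoe action=read path=/share/eng/scada-architecture.pdf",
    "2012-01-10T09:07:00 user=jdoe action=read path=/share/dev/test-credentials.txt",
    "2012-01-10T09:09:00 user=jdoe action=read path=/share/pm/outage-schedule.xlsx",
    "2012-01-10T09:12:00 user=jdoe action=read path=/share/src/historian.py",
    "2012-01-10T10:00:00 user=asmith action=read path=/share/policies/badge-policy.docx",
    "2012-01-10T16:00:00 user=asmith action=read path=/share/pm/outage-schedule.xlsx",
    "2012-01-10T16:05:00 user=bad line",
]


def categorize(path):
    """Map a path to a T1213 document category, or None if it is not of interest."""
    p = path.lower()
    if p.endswith(SOURCE_EXTENSIONS):
        return "source code"
    for keyword, category in CATEGORIES.items():
        if keyword in p:
            return category
    return None


def parse_line(line):
    """Return (timestamp, user, path) or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["path"]


def find_collectors(lines, window=timedelta(minutes=30), min_categories=4):
    """Return {user: sorted categories} for every user whose reads span at least
    min_categories distinct categories inside some sliding window of length `window`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than crashing the job
        ts, user, path = parsed
        category = categorize(path)
        if category:
            events[user].append((ts, category))

    flagged = {}
    for user, evs in events.items():
        evs.sort()  # chronological order so each start index defines one window
        for i, (start, _) in enumerate(evs):
            cats = {c for t, c in evs[i:] if t - start <= window}
            if len(cats) >= min_categories:
                flagged[user] = sorted(cats)
                break
    return flagged


if __name__ == "__main__":
    for user, cats in find_collectors(SAMPLE_LOG).items():
        print(f"{user}: {len(cats)} categories in window -> {', '.join(cats)}")
```

On the constructed log only `jdoe` is flagged, with six categories; `asmith` reads two documents hours apart and is not. The window and category thresholds are starting points to tune against a site's real baseline, and the same sweep logic applies to any repository that emits per-object read events (SharePoint, Confluence, a document management system), not only SMB shares.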
CISA highlights the Chinese compromise of 13 of 23 targeted companies and noted that eight of the 23 companies may have been compromised, but the level of compromise was undetermined. Not exactly what a CISO wants to report to the C-suite/board.
Perhaps most troubling, and worthy of close attention, is the fact that had the Chinese attackers been more successful they could have “impersonated legitimate system operators to conduct unauthorized operations.” The attackers did, however, garner access to “dial-up access,” which remains a mainstay within the energy sector’s industrial control systems (ICS). CISA characterizes this as the Chinese preparation of the environment for “future operations.” In other words, preparing the environment in the event China had a national security reason to disrupt, damage and impede the oil and natural gas distribution networks in the United States.
The CISA alert does not identify which entities in China were responsible for these attacks. ABC News did, however, report in February 2013 on the Mandiant/FireEye attribution of cyberattacks to China’s PLA Unit 61398 located in Pudong, Shanghai. The report alleged Unit 61398 as being responsible for the theft of “hundreds of terabytes of data from at least 141 organizations” since 2006 of which at least 115 were in the US and were spread across multiple sectors, including energy.
China’s not alone, Russia also targeted the energy sector
Not long ago, in March 2018, CISA issued a similar alert highlighting the Russian Federation’s efforts to target commercial entities within the energy sector’s ICS using spear-phishing, through which they gained “remote access.” During their presence within the network, CISA noted that the Russian intruders “conducted network reconnaissance, moved laterally, and collected information pertaining to the ICS.”
ICS CISOs: Invest in cybersecurity infrastructure
The need for CISOs responsible for industrial control systems to be investing in basic cyber infrastructure has never been more evident than the klaxon calls to move away from the use of dial-up connectivity within their infrastructure given the inherent security weaknesses which these devices present. CISA highlights these as, “direct access into the ICS environment with little or no security and no monitoring” (emphasis added).
This begs the question. If a company does not have access control or the ability to monitor who is accessing its ICS network, how does it determine whether it has been penetrated by the Chinese or Russians? The alert highlighted how 35% of the targeted companies were unable to determine the depth of the Chinese penetration into their ICS. Imagine being one of those eight CISOs sitting there in the dark and unable to answer the question: “What did the adversary do once they compromised our network?”
CISOs should take this to the bank and use this as evidence of nation state interest, as well as justification for the infusion of resources to augment and adjust their current security posture.