The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (AA-22-2021A) on July 20, 2021, regarding successful Chinese intrusions into US oil and natural gas pipeline companies from 2011 to 2013. In its alert, CISA shares how frequently the attacks occurred, the number of confirmed compromises, the number of near misses, and the number of attacks whose depth of intrusion could not be determined.
Chinese fingers in the infrastructure cake
Attribution is an art form and one of the most difficult to achieve, given the constantly evolving methods and techniques used by the attacking entity, especially when that entity is a nation-state with seemingly unlimited resources. CISA, in conjunction with the FBI, is unambiguous in attributing these attacks to Chinese state-sponsored actors. The target was supervisory control and data acquisition (SCADA) networks.
Not surprisingly for CISOs, the attacks were linked to a successful spear-phishing campaign that began in December 2011 and continued until February 2012. Four distinct MITRE ATT&CK tactics and techniques were highlighted in the CISA alert:
- TA009 – (October 2018, updated July 2019) Adversary techniques for gathering information and sources of information
- TA0010 – (October 2018, updated July 2019) Adversary exfiltration techniques as they attempt to steal data
- T1213 – (October 2018, last updated April 2021) Adversaries leverage information repositories to mine information. Note the value that seemingly mundane data holds for adversaries; every CISO would be well served to remind users that the following types of information highlighted in T1213, when compromised, give the adversary's targeting team a wealth of data to facilitate future attacks:
  - Policies, procedures and standards
  - Physical / logical network diagrams
  - System architecture diagrams
  - System technical documentation
  - Test / development credentials
  - Work / project calendars
  - Source code snippets
  - Links to network shares and other internal resources
- T1120 – (May 2017, updated March 2020) Adversaries attempt to gather information about connected peripheral devices
CISA highlights the Chinese compromise of 13 of the 23 companies targeted and notes that eight of the 23 companies may have been compromised, but the level of compromise was undetermined. That is not exactly what a CISO wants to report to the C-suite or board.
Perhaps most troubling, and therefore worthy of attention, is the fact that had the Chinese attackers been more successful, they could have “impersonated legitimate system operators to conduct unauthorized operations.” The attackers did, however, gain “dial-up access”, which remains a mainstay of industrial control systems (ICS) in the energy sector. CISA characterizes this as China preparing the environment for “future operations”. In other words, preparing the environment in case China has a national security reason to disrupt, damage or hamper the oil and gas distribution networks in the United States.
The CISA alert does not identify which entities in China were responsible for these attacks. ABC News, however, reported in February 2013 on Mandiant / FireEye’s attribution of cyber attacks to Chinese unit PLA 61398, located in Pudong, Shanghai. The report alleged that Unit 61398 was responsible for the theft of “hundreds of terabytes of data from at least 141 organizations” since 2006, including at least 115 in the United States, spread across multiple industries, including energy.
China is not alone, Russia has also targeted the energy sector
Not too long ago, in March 2018, CISA issued a similar alert highlighting the Russian Federation’s efforts to target business entities in the ICS energy sectors using phishing, through which they obtained “remote access”. During their presence in the network, CISA noted, the Russian intruders “conducted network reconnaissance, moved laterally, and collected information pertaining to ICS.”
CISO ICS: investing in cybersecurity infrastructure
The need for CISOs responsible for industrial control systems to invest in basic cyber infrastructure has never been more evident than in the calls to move away from dial-up connectivity within their infrastructure, given the inherent security weaknesses of these devices. CISA describes them as providing “direct access to the ICS environment with little or no security and no monitoring” (emphasis added).
This raises the question: if a company has no access control and no ability to monitor who is accessing its ICS network, how does it determine whether the Chinese or the Russians have gotten in? The alert highlighted that 35% of the targeted companies were unable to determine the depth of Chinese penetration into their ICS. Imagine being one of those eight CISOs sitting in the dark, unable to answer the question, “What did the adversary do once they compromised our network?”
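The question above, who accessed the ICS network and when, is answerable only if remote-access logins are logged and checked against something. The following is an added example, not code from the CISA alert or from this article: it parses a few constructed remote-access log lines (dial-up and VPN gateways) against an assumed allowlist of authorized operator accounts and an assumed maintenance window, and reports which successful logins a defender should look at first. The log format, account names, host names and window are all assumptions.

```python
"""Minimal remote-access audit for an ICS environment (added example).

Answers "who accessed our ICS network, and when?" from access-gateway logs.
Everything here (log format, account names, hosts, window) is an assumption
chosen for illustration, not taken from the CISA alert or the article.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log lines. Assumed format:
#   <ISO timestamp> <access gateway> <account> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2021-07-20T02:14:07 dialup-modem-3 opr_jsmith LOGIN_OK
2021-07-20T09:30:12 vpn-gw-1 opr_akhan LOGIN_OK
2021-07-20T23:52:41 dialup-modem-1 svc_backup LOGIN_OK
2021-07-20T23:55:09 dialup-modem-1 opr_jsmith LOGIN_FAIL
2021-07-21T03:05:33 dialup-modem-1 admin LOGIN_OK
"""

# Assumed allowlist of accounts permitted to reach the ICS network remotely.
AUTHORIZED_OPERATORS = {"opr_jsmith", "opr_akhan"}
# Assumed approved window for remote operator access (local time).
MAINTENANCE_WINDOW = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    gateway: str
    user: str
    result: str


def parse_log(text):
    """Parse log lines into AccessEvent objects; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append(AccessEvent(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return events


def in_window(when, window=MAINTENANCE_WINDOW):
    """True if the login time falls inside the approved maintenance window."""
    start, end = window
    return start <= when.time() <= end


def who_accessed(events):
    """Count successful logins per account: the basic 'who got in' answer."""
    return Counter(ev.user for ev in events if ev.result == "LOGIN_OK")


def audit(events):
    """Return (reason, event) findings for successful logins worth reviewing.

    An account outside the allowlist is always flagged; an allowlisted
    account is flagged only when it logs in outside the maintenance window.
    Failed logins are not flagged here (they belong in a separate lockout/
    brute-force check) but are kept in the parsed events for context.
    """
    findings = []
    for ev in events:
        if ev.result != "LOGIN_OK":
            continue
        if ev.user not in AUTHORIZED_OPERATORS:
            findings.append(("unauthorized account", ev))
        elif not in_window(ev.when):
            findings.append(("outside maintenance window", ev))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Successful logins per account:", dict(who_accessed(evs)))
    for reason, ev in audit(evs):
        print(f"{ev.when.isoformat()} {ev.gateway:15} {ev.user:12} {reason}")
```

On the constructed sample this flags the operator login at 02:14 as outside the window and the `svc_backup` and `admin` logins as accounts that should not be reaching the ICS network at all. The point of the exercise is the precondition: none of this is possible if the dial-up gateway does not log at all, which is exactly the “no monitoring” condition CISA describes.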
CISOs should take this to the bank and use it as evidence of nation-state interest, as well as a justification for injecting resources to augment and adjust their current security posture.
Copyright © 2021 IDG Communications, Inc.