Federal agencies say dozens of pipeline companies breached by Chinese hackers in 2011

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) disclosed Tuesday that multiple U.S. natural gas and oil pipeline companies were successfully breached by Chinese hackers for two years beginning in 2011. 

The agencies outlined the campaign, which ended in 2013, in a joint cybersecurity advisory released Tuesday. The agencies noted that 13 companies were successfully breached, three were described as “near misses” and eight others were subject to an “unknown depth of intrusion.”

CISA and the FBI attributed the incidents to Chinese state-sponsored hackers and noted in the advisory that it was a targeted attack likely designed to further develop China’s cyber capabilities.

“CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk,” the agencies wrote. “Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”

According to the two agencies, the breaches began in December 2011, when employees of targeted companies received malicious phishing emails. Others received calls asking about company cybersecurity practices from individuals pretending to be from a large cybersecurity firm. 

The hackers were able to steal personnel lists, usernames and passwords, dial-up information, system manuals, and other information designed to allow them to “remotely perform unauthorized operations on the pipeline with physical consequences,” according to the agencies.

While both CISA and the FBI stressed that no pipeline operations were impacted by the breaches, “with this access, the Chinese state-sponsored actors could have impersonated legitimate system operators to conduct unauthorized operations.”

The disclosure of the decade-old breach came the same day the Transportation Security Administration issued its second directive in two months aimed at strengthening the cybersecurity of pipelines. 

These directives were released in the wake of the devastating ransomware attack on Colonial Pipeline in May, with gas shortages resulting in several states for a week as a result of the incident. 

The security advisory was also released the day after the U.S., the United Kingdom, the European Union and other allied nations jointly attributed the exploitation of vulnerabilities earlier this year in Microsoft’s Exchange Server to Chinese-linked hackers. The vulnerabilities led to thousands of organizations around the world being compromised, including the Norwegian Parliament and other government agencies. 

CISA Executive Director Eric Goldstein stressed Monday following the attribution the need to never underestimate Chinese cyber capabilities.

“The cyber threat from the People’s Republic of China (PRC) continues to evolve and poses a real risk to the nation’s critical infrastructure, as well as businesses and organizations of all sizes at home and around the world,” Goldstein wrote in a blog post.