The Biden administration disclosed previously classified details on Tuesday about the breadth of state-sponsored cyberattacks on American oil and gas pipelines over the past decade, as part of a warning to pipeline owners to increase the security of their systems to stave off future attacks.
From 2011 to 2013, Chinese-backed hackers targeted, and in many cases breached, nearly two dozen companies that own such pipelines, the F.B.I. and the Department of Homeland Security revealed in an alert on Tuesday. For the first time, the agencies said they judged that the “intrusions were likely intended to gain strategic access” to the industrial control networks that run the pipelines “for future operations rather than for intellectual property theft.” In other words, the hackers were preparing to take control of the pipelines, rather than just stealing the technology that allowed them to function.
Of 23 operators of natural gas pipelines that were subjected to a form of email fraud known as spear phishing, the agencies said that 13 were successfully compromised, while three were “near misses.” The extent of intrusions into seven operators was unknown because of an absence of data.
The disclosures come as the federal government tries to galvanize the pipeline industry after a ransomware group based in Russia easily forced the shutdown of a pipeline network that provides nearly half the gasoline, jet fuel and diesel that flows up the East Coast. That attack on Colonial Pipeline — aimed at the company’s business systems, not the operations of the pipeline itself — led the company to shut off its shipments for fear that it did not know what the attackers would be capable of next. Long gasoline lines and shortages followed, underscoring for President Biden the urgency of defending the United States’ pipelines and critical infrastructure from cyberattacks.
The declassified report on China’s activities accompanied a security directive that requires owners and operators of pipelines deemed critical by the Transportation Security Administration to take specific steps to protect against ransomware and other attacks, and to put in place a contingency and recovery plan. The exact steps were not made public, but officials said they sought to address some of the huge deficiencies found as they conducted reviews of the Colonial Pipeline attack. (The company, which is privately held, has said little about the vulnerabilities in its systems that the hackers exploited.)
The directive follows another in May that required companies to report significant cyberattacks to the government. But that did nothing to seal the systems up.
The newly declassified report was a reminder that nation-backed hackers targeted oil and gas pipelines before cybercriminals devised new ways of holding their operators hostage for ransom. Ransomware is a form of malware that encrypts data until the victim pays. The attack on Colonial Pipeline led it to pay about $4 million in cryptocurrency, some of which the F.B.I. seized back after the criminals left part of the money visible in cryptocurrency wallets. But that was, as one law enforcement official said, a “lucky break.” Another ransomware attack a few weeks later extracted $11 million from JBS, a producer of beef products; none of it was recovered.
Nearly 10 years ago, the Department of Homeland Security said in the declassified report, it began responding to intrusions on oil pipelines and electric power operators at “an alarming rate.” Officials successfully traced a portion of those attacks to China, but in 2012, its motivation was not clear: Were the hackers trolling for industrial secrets? Or were they positioning themselves for some future attack?
“We are still trying to figure it out,” a senior American intelligence official told The New York Times in 2013. “They could have been doing both.”
But the alert on Tuesday asserted that the goal was “holding U.S. pipeline infrastructure at risk.”
“This activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations,” the alert said.
The alert was prompted by new concerns over the cyberdefense of critical infrastructure, brought to the fore with the attack on Colonial Pipeline. That breach set off alarms at the White House and the Energy Department, which found that the nation could have afforded only three more days of downtime before mass transit and chemical refineries came to a halt.
Mandiant, a division of the security firm FireEye, said the advisory was consistent with the Chinese-backed intrusions it tracked on multiple natural gas pipeline companies and other critical operators from 2011 to 2013. But the firm added one unnerving detail, noting that it “strongly” believed that in one case, Chinese hackers had gained access to the controls, which could have enabled a pipeline shutdown or could potentially set off an explosion.
While the directive did not name the victims of the pipeline intrusion, one of the companies infiltrated by Chinese hackers over that same time frame was Telvent, which monitors more than half the oil and gas pipelines in North America. It discovered hackers in its computer systems in September 2012, only after they had been loitering there for months. The company closed its remote access to clients’ systems, fearing it would be used to shut down American’s infrastructure.
The Chinese government denied it was behind the breach of Telvent. Congress failed to pass cybersecurity legislation that would have increased the security of pipelines and other critical infrastructure. And the country seemed to move on.
Nearly a decade later, the Biden administration says the threat of a hacking on America’s oil and gas pipelines has never been graver. “The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” Alejandro N. Mayorkas, the homeland security secretary, said in a statement on Tuesday.
The May directive set a 30-day period to “identify any gaps and related remediation measures to address cyber-related risks” and report them to the T.S.A. and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Shortly after taking office, Mr. Biden promised that improving cybersecurity would be a top priority. This month, he met with top advisers to discuss options for responding to a wave of Russian ransomware attacks on American companies, including one on July 4 on a Florida company that provides software to businesses that manage technology for smaller firms.
And on Monday, the White House said that China’s Ministry of State Security, which oversees intelligence, was behind an unusually aggressive and sophisticated attack in March on tens of thousands of victims that relied on Microsoft Exchange mail servers.
Separately, the Justice Department unsealed indictments of four Chinese citizens on Monday for coordinating the hackings of trade secrets from companies in aviation, defense, biopharmaceuticals and other industries.
According to the indictments, China’s hackers operate from front companies, some on the island of Hainan, and tap Chinese universities not only to recruit hackers to the government’s ranks, but also to manage key business operations, like payroll. That decentralized structure, American officials and security experts say, is intended to offer China’s Ministry of State Security plausible deniability.
The indictments also revealed that China’s “government-affiliated” hackers had engaged in for-profit ventures of their own, conducting ransomware attacks that extort companies for millions of dollars.
Eileen Sullivan contributed reporting.