China Compromised U.S. Pipelines in Decade-Old Cyberattack, U.S. Says

Previously, senior administration officials had warned that China, Russia and others were capable of such cyber intrusions. But rarely has so much information been released about a specific and apparently successful campaign.

Chinese state-sponsored hackers between 2011 and 2013 had targeted nearly two dozen U.S. oil and natural gas pipeline operators with the specific goal of “holding U.S. pipeline infrastructure at risk,” the Federal Bureau of Investigation and the Department of Homeland Security said in Tuesday’s joint alert.

Of the known targets, 13 were successfully compromised and an additional eight suffered an “unknown depth of intrusion,” which officials couldn’t fully assess because the victims lacked complete computer log data, the alert said. Another three targets were described as “near misses” of the Chinese campaign, which relied heavily on spear phishing attacks.

“This activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations,” the alert said. It added that the Chinese appeared to be carrying out the attack as part of an overarching goal to gain “strategic access” to industrial control systems for “future operations rather than for intellectual property theft.”

The FBI and DHS said they first became aware of multiple targeted attacks on oil-and-gas companies in April 2012 and provided remediation services to known affected victims in 2012 and 2013.

Dan Coats, who served as director of national intelligence under former President Donald Trump, provided a public warning in January 2019 that China was capable of launching cyberattacks that could disable U.S. critical infrastructure “such as disruption of a natural gas pipeline for days to weeks.” Mr. Coats’s testimony was referring at least in part to the hacking campaign exposed in greater detail in Tuesday’s alert, a person familiar with the matter said.

On Monday, the Biden administration publicly blamed hackers affiliated with China’s main intelligence service for a far-reaching cyberattack on Microsoft Corp. email software this year, part of a global effort by dozens of nations to condemn Beijing’s malicious cyber activities. The public shaming, however, didn’t include punitive measures, such as sanctions or diplomatic expulsions by the U.S.

Chinese officials said U.S. findings detailed on Monday were “groundless attacks.” Chinese officials didn’t immediately respond to a request for comment on the U.S. allegations concerning pipeline intrusions.

The latest details of China’s hacking operations came Tuesday as the Biden administration separately issued new cybersecurity requirements for U.S. pipeline operators intended to help guard against ransomware and other forms of disruptive hacking. The requirements were announced months after a Russia-based criminal hacking group forced a major fuel conduit on the East Coast to shut down for nearly a week.

The Transportation Security Administration directive is the first of its kind to mandate certain pipeline operators designated by the federal government as critical to adopt specific cybersecurity standards. It follows an earlier TSA directive in May that required pipelines to notify federal authorities when they are targets or victims of cyberattacks.

“The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” Homeland Security Secretary Alejandro Mayorkas said in a statement. “Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security.”

The directive is the latest sign that the Biden administration intends to insert itself into pipeline security more directly than the Trump, Obama and Bush administrations, which deferred to the pipeline industry’s desire to avoid regulations for physical security and cybersecurity and instead favored a more collaborative approach.

Biden administration officials didn’t make the text of the directive immediately available. In a statement, DHS said it would require owners and operators of TSA-designated critical pipelines to “implement specific mitigation measures to protect against ransomware attacks and other known threats” and to provide for recovery plans.

Critical infrastructure cybersecurity grew as an area of concern for Biden administration officials following the Colonial Pipeline ransomware attack in May, which was followed by a rapid series of other high-profile ransomware episodes traced to criminal groups in Russia, including one that briefly disrupted a major meat processing company.

U.S. intelligence officials have been warning for years about the potential that a foreign adversary could jeopardize national or economic security with a destructive cyberattack on banks, hospitals or the energy sector. In 2018, for example, the Trump administration accused the Russian government of years of cyberattacks that targeted American energy infrastructure, including nuclear and water facilities, that in some cases led to remote access into some compromised computer networks.

The decade-old Chinese campaign against pipelines appears to be one of the most successful operations ever mounted. Tuesday’s alert said the Chinese hackers stole documents from victims, including passwords and system manuals, and compromised so-called jump points between corporate networks and operational networks that control pipelines.

“The totality of this information would allow the actors to access (industrial control system) networks via multiple channels and would provide sufficient access to allow them to remotely perform unauthorized operations on the pipeline with physical consequences,” it said.

Write to Dustin Volz at [email protected]