China Breached Dozens of Pipeline Firms in Previous Decade, U.S. Says


The Biden administration earlier announced secret details on Tuesday about the breadth of government-sponsored cyberattacks on American oil and gas pipelines over the past decade as part of a warning to pipeline owners to heighten the security of their systems to ward off future attacks.

From 2011 to 2013, China-backed hackers targeted and in many cases injured nearly two dozen companies that own such pipelines, the FBI and the Department of Homeland Security said in a warning on Tuesday.

Of 23 natural gas pipeline operators exposed to a form of email scam called spearphishing, authorities said 13 were successfully compromised while three were “near misses”. The extent of the penetration into seven operators was not known due to a lack of data.

The disclosures increase the urgency to protect the United States’ pipelines and critical infrastructure from cyberattacks. For years, nationwide supported hackers and, more recently, cybercriminals have targeted oil and gas pipelines and held their operators hostage with ransomware, a form of malware that encrypts data until the victim pays. The ransomware attack on Colonial Pipeline, the operator of one of the largest pipelines in the country, in May was a wake-up call, but according to official sources, it was only the most visible aftermath of a digital threat that has claimed critical infrastructure for a decade.

Almost 10 years ago, the Department of Homeland Security began responding to break-ins in oil pipelines and power companies at an “alarming rate”. Officials have successfully traced some of these attacks back to China, but in 2012 the motivation wasn’t clear: were the hackers trolling for industrial secrets? Or were they positioning themselves for a future attack?

“We’re still trying to find out,” a senior American intelligence official told the New York Times in 2013. “You could have done either.”

However, Tuesday’s warning said the goal was to “compromise the US pipeline infrastructure.”

“This activity should ultimately help China develop cyberattack capabilities against US pipelines to physically damage pipelines or disrupt pipeline operations,” the warning said.

The alert was triggered by new cyber defense concerns of critical infrastructure brought to the fore by the attack on the Colonial Pipeline, whose pipeline transports refined gasoline and kerosene from Texas across the east coast to New York. This breach resulted in non-stop flights and gas shortages, triggering alarms at the White House and Department of Energy, which determined the country could have afforded only three more days of downtime before local transportation and chemical refineries came to a standstill.

Mandiant, a division of security firm FireEye, said the advice was in line with the China-backed break-ins it tracked at several natural gas pipeline companies and other critical operators from 2011 to 2013. But the company added a troubling detail, noting that it “strongly” believed that, in one case, Chinese hackers had gained access to controls, which could have triggered a pipeline shutdown or possibly an explosion.

While the policy did not name the victims of the pipeline break-in, Telvent was one of the companies infiltrated by Chinese hackers monitoring more than half of the oil and gas pipelines in North America during the same period. She discovered hackers in her computer systems in September 2012, only after hanging around there for months. The company closed its remote access to its customers’ systems because it feared it could shut down American infrastructure.

The Chinese government denied that it was behind the Telvent break. Congress failed to enact cybersecurity law that would have made pipelines and other critical infrastructure safer. And the country seemed to be moving on.

Almost a decade later, the Biden administration says the threat of hacking on America’s oil and gas pipelines has never been greater. “The lives and livelihoods of the American people depend on our collective ability to protect our country’s critical infrastructure from evolving threats,” Homeland Security Secretary Alejandro N. Mayorkas said in a statement Tuesday.

A security policy enacted on Tuesday requires owners and operators of pipelines that are classified as critical by the Transportation Security Administration to take specific measures to protect against ransomware and other attacks, and to develop a contingency and recovery plan.

The policy follows another in May that required companies to report significant cyberattacks to the government in order to maintain safety following the breach of the Colonial Pipeline that forced them to shut down a 5,500-mile pipeline.

The May policy set a 30-day period to “identify any gaps and associated remedial actions to address cyber risks” and report them to the TSA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Shortly after taking office, President Biden promised that improving cybersecurity would be a top priority. That month, he met with top advisors to discuss ways to respond to a wave of Russian ransomware attacks targeting American companies, including a July 4th company in Florida that provides software for companies that manage technology for smaller businesses .

And on Monday the White House announced that the Chinese Ministry of State Security, which oversees the secret service, was behind an unusually aggressive and sophisticated attack on tens of thousands of victims who relied on Microsoft Exchange mail servers in March.

Separately, the Justice Department on Monday unsealed charges against four Chinese citizens for coordinating trade secret hacking by companies in the aerospace, defense, biopharmaceutical and other industries.

According to the charges, China’s hackers operate from bogus companies, some on Hainan Island, and tap into Chinese universities to not only recruit hackers for the government, but also to manage critical business operations such as payroll. This decentralized structure, say American officials and security experts, is intended to offer the Chinese Ministry of State Security a plausible denial.

The charges also revealed that China’s “pro-government” hackers ran their own for-profit ventures and carried out ransomware attacks that extorted millions of dollars from companies.

Eileen Sullivan contributed to the coverage.