
US Gas Pipelines Hit by Cyberattack

While the Facebook and Cambridge Analytica saga still dominates most infosec headlines, with the estimate of affected users revised from the initial 50 million to 87 million, those behind cyber attacks remain active. On April 4, Bloomberg reported that at least four U.S. pipeline companies had seen their electronic systems for communicating with customers shut down over the preceding days, and three of them attributed the shutdown to a cyber attack. On Tuesday, Oneok Inc., which operates natural gas pipelines in the Permian Basin in Texas and the Rocky Mountains region, said it disabled its system as a precaution after determining that a third-party provider was the “target of an apparent cyber attack.” Previously, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas had reported communications breakdowns, with Eastern Shore saying its outage began on March 29.

Few Details Released

Few substantive details about the attack have been released. Latitude Technologies, a unit of Energy Services Group that both Energy Transfer and Eastern Shore identified as their third-party provider, issued a status update informing customers that the initial restoration of EDI services had been completed and that the company was working on increasing performance. Latitude also said it did not believe any customer data had been compromised and that no other systems appeared to have been affected.


The electronic system affected by the attack was designed to let pipeline customers communicate their needs to operators through a computer-to-computer exchange of documents (electronic data interchange, or EDI). Energy Transfer said the EDI system provided by Latitude was back up and working Monday night. Eastern Shore Natural Gas’s Latitude system was restored on Monday as well, the company said in a notice to customers. In addition to providing EDI services, Latitude hosts websites used by about 50 pipelines for posting notices to customers; at least some of those websites went down on March 29 and did not start returning until Monday. Despite the obvious inconvenience, the shutdowns were not considered “…operationally serious in the sense that it’s stopping the natural gas from moving, but it is serious because it’s causing these companies to use workarounds for communication,” said Rae McQuade, president of the North American Energy Standards Board in Houston, which is responsible for developing industry standards.

Department of Homeland Security Warning

On March 15, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint Technical Alert (TA18-074A) warning “network defenders” in critical infrastructure sectors that “Russian government cyber actors” had been deliberately targeting U.S. government entities and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors since at least March 2016. Notably, the alert distinguishes two kinds of target: “staging” and “intended” targets. Staging targets are peripheral organizations, such as trusted third-party suppliers, with less secure networks. The threat actors use the staging targets' networks as pivot points and malware repositories when attacking their final, intended victims. Once compromised, the staging targets are used to download source code from intended targets' websites and to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections. The threat actors ultimately seek information from the intended target on "network and organizational design and control system capabilities within organizations." A third-party provider serving dozens of pipelines, as Latitude does, fits the profile of such a staging target, although no link between this alert and the EDI outage has been established.

The alert also details the tactics observed. The attackers combine spear-phishing campaigns, watering-hole attacks on legitimate domains, and collection of publicly available information. Once inside a network, DHS and the FBI warn, they conduct reconnaissance, including identifying and browsing file servers within the intended victim's network. Perhaps most troubling, DHS and the FBI report that in multiple instances “the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities.” Such access does not by itself hand the actors control of a plant, but it yields detailed knowledge of how its control systems are laid out and operated, which is exactly what would be needed to plan a disruptive attack.

US Gas and Oil Security Lacking

A report published last year by the Ponemon Institute and commissioned by German tech giant Siemens found that the oil and gas industry in the United States is largely unprepared to address cybersecurity risks in operational technology (OT) environments. The study surveyed 377 individuals; two-thirds admitted having dealt with at least one incident in the past year that resulted in OT disruption or loss of confidential information, and there are concerns that some attacks went undetected. Many rated their organization at a low to medium level of OT cybersecurity readiness, and only 35 percent believed they were properly prepared. Well over half the respondents believed the risk is greater in OT than in IT environments, and 67 percent believed cyber threats have had a significant impact on the risk to Industrial Control Systems (ICS). Only one-third said that cybersecurity operations covering IT and OT are fully aligned.

Attacks on Industrial Control Systems are a much-feared threat: at their worst, power grids and other critical infrastructure can be shut down. Taking such attacks seriously is of the utmost importance for the infosec community, and not just in the US but globally. The same Ponemon report illustrates this with a companion survey of oil and gas companies in the Middle East. Nearly 200 respondents completed the survey for that region, which found that outdated and aging control systems pose a serious risk to both organizations and the public. The assets believed most at risk in Middle Eastern oil and gas companies are exploratory information, production information, information on potential partners, financial and organizational reports, operational data, information on drilling sites, and field production data collected by sensors. It is hoped that oil and gas companies strengthen their security procedures, as such attacks can have destabilizing effects on nation states.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
