“The data exfiltrated could provide an adversary with the capability to access US [oil and natural gas industrial-control systems], including performing unauthorized operations,” the report concludes. The stolen files were part of a “sophisticated attack shopping list.”
According to a source familiar with the DHS investigation, hackers could use the data to directly reset computer-controlled pipeline systems, sabotaging them through extreme pipeline pressures or unsafe valve settings that could result in explosions or other critical failures.
“These are not children or politically motivated hackers upset with someone’s rhetorical position on something,” says the individual, who was not permitted to speak to the press and so requested anonymity. “These are educated, motivated, well-funded operatives – and they’re working toward something specific. If they exfiltrate credentials, they can log back in as system-level users and do whatever they want … even blow something up.”
The cyberspies installed custom malware to search pipeline companies’ networks for any computer files with the letters “SCAD,” which stand for supervisory control and data acquisition (SCADA). These are the special computerized control systems that software companies create to monitor and operate natural gas pipeline pumping stations, valves, communications, and other systems. Files the malware found and stole are just the sort of information necessary for an attacker to locate and operate compressors, valves, switches, pressure settings, and other pipeline operations, says Robert Huber, a cybersecurity expert at Critical Intelligence, a control-system security firm based in Idaho Falls, Idaho.
For example, among 28 computer files stolen from the gas pipeline operators’ networks were lists of dialup modem access numbers for critical devices called RTUs, which are scattered across miles of pipeline and give operators the ability to monitor and control their networks – including pipeline pressure. This is the greatest concern to Dr. Rush.