The attacks chronicled in the new DHS report were first reported in an exclusive Monitor article in May 2012, but the report offers confirmation, as well as further details and insights. Of the natural-gas pipeline operators targeted, 10 were infiltrated, another 10 cases are still being investigated, and three were “near misses,” in which the companies narrowly avoided infiltration of their networks, according to the report, titled “Active Cyber Campaigns Against the US Energy Sector” and compiled by DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Sensitive files were stolen that could give a cyberintruder the ability to control, or alter the operation of the pipelines, including usernames, passwords, personnel lists, system manuals, and pipeline control system access credentials, the report says.
“The data exfiltrated could provide an adversary with the capability to access US [oil and natural gas industrial-control systems], including performing unauthorized operations,” the report concludes. The stolen files were part of a “sophisticated attack shopping list.”
According to a source familiar with the DHS investigation, hackers could use the data to directly reset computer-controlled pipeline systems, sabotaging them through extreme pipeline pressures or unsafe valve settings that could result in explosions or other critical failures.
“These are not children or politically motivated hackers upset with someone’s rhetorical position on something,” says the individual, who was not permitted to speak to the press and so requested anonymity. “These are educated, motivated, well-funded operatives – and they’re working toward something specific. If they exfiltrate credentials, they can log back in as system-level users and do whatever they want … even blow something up.”