Several hackers were able to gain access to computers belonging to current and former employees at nearly a dozen major US natural gas suppliers and exporters in mid-February, including on the eve of Russia's invasion of Ukraine, Bloomberg reports.
The targets included Chevron, Cheniere Energy, and Kinder Morgan according to Resecurity CEO Gene Yoo, which discovered the operation and shared its research with Bloomberg. The attacks focused on companies involved with the production of liquefied natural gas (LNG) - "and they were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry," per the report.
Resecurity’s investigation began last month when the firm’s researchers spotted a small number of hackers, including one linked to a wave of attacks in 2018 against European organizations that Microsoft Corp. attributed to Strontium, the company’s nickname for a hacking group associated with Russia’s GRU military intelligence service. -Bloomberg
The attacks occurred as energy markets were already on pins and needles over the Ukraine situation.
According to Yoo, the hackers had been seeking access to the personal computers of employees of major LNG companies in the US - which they then used as back doors into company networks.
Resecurity discovered the activity after identifying a vulnerability in the hackers' servers, which allowed them to obtain files from the machine and see what the hackers had already stolen.
The files show that during a two-week period in February, the hackers accessed more than 100 computers belonging to current and former employees of 21 major energy companies, per Bloomberg, which viewed some of the files.
In some cases, the target machines themselves were compromised, while in others they bought access to computers which had been previously infected with malware, offering as much as $15,000 per target on the dark web.
While the motive of the hackers is unknown, Yoo believes it was carried out by state-sponsored hackers who were "pre-positioning" - a term for using the hacked machines to tunnel into protected corporate networks. Sometimes, the computers of previous employees can be used because companies often fail to cut off remote access when someone leaves, Yoo aded.
The hacks began around two weeks before Russia invaded Ukraine, after US officials had urged operators of critical US infrastructure to "adopt a heightened state of awareness" for Russian state-sponsored attacks.
Of note, the energy sector is one of 16 which US President Joe Biden said he told Russian President Vladimir Putin not to hack during a June 2021 meeting.
"Recent tensions around Nord Stream 2, global market changes, as well as conflict in Ukraine are obvious catalysts," Yoo told Bloomberg.
The infected machines appear to be a mix of home and corporate-owned computers. Yoo said the distinction has become essentially meaningless with the rise of remote work, as hackers have the ability to hijack virtual private network connections into corporate networks.
According to the documents provided by Resecurity, the companies whose workers were affected include Houston-based Cheniere Energy, the biggest U.S. exporter of LNG; San Ramon, California-based Chevron, a major oil producer that also owns and operates the Gorgon LNG export terminal in Australia; Pittsburgh, Pennsylvania-based EQT Corp., the largest natural gas driller and producer in the U.S.; and Houston-based Kinder Morgan, the top natural gas pipeline operator in the U.S. and the operator of the Elba Island LNG export terminal in Georgia. -Bloomberg
Kinder Morgan data showed that seven current and former employees had their computers hacked as part of the campaign.
"We have confirmed that most of those emails were assigned to former employees. The few that are current have not been compromised," said a company spokesperson.
45 Chevron employees were affected according to Resecurity, with a spokesman saying "Chevron takes the threat of malicious cyber activity very seriously. We have implemented the United States government’s recommendations into our cybersecurity safeguards to protect Chevron’s computing environment."
Chevron CEO Mike Wirth said just days ago that cyberattacks were the largest risk facing the company. "It’s a never-ending challenge out there right now," he said at a March 1 investor conference. "We’re in a high-risk environment right now from a cyber standpoint, and we’re in an industry that is a high profile, high-value target for bad actors. So that’s the thing in the short term that I probably would say, in my view is the risk I worry about the most."
The attacks come at a time when the FBI and other federal agencies are on high alert. The FBI’s Internet Crime Complaint Center has issued dozens of alerts over the past six years documenting attacks by Russia and other state-sponsored hackers against targets including the oil and natural gas industry. The agency is concerned about increased attacks following Russia’s invasion of Ukraine, said Jason Leigh, a special agent on the FBI Houston’s cyber task force. -Bloomberg
"In a normal day, prior to the invasion, the U.S. could experience attacks from Russian entities," said Leigh. "We expect that the invasion may escalate in terms of volume or the number of attacks and the manners in which they attack."