Feds detail alleged Chinese cyberattacks on American pipelines starting in 2011

The Biden administration has revealed new details of Chinese cyberattacks on American critical infrastructure starting nearly a decade ago, amid an ongoing effort to expose what the U.S. and its allies say is the extent of China’s malicious cyber actions aimed at the U.S. and other foreign targets.

China-sponsored attackers targeted U.S. oil and gas companies from December 2011 to 2013 in order to develop the cyberattack capabilities needed to disrupt and damage U.S. pipeline operations, according to an alert issued Tuesday from FBI and the Cybersecurity and Infrastructure Security Agency. The federal government said it previously informed victims and others of the cyberattacks in 2012 but had not made public the full details until this week.

“Overall, U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign,” read the FBI and CISA alert. “Of the known targeted entities, 13 were confirmed compromises, three were near misses, and eight had an unknown depth of intrusion.”

Spearphishing is a scam that uses electronic communications, frequently email, to gain improper access or trick someone into sharing information.

The new details of China’s alleged attacks offer a wider picture of Beijing’s targets in cyberspace — from private businesses to government institutions — and suggest that Russian-based hackers are not the only ones behind the onslaught against American critical infrastructure.

While the U.S. government has pointed to Russia-based attackers as involved in the ransomware attack on major U.S. fuel provider Colonial Pipeline earlier this year, the details of China’s alleged targeting indicate that the pipeline sector is under assault from several different directions.

The government’s publicizing the decade-old attack from China was distributed alongside another federal government directive urging pipeline companies to take cybersecurity seriously. The Transportation Security Administration’s “Security Directive” issued on Tuesday ordered government-designated critical pipelines to “implement specific mitigation measures” to protect against ransomware attacks.

The TSA previously issued a security directive to the pipeline sector in May, and the agency did not provide details that explain the new cybersecurity measures it was ordering in Tuesday’s announcement.

News of the Chinese cyberattacks on American pipelines was not included in the coordinated global publicity blitz organized by the U.S. and allies in Asia and Europe, blaming China for a hack of Microsoft Exchange servers compromising tens of thousands of computers and for other malicious cyber activity including a ransomware attack.

Microsoft first publicly disclosed the Microsoft Exchange Server hack in March 2021 in an announcement noting that it had “high confidence” the attacker was a state-sponsored group operating from China.

When the federal government officially blamed China more than three months later, a senior Biden administration official said the timing of Monday’s announcement resulted from its desire to have its allies join in the campaign as a warning to Beijing. The official also cited the importance of the U.S. federal government wanting to have “high confidence” about its own assertions and the government’s wanting to provide network information about the alleged Chinese hacking.

Chinese Foreign Ministry spokesperson Zhao Lijian rejected the U.S. government and its allies’ condemnations as “groundless accusations” in a message posted to Twitter.

The FBI and CISA’s alert on Tuesday provided an extensive breakdown of China’s alleged cyberattacks against U.S. pipelines including indicators of compromise and other technical information showing the attackers’ tactics and techniques.