On 20 July, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory AA21-201A on a Chinese state\u2013sponsored spear-phishing and intrusion campaign that targeted U.S. oil and natural gas (ONG) pipeline companies from 2011 to 2013.1<\/sup> The advisory identified 23 U.S. natural gas pipeline operators that were targeted during that time; out of those, 13 were confirmed compromised, 3 were not impacted, and 8 experienced an intrusion of unknown depth.<\/p>\n Based on the data that the actors stole and the tactics, techniques, and procedures (TTPs) used in the campaign, CISA and the FBI assessed that the purpose of the intrusions was to gain strategic access to the industrial control system (ICS) networks to prepare for future operations, rather than to merely steal intellectual property. The advisory provides information on the TTPs and lists the indicators of compromise (IOCs) related to the campaign.<\/p>\n The advisory from CISA and the FBI was published a day after the White House\u2019s official statement accusing the People\u2019s Republic of China (PRC) of hiring malicious actors to conduct, in early March 2021, cyber espionage operations that exploit zero-day vulnerabilities in Microsoft Exchange Servers.2<\/sup> On 19 July, the FBI and CISA published a joint advisory on the Chinese Advanced Persistent Threat APT40, as well as an advisory on trends in cyber espionage activities they observed across various Chinese state\u2013sponsored cyber actors.3<\/sup>,<\/sup>4<\/sup><\/p>\n From 9 December 2011 through at least 29 February 2012, the actors delivered spear-phishing emails with malicious attachments to ONG organizations\u2019 employees. The actors also called employees of the network engineering departments and attempted to collect information about their organizations\u2019 network security practices. In one incident, the employees received phone calls immediately after they identified and mitigated malicious activity in their network. The malicious phone caller used an unidentifiable caller ID and posed as a cybersecurity firm employee conducting a survey about security practices. The caller inquired about the organization\u2019s firewall practices and settings, software for network security, and intrusion detection and prevention systems.<\/p>\n CISA and the FBI provided incident response and remediation support to the victims. In addition, CISA and the FBI discovered that the actors specifically collected and exfiltrated ICS information and scanned document repositories for the following data types:<\/p>\n The actors obtained information about ICS permission groups, and they compromised remote access systems designed to transfer data and allow access between corporate and ICS networks. Although these systems are legitimate business tools, it is possible the actors repurposed them to conduct malicious activities that could have physical repercussions. According to CISA and the FBI, there is no evidence that the actors attempted to modify the gas pipeline operations after accessing its systems. Due to a lack of log data, CISA and the FBI are unsure about the depth of intrusion for at least 8 (35 percent) of the 23 cases identified in the campaign.<\/p>\n Across multiple U.S. natural gas pipeline companies, the actors gained access to SCADA systems, which many industrial organizations use to collect, analyze, and visualize equipment data.<\/p>\n The actors also exfiltrated information specific to dial-up access (such as phone numbers, usernames, and passwords) and used this data to access the organizations\u2019 operational technology (OT) systems. Some ONG organizations still use dial-up modems to access ICS networks; because these modems lack security and monitoring features, they can be attractive attack vectors for cyber criminals.<\/p>\n One targeted organization constructed a honeypot that contained two types of decoy documents: those appearing to have SCADA-related and sensitive organizational content, and those with fake financial and business information. Minutes after the honeypot went online, the actors exfiltrated only the files with SCADA-related and sensitive organizational content. Based on this experiment and the campaign TTPs, CISA and the FBI believe that the objective of the campaign was to help China develop cyberattack capabilities against U.S. pipeline companies so they could later use these capabilities to physically damage gas pipelines or disrupt pipeline operations, rather than to merely steal intellectual property.<\/p>\n The actors that conducted the spear-phishing and intrusion campaign used multiple TTPs to infiltrate the companies\u2019 networks and then use the stolen credentials to obtain sensitive information. CISA and the FBI are sharing the following TTPs (based on the MITRE ATT&CK framework) that were used in the campaign:<\/p>\n2. Analysis<\/h3>\n
2.1. Campaign<\/h4>\n
\n
\n
2.2. TTPs<\/h4>\n