Power plant at dusk showing cyber attack on natural gas producers

Cyber Attack Targeted 21 Natural Gas Producers on the Eve of the Russian Invasion of Ukraine

A new report says that hackers executed a major cyber attack campaign against multiple natural gas producers in the United States ahead of Russia’s invasion of Ukraine.

Bloomberg News reported that the cyber attacks targeted at least 21 companies involved in the production, exportation, and distribution of liquified natural gas.

The cyberattack targeted major energy companies, including Chevron, Cheniere Energy, and Kinder Morgan.

The outlet reported that the hackers gained access to at least 100 computers belonging to current and former employees two weeks before the invasion. Most of the victims were mid-level employees, including technology workers and control system engineers.

Cyber attack against natural gas producers intended to disrupt the energy sector

Gene Yoo, CEO of security firm Resecurity told Bloomberg that the campaign was the “first stage” in an effort to disrupt the energy industry.

Although apparent, Yoo declined to confirm whether Russia was responsible for attacking natural gas producers, he believes that nation-state actors were responsible for the cyber attack.

Similarly, many companies declined to respond to Bloomberg’s request for comment. Coincidentally, the cyber attack campaign kicked off a day before Russia invaded Ukraine and when the energy markets were anticipating price hikes.

“It’s not clear whether the attacks are directly related to the invasion of Ukraine, but Resecurity said the hacks began about two weeks before the invasion after U.S. officials had urged critical infrastructure operators to “adopt a heightened state of awareness” for Russian state-sponsored attacks,” Bloomberg reported.

According to the U.S. intelligence community’s threat assessment report, Russia views cybersecurity as a foreign policy tool to shape the decisions of other countries.

GRU-linked threat groups targeted natural gas producers

Based on the report, Resecurity detected a small cyber attack campaign by hackers linked to Strontium, a cyber threat group associated with Russian intelligence group GRU. Earlier, the cybersecurity firm had detected an active recruitment drive by Strontium for individuals capable of infiltrating personal computers for natural gas producers.

Resecurity experts had exploited a software vulnerability on the hackers’ servers and obtained files detailing their activities. Using the obtained information, Resecurity determined that the cyber attack compromised 100 computers belonging to current and former employees of at least 21 natural gas producers.

During the operation, the hackers relied on various tactics including buying initial access for up to $15,000 each or exploiting the machines themselves. These hacked machines acted as entry points into the natural gas producers’ protected corporate networks.

According to Resecurity, the hackers stole the email addresses and passwords of Kinder Morgan’s employees. However, the natural gas producer’s spokesman clarified that the attacks occurred on personal computers, and the leaked credentials were associated with personal accounts.

Similarly, Resecurity claimed that the cyber attack exposed the credentials of 45 individuals at Chevron. However, the energy company did not shed more light on the suspected cyber attack and claimed to have implemented CISA’s security recommendations.

Meanwhile, Biden had banned the importation of Russian oil to deal a debilitating blow to the Russian economy’s “main artery.”