
Did Russian hackers blow up a Texas LNG pipeline on June 8?

June 23, 3:15 p.m. Eastern Standard Time update. On Thursday, Freeport LNG provided the Washington Examiner with a statement: “While our ongoing investigation continues, a cyberattack was ruled out as the cause within days of the incident. After a thorough assessment of our network, our internal cyber detection systems have been confirmed to have been functioning properly and do not indicate any manipulation or compromise of our security solutions.” However, I understand that Freeport LNG does not have the Operational Technology/Industrial Control Systems network detection systems necessary to detect XENOTIME’s ICS-targeting TRITON malware. I asked Freeport LNG whether it has OT/ICS systems. Freeport did not respond to that specific inquiry, instead stating that its original statement “Stands. Nothing further.” Considering XENOTIME’s use of TRITON (reemphasized in an April 22 notice by the U.S. and its closest allies), unless Freeport LNG has OT/ICS network detection systems deployed appropriately and has completed a forensics investigation, a cyberattack cannot be ruled out. I understand that the federal government continues to investigate the incident. Update ends.

According to two sources, around the time of Russia’s late February invasion of Ukraine, a cyber unit of Russia’s GRU military intelligence service again conducted targeting-reconnaissance operations against a major U.S. liquefied natural gas exporter, Freeport LNG.

U.S. LNG exports have long been a priority concern for Russia, viewed by Russian President Vladimir Putin as a means for the United States to undercut Russia’s domination of the European gas market.

On June 8, Freeport LNG suffered an explosion at its liquefaction plant and export terminal on Texas’s Quintana Island. The damage suffered means the facility is not expected to resume major operations until late 2022. The June 8 disruption had an immediate impact in spiking already soaring European gas prices and has reinforced Russia’s ability to hold gas supplies to Europe at risk in retaliation for the European Union sanctions imposed on Russia over the war in Ukraine. U.S. LNG futures have fallen significantly since the explosion.

One source tells me that the FBI is investigating the cause of the explosion. Responding to a question as to whether the FBI and its Cyber Division were involved in the investigation, the FBI told the Washington Examiner, “We can neither confirm nor deny the existence of an investigation into this matter.”

But what actually happened on June 8?

Well, a June 14 press release from Freeport LNG notes that “the incident occurred in pipe racks that support the transfer of LNG from the facility’s LNG storage tank area to the terminal’s dock facilities. … Preliminary observations suggest that the incident resulted from the overpressure and rupture of a segment of an LNG transfer line, leading to the rapid flashing of LNG and the release and ignition of the natural gas vapor cloud. Additional investigation is underway to determine the underlying precipitating events that enabled the overpressure conditions in the LNG piping.” The statement added that federal authorities were assisting with its investigation.

However, what was not explained is how a critical overpressure event could have occurred without safety systems kicking into action. Two LNG pipeline experts I talked to, who both asked to remain anonymous due to potential retaliatory damage to their business interests, say that pipeline corrosion and other material failures can cause critical incidents. Still, the FBI’s investigative involvement, the specific nature of this explosion, and the scale of damage incurred do raise major questions. The experts suggested that piping from a storage tank to a terminal, as in this explosion, should have extensive safeguards to prevent overpressure events. One expert was highly confident that control of pipeline flows would be undertaken from a networked control facility.

That brings us to the Russian cyber unit involved in the targeting reconnaissance against Freeport LNG.

Named XENOTIME by researchers, the unit has utilized boutique TRITON/TRISIS malware developed by the Russian Ministry of Defense’s Central Scientific Research Institute of Chemistry and Mechanics. That malware is designed for the seizure of industrial control systems and the defeat of associated safety systems. In 2017, GCHQ (Britain’s NSA-equivalent signals intelligence service) outlined the need for network compartmentalization to better protect safety systems against this malware. In March 2022, the FBI warned that TRISIS malware remained a threat.

XENOTIME is assessed by the U.S. and British governments as a critical infrastructure-focused, advanced persistent threat actor. The unit’s modus operandi involves targeting industrial control systems and supervisory control systems in order to effect unilateral control of a network. XENOTIME has caused specific concern in Western security circles for its targeting of safety systems that would otherwise mitigate threats to life during a cyberattack. XENOTIME’s activity has escalated in 2022. Evincing as much, an April 13 U.S. government cybersecurity warning noted, “By compromising and maintaining full system access to [industrial control system]/[safety] devices, [threat] actors could elevate privileges … and disrupt critical devices or functions.”

This concern is not theoretical.

In 2020, the U.S. Treasury Department sanctioned the Central Scientific Research Institute of Chemistry and Mechanics, linking it to a 2017 attack on a Saudi oil facility. Experts believe that the attack would have caused loss of life had the hackers not made coding errors that enabled their detection. But the threat remains. A 2018 presentation on XENOTIME by the Dragos cybersecurity firm notes that TRISIS/TRITON capability is not specific to one safety system, such as the Schneider Electric system involved in the 2017 Saudi incident. Dragos also notes that XENOTIME is a highly patient actor, focused on establishing an ability to operate across a server to effect maximum compromise of key systems.

While the Freeport LNG explosion remains under investigation, multiple sources told me they were struck by the overpressure event along a key pipeline transit route and the evident failure of safety systems to engage. This fits with XENOTIME’s modus operandi. Again, U.S. energy networks are a very high priority target for all three of the major Russian intelligence services: GRU, FSB, and the SVR. All run operations across a range of relevant concerns, with the SVR taking the lead for political influence and covert funding of green organizations, and the FSB and GRU for direct action.

But if Russia is responsible for the Freeport LNG incident, it breached explicit warnings from President Joe Biden against critical infrastructure attacks. Technically, it would also have conducted an act of war on U.S. soil. The question is: Will we ever know what happened? If Freeport LNG was unable to detect a major cyber intrusion and the capture of its systems, attributing Russian culpability may be extraordinarily difficult. Deficient cyber forensics is an issue that afflicts many private sector organizations.
