TLP: White
1. Executive Summary
On 20 July 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published joint advisory AA21-201A on a Chinese state-sponsored spear-phishing and intrusion campaign that targeted U.S. oil and natural gas (ONG) pipeline companies from 2011 to 2013.[1] The advisory identifies 23 U.S. natural gas pipeline operators targeted during that period: 13 were confirmed compromised, 3 were near misses, and 8 experienced an intrusion of unknown depth.
Based on the data that the actors stole and the tactics, techniques, and procedures (TTPs) used in the campaign, CISA and the FBI assessed that the purpose of the intrusions was to gain strategic access to the industrial control system (ICS) networks to prepare for future operations, rather than to merely steal intellectual property. The advisory provides information on the TTPs and lists the indicators of compromise (IOCs) related to the campaign.
The CISA/FBI advisory was published a day after the White House's official statement attributing malicious cyber activity to the People's Republic of China (PRC), including the use of contract hackers and the exploitation of zero-day vulnerabilities in Microsoft Exchange Server in early March 2021.[2] On 19 July, the FBI and CISA also published a joint advisory on the Chinese advanced persistent threat (APT) group APT40, as well as an advisory on the tactics, techniques, and procedures observed across Chinese state-sponsored cyber actors.[3][4]
2. Analysis
2.1. Campaign
From 9 December 2011 through at least 29 February 2012, the actors delivered spear-phishing emails with malicious attachments to employees of ONG organizations. The actors also telephoned employees in network engineering departments and attempted to collect information about their organizations' network security practices. In one incident, employees received phone calls immediately after they identified and mitigated malicious activity in their network. The caller's number was not identifiable, and the caller posed as an employee of a cybersecurity firm conducting a survey about security practices, asking about the organization's firewall practices and settings, network security software, and intrusion detection and prevention systems.
CISA and the FBI provided incident response and remediation support to the victims. In addition, CISA and the FBI discovered that the actors specifically collected and exfiltrated ICS information and scanned document repositories for the following data types:
- Supervisory control and data acquisition (SCADA)-related documents
- Lists of personnel
- Usernames and passwords
- Information about dial-up access
- System manuals
- Remote terminal unit (RTU) sites
The actors obtained information about ICS permission groups and compromised remote access systems designed to transfer data and allow access between corporate and ICS networks. Although these systems are legitimate business tools, the actors could have repurposed them for malicious activity with physical consequences. According to CISA and the FBI, there is no evidence that the actors attempted to modify pipeline operations after gaining access. Because of missing log data, CISA and the FBI cannot determine the depth of intrusion for at least 8 (35 percent) of the 23 cases identified in the campaign.
Across multiple U.S. natural gas pipeline companies, the actors gained access to SCADA systems, which many industrial organizations use to collect, analyze, and visualize equipment data.
The actors also exfiltrated information specific to dial-up access (such as phone numbers, usernames, and passwords) and used this data to access the organizations' operational technology (OT) systems. Some ONG organizations still use dial-up modems to reach ICS networks; because these modems typically lack strong authentication and any monitoring, they are an attractive entry point for attackers.
One targeted organization constructed a honeypot that contained two types of decoy documents: those appearing to have SCADA-related and sensitive organizational content, and those with fake financial and business information. Minutes after the honeypot went online, the actors exfiltrated only the files with SCADA-related and sensitive organizational content. Based on this experiment and the campaign TTPs, CISA and the FBI believe that the objective of the campaign was to help China develop cyberattack capabilities against U.S. pipeline companies so they could later use these capabilities to physically damage gas pipelines or disrupt pipeline operations, rather than to merely steal intellectual property.
2.2. TTPs
The actors that conducted the spear-phishing and intrusion campaign used multiple TTPs to gain access to the companies' networks, harvest credentials, and use those credentials to obtain sensitive information. CISA and the FBI are sharing the following TTPs (mapped to the MITRE ATT&CK framework) that were used in the campaign:
Tactic | Technique
Reconnaissance [TA0043] | Phishing for Information [T1598]
Initial Access [TA0001] | Phishing: Spearphishing Link [T1566.002]
Execution [TA0002] | User Execution: Malicious File [T1204.002]
Discovery [TA0007] | Peripheral Device Discovery [T1120]
Collection [TA0009] | Data from Information Repositories [T1213]
Exfiltration [TA0010] |
2.3. Mitigations
CISA and the FBI strongly recommend that operators of ONG networks and of other critical infrastructure networks implement network segmentation between IT and ICS/OT systems. CISA and the FBI also recommend that organizations (1) adopt measures that strengthen their security posture and (2) commit to a layered approach that reduces the risk of compromise and of severe degradation of operations. The full set of recommendations follows:
- Harden the IT/corporate network to reduce the risk of initial compromise.
  - Update all software, including operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system.
  - Replace all end-of-life software and hardware devices.
  - Restrict and manage remote access software. Remote access tools are a common method for threat actors to gain initial access and persistence on target networks.
    - Manage and restrict the users and groups permitted to use remote access capabilities. Limit permissions to users who require the capability to complete their duties.
    - Require multi-factor authentication (MFA) for remote access.
    - Limit access to resources over networks, especially by restricting Remote Desktop Protocol (RDP). If RDP is operationally necessary, restrict the originating sources and require MFA.
  - Enable strong spam filters to prevent phishing emails from reaching end users.
  - Implement unauthorized execution prevention by:
    - Disabling macro scripts in Microsoft Office files transmitted via email. Consider opening such files in Office Viewer software instead of the full Microsoft Office suite applications.
    - Implementing application allowlisting, so that systems execute only programs known to and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common malware locations, such as the temporary folders used by popular internet browsers.
  - Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
  - Set antivirus/antimalware programs to regularly scan IT network assets using up-to-date signatures.
- Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally into ICS networks if the IT network is compromised.
  - Implement a multi-layered ICS network topology, with the most critical communications occurring in the most secure and reliable layer. For more information, refer to National Institute of Standards and Technology (NIST) Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security.
  - Use one-way communication diodes to prevent external access wherever possible.
  - Set up demilitarized zones (DMZs): physical and logical subnetworks that act as intermediaries between the IT and ICS networks so that ICS devices are not directly exposed.
  - Employ reliable network security protocols and services where feasible.
  - Consider using virtual local area networks (VLANs) for additional segmentation, for example by placing all printers in separate, dedicated VLANs and restricting users' direct printer access.
- Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally.
  - Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and filtering routers and switches.
  - Implement network monitoring at key chokepoints (egress points to the internet, boundaries between network segments, and core switch locations) and at key assets or services (e.g., remote access services).
  - Configure an IDS to alarm on any ICS traffic outside normal operations, after establishing a baseline of normal operations and network traffic.
  - Configure security information and event management (SIEM) tooling to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
- Implement the following additional ICS environment best practices:
  - Update all software. Use a risk-based assessment strategy to determine which ICS networks, assets, and zones should participate in the patch management program.
  - Test all patches in offline test environments before deployment.
  - Implement application allowlisting on human-machine interfaces (HMIs).
  - Harden field devices, including tablets and smartphones.
  - Replace all end-of-life software and hardware devices.
  - Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).
  - Restrict and manage remote access software. Require MFA for remote access to ICS networks.
  - Configure encryption and security features for ICS protocols where the devices support them.
  - Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
  - Do not allow vendors to connect their own devices to the ICS network; a compromised vendor device could introduce malware.
  - Maintain an ICS asset inventory of all hardware, software, and supporting infrastructure technologies.
  - Ensure robust physical security is in place to prevent unauthorized personnel from accessing controlled spaces that house ICS equipment.
  - Regularly test manual controls so that critical functions can be kept running if ICS/OT networks need to be taken offline.
  - Manage the supply chain by adjusting the ICS procurement process to weigh cybersecurity heavily in the scoring and evaluation methodology. Additionally, establish contractual agreements for all outsourced services that ensure proper incident handling and reporting, security of interconnections, and remote access specifications and processes.
- Implement the following additional best practices:
  - Implement IP geo-blocking, as appropriate.
  - Implement regular, frequent data backup procedures on both the IT and ICS networks. Data backup procedures should address the following best practices:
    - Ensure backups are regularly tested.
    - Store backups separately, i.e., isolated from network connections that could enable the spread of malware or lateral movement.
    - Maintain regularly updated "gold images" of critical systems in case they need to be rebuilt.
    - Retain backup hardware to rebuild systems when rebuilding the primary system is not preferred.
  - Implement a user training program that teaches employees to recognize spear-phishing attempts, discourages them from visiting malicious websites or opening malicious attachments, and reinforces the appropriate response to spear-phishing emails.
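The segmentation and IDS-baseline recommendations above are easy to state and harder to operationalize. The following Python script is an added example (it is not code from the CISA/FBI advisory or from this report) of one way to do both with flow records: it learns the set of (source, destination, destination port) tuples seen on the ICS segment during a known-good window, then raises an alarm for any live flow that crosses directly from the corporate range into the ICS range, for any ICS host that talks to an external address, and for any ICS flow that falls outside the learned baseline, grading the last case higher when the port belongs to an ICS protocol. The address ranges, the DMZ jump host, the port-to-protocol map and every flow record are constructed for the example. The caveat the advisory's own findings imply: the baseline window must predate any suspected compromise, because an actor already present (as in the eight unknown-depth cases) would otherwise be learned as normal.

```python
"""Baseline-and-alarm check for ICS traffic (added example, not advisory code).

Flow records are constructed for this example in the form
"<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"; in practice they
would come from NetFlow/IPFIX, Zeek conn.log or a span port at the IT/ICS
boundary. Address ranges and the jump host are assumptions."""
import ipaddress

IT_NET = ipaddress.ip_network("10.20.0.0/16")        # assumed corporate range
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")    # assumed IT/ICS DMZ
ICS_NET = ipaddress.ip_network("192.168.100.0/24")   # assumed control network
INTERNAL = (IT_NET, DMZ_NET, ICS_NET)
# Ports used by the ICS protocols of interest; a new flow on one of these is
# graded higher than a new flow on a generic port.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "ethernet/ip", 102: "s7comm"}


def parse_flow(line):
    ts, src, dst, proto, dport, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport), int(nbytes)


def build_baseline(lines):
    """(src, dst, dport) tuples that touched the ICS segment during the
    known-good window. Anything learned here will not alarm later, so the
    window must predate any suspected compromise."""
    baseline = set()
    for _, src, dst, _, dport, _ in map(parse_flow, lines):
        if src in ICS_NET or dst in ICS_NET:
            baseline.add((src, dst, dport))
    return baseline


def evaluate(lines, baseline):
    """Return (severity, rule, detail) alarms for flows that violate the
    segmentation policy or fall outside the learned baseline."""
    alarms = []
    for ts, src, dst, proto, dport, nbytes in map(parse_flow, lines):
        detail = f"{ts} {src} -> {dst} {proto}/{dport} {nbytes}B"
        if src in IT_NET and dst in ICS_NET:
            # Policy violation regardless of history: corporate hosts may
            # reach ICS only through the DMZ.
            alarms.append(("critical", "it-to-ics", detail))
        elif src in ICS_NET and not any(dst in net for net in INTERNAL):
            # An ICS host talking to an external address is a strong exfiltration/C2 signal.
            alarms.append(("critical", "ics-egress", detail))
        elif (src in ICS_NET or dst in ICS_NET) and (src, dst, dport) not in baseline:
            sev = "high" if dport in ICS_PORTS else "medium"
            alarms.append((sev, "outside-baseline", detail))
    return alarms


BASELINE_FLOWS = [  # constructed known-good window
    "2012-01-09T08:00:00Z 192.168.100.10 192.168.100.21 tcp 502 1200",   # HMI -> PLC, Modbus
    "2012-01-09T08:00:05Z 192.168.100.10 192.168.100.22 tcp 502 1180",
    "2012-01-09T08:01:00Z 192.168.50.10 192.168.100.10 tcp 3389 52000",  # DMZ jump host -> HMI
    "2012-01-09T08:02:00Z 192.168.100.10 192.168.100.5 udp 123 76",      # HMI -> local NTP
]
LIVE_FLOWS = [  # constructed window under review
    "2012-01-12T02:10:00Z 192.168.100.10 192.168.100.21 tcp 502 1190",   # known-good
    "2012-01-12T02:11:30Z 10.20.5.17 192.168.100.21 tcp 502 300",        # corporate PC -> PLC
    "2012-01-12T02:12:00Z 192.168.50.10 192.168.100.23 tcp 20000 410",   # jump host -> unseen RTU, DNP3
    "2012-01-12T02:13:00Z 192.168.100.10 203.0.113.8 tcp 443 98000",     # HMI -> internet
    "2012-01-12T02:14:00Z 192.168.50.10 192.168.100.10 tcp 445 2048",    # jump host -> HMI over SMB
]


def run():
    return evaluate(LIVE_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for sev, rule, detail in run():
        print(f"{sev:8} {rule:17} {detail}")
```

The two policy rules fire before the baseline check so that a known-bad path is never masked by having been seen before; in a real deployment the baseline would be re-learned per maintenance window and the learned set reviewed by someone who knows the plant, since the set itself is the allowlist.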
3. Indicators of Compromise
The list below contains the IOCs related to the spear-phishing and intrusion campaign described in this report. The advisory released by the FBI and CISA contains the full IOC list and additional detail about the phishing emails.
Domains are shown defanged with [.]; (Company Name) and <victim_company_name> are placeholders for the targeted organization's name.
MD5 hashes of malicious files:
  05476307f4beb3c0d9099270c504f055
  124ad1778c65a83208dbefcec7706dc6
  17199ddac616938f383a0339f416c890
  3d28651bb2d16eeaa6a35099c886fbaa
  4a8854363044e4d66bf34a0cd331d93d
  52294de74a80beb1e579e5bca7c7248a
  54db65a27472c9f3126df5bf91a773ea
  5e6a033fa01739d9b517a468bd812162
  60456fe206a87f5422b214369af4260e
  6818a9aef22c0c2084293c82935e84fe
  7361a1f33d48802d061605f34bf08fb0
  7caf4dbf53ff1dcd5bd5be92462b2995
  84873fae9cdecb84452fff9cca171004
  99b58e416c5e8e0bcdcd39ba417a08ed
  a46a7045c0a3350c5a4c919fff2831a0
  d6eaadcbcf9ea9192db1bd5bb7462bf8
  e12ce62cf7de42581c2fe1d7f36d521c
  e62afe2273986240746203f9d55496db
  ea1b46fab56e7f12c4c2e36cce63d593
  ed92d1242c0017668b93a72865b0876b
  f0a00cfd891059b70af96b807e9f9ab8
  fcbbfadc992e265c351e54598a6f6dfb
Names of malicious files:
  AcroRD32.exe
  AdobeUpdater.exe
  Solarworldsummary.exe
  ccApp1.exe
  fslist.exe
  gh.exe
  iTunesHelper.exe
  iass.dll
  inn.exe
  ins.exe
  kkk.exe
  moonclient2.exe
  niu.exe
  ntshrui.dll
  px.exe
  slm.exe
  smss.exe
  spoolsvd.exe
  u.exe
Names of email attachments:
  (Company Name)_Summary.zip
  (Company Name)_to_Sell_RNGMS_to_(Company Name).zip
  01-12-RATEALERT.zip
  Debt_Crisis_Hits_US.zip
  Election_2012_Analysis.pdf
  Gift-Winter.zip
  Happy_New_Year.zip
  How_Can_Steelmakers_Compete_for_Growth_in_the_Steel_Sector_in_2012.zip
  Solarworldsummary.zip
Domains found in email bodies:
  fni[.]itgamezone[.]net
  fpso[.]bigish[.]net
Email sender address:
  <victim_company_name>@yahoo.com
Possible command-and-control (C2) domains:
  18center[.]com
  <victim_company_name>[.]arrowservice[.]net
  <victim_company_name>[.]businessconsults[.]net
  <victim_company_name>[.]federalres[.]org
  balancefitstudio[.]com
  bargainblog[.]com[.]au
  blackcake[.]net
  energyreview[.]strangled[.]net
  etrace-it[.]com
  idahoanad[.]org
  infosupports[.]com
  milk[.]crabdance[.]com
  mitchellsrus[.]com
  picture[.]wintersline[.]com
  res[.]federalres[.]org
  un[.]linuxd[.]org
  wish[.]happyforever[.]com
Browser user agents:
  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
  Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
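Applying these indicators is not a plain string search: the domains are defanged, several of them carry a per-victim placeholder, and a number of the file names (AcroRD32.exe, smss.exe, iTunesHelper.exe) are also the names of legitimate binaries. The following Python matcher is an added example (not code from the advisory or from this report) that applies a subset of the indicators above to constructed proxy-log lines and a constructed process listing. It refangs the [.] and [dot] notation, turns <victim_company_name> into a single-label wildcard, anchors domain matches so that lookalikes such as not18center.com do not fire, and grades hits: an MD5 match is high confidence; a name-only match is low unless the file sits outside the usual system and program directories; a user-agent match is low because the listed strings were stock IE6/IE8 strings in 2012 and only corroborate other findings. The log lines, hostnames, paths and the non-IOC hashes are constructed for the example.

```python
"""IOC matcher for the indicators listed above (added example, not advisory code).

Sample logs, hostnames, file paths and the non-IOC hashes are constructed."""
import re

PLACEHOLDER = "<victim_company_name>"

# Subset of the published indicators, kept in their defanged form.
IOC_DOMAINS = [
    "18center[.]com",
    "<victim_company_name>[.]arrowservice[.]net",
    "bargainblog[.]com[.]au",
    "idahoanad[dot]org",
    "fni[.]itgamezone[.]net",
]
IOC_MD5 = {"05476307f4beb3c0d9099270c504f055", "fcbbfadc992e265c351e54598a6f6dfb"}
IOC_FILENAMES = {"moonclient2.exe", "spoolsvd.exe", "kkk.exe", "acrord32.exe", "smss.exe"}
IOC_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
}
# Directories where a name collision with a legitimate binary is expected.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def refang(indicator):
    """Undo the [.] / [dot] defanging used in the published list."""
    return indicator.replace("[.]", ".").replace("[dot]", ".").lower()


def domain_pattern(defanged):
    """Regex for one domain IOC: the placeholder becomes a single-label
    wildcard; the match is anchored so only the domain itself or a subdomain
    of it fires (not18center.com must not match 18center[.]com)."""
    pieces = refang(defanged).split(PLACEHOLDER)
    body = r"[a-z0-9-]+".join(re.escape(p) for p in pieces)
    return re.compile(r"(?:^|\.)" + body + r"$")


DOMAIN_PATTERNS = [domain_pattern(d) for d in IOC_DOMAINS]


def scan_proxy_log(lines):
    """Lines are 'timestamp<TAB>client_ip<TAB>dest_host<TAB>user_agent'."""
    findings = []
    for line in lines:
        ts, client, host, ua = line.rstrip("\n").split("\t", 3)
        host = host.lower().rstrip(".")
        if any(p.search(host) for p in DOMAIN_PATTERNS):
            findings.append(("high", "c2-domain", f"{ts} {client} -> {host}"))
        if ua in IOC_USER_AGENTS:
            # Stock IE6/IE8 strings were common in 2012: corroborating only.
            findings.append(("low", "user-agent", f"{ts} {client} {ua[:40]}..."))
    return findings


def scan_process_list(entries):
    """Entries are (hostname, image_path, md5). Hash hits are high confidence;
    name-only hits are low unless the file lives outside TRUSTED_DIRS."""
    findings = []
    for hostname, path, md5 in entries:
        name = path.rsplit("\\", 1)[-1].lower()
        if md5.lower() in IOC_MD5:
            findings.append(("high", "md5", f"{hostname} {path}"))
        elif name in IOC_FILENAMES:
            sev = "low" if path.lower().startswith(TRUSTED_DIRS) else "medium"
            findings.append((sev, "filename", f"{hostname} {path}"))
    return findings


UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
UA_FF = "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0"
SAMPLE_PROXY_LOG = [  # constructed
    f"2012-01-12T09:14:02Z\t10.20.5.17\twww.example.com\t{UA_FF}",
    f"2012-01-12T09:15:40Z\t10.20.5.17\tacmegas.arrowservice.net\t{UA_IE6}",
    f"2012-01-12T09:16:03Z\t10.20.5.22\tcdn.bargainblog.com.au.\t{UA_FF}",
    f"2012-01-12T09:20:11Z\t10.20.5.30\tIDAHOANAD.ORG\t{UA_FF}",
    f"2012-01-12T09:21:00Z\t10.20.5.30\tnot18center.com\t{UA_FF}",
]
SAMPLE_PROCESSES = [  # constructed; the non-IOC hashes are dummies
    ("ws-eng-07", "C:\\Windows\\System32\\smss.exe", "8ee9f0a9c4b3d5e6f7a8b9c0d1e2f3a4"),
    ("ws-eng-07", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\spoolsvd.exe", "05476307f4beb3c0d9099270c504f055"),
    ("ws-eng-12", "C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe", "1f2e3d4c5b6a79880716253443526170"),
    ("ws-eng-12", "C:\\Users\\jdoe\\Downloads\\Solarworldsummary\\AcroRD32.exe", "2a2b2c2d2e2f30313233343536373839"),
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_process_list(SAMPLE_PROCESSES):
        print(*finding)
```

On the constructed input the matcher flags the templated arrowservice.net host, a subdomain of bargainblog.com.au and the upper-cased idahoanad.org, ignores not18center.com, and grades the Temp-directory spoolsvd.exe by its hash while treating the System32 smss.exe and the Program Files AcroRd32.exe as low-confidence name collisions.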
Endnotes
1. CISA AA21-201A: https://us-cert.cisa.gov/ncas/alerts/aa21-201a
2. The White House, Statement on PRC Malicious Cyber Activities: https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/
3. CISA AA21-200A: https://us-cert.cisa.gov/ncas/alerts/aa21-200a
4. CISA AA21-200B: https://us-cert.cisa.gov/ncas/alerts/aa21-200b