In mid-February, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron Corp., Cheniere Energy Inc. and Kinder Morgan Inc., according to research shared exclusively with Bloomberg News.
The attacks targeted companies involved with the production of liquefied natural gas, or LNG, and they were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity Inc., which discovered the operation. They occurred on the eve of Russia’s invasion of Ukraine, when energy markets were already roiled by tight supplies.
Resecurity’s investigation began last month when the firm’s researchers spotted a small number of hackers, including one linked to a wave of attacks in 2018 against European organizations that Microsoft Corp. attributed to Strontium, the company’s nickname for a hacking group associated with Russia’s GRU military intelligence service.
The hackers were looking to pay top dollar on the dark web for access to personal computers belonging to workers at large natural gas companies in the U.S., which were used as a back door into company networks, Yoo said. The researchers located the hackers’ servers and found a vulnerability in the software, which allowed them to obtain files from the machines and see what the attackers had already done, Yoo said.
Some of those files were shared with Bloomberg, providing a rare view into a live hacking operation. They show that in a two-week blitz in February, the attackers gained access to more than 100 computers belonging to current and former employees of 21 major energy companies. In some cases, the hackers compromised the target machines themselves, and in others they bought access to specific computers that were already infected by others, offering as much as $15,000 for each one, Yoo said.
The motive of the operation isn’t known, but the timing coincides with broader changes in the energy industry that have been accelerated by Russia’s war. Yoo said he believed the attack was carried out by state-sponsored hackers, but he declined to speculate further.
Yoo described the hackers’ actions as “pre-positioning,” or using the hacked machines as a springboard into protected corporate networks. For that kind of operation, computers belonging to former employees can be just as valuable as those used by current workers, because many companies are slow to cut off remote access when someone leaves, or fail to do so, he said.
LNG is a form of super-chilled fuel that can be shipped nearly anywhere in the world by tanker. Demand has soared in recent months amid tight winter fuel supplies and the buildup to Russia’s invasion of Ukraine on Feb. 24, which has roiled the energy market and caused Germany and other European countries, which are dependent on Russian gas, to seek alternatives. In the months before the invasion, the U.S. became the world’s top supplier of LNG, and almost two out of three cargoes sailing from its shores were heading to natural gas-hungry Europe.
Germany, which is Europe’s largest natural gas market, said in response to Russia’s invasion that it is expediting the construction of two LNG import terminals. This is a major change, as it represents the first time Germany will import LNG. Germany also halted the certification process of the Nord Stream 2 pipeline, a system of natural gas pipelines from Russia that is completed but not yet operational.
It’s not clear whether the attacks are directly related to the invasion of Ukraine, but Resecurity said the hacks began about two weeks before the invasion, after U.S. officials had urged critical infrastructure operators to “adopt a heightened state of awareness” for Russian state-sponsored attacks.