In mid-February, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron Corp., Cheniere Energy Inc. and Kinder Morgan Inc., according to research shared exclusively with Bloomberg News.
The attacks targeted companies involved with the production of liquefied natural gas, or LNG, and they were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity Inc., which discovered the operation. They occurred on the eve of Russia’s invasion of Ukraine, when energy markets were already roiled by tight supplies.
Resecurity’s investigation began last month when the firm’s researchers spotted a small number of hackers, including one linked to a wave of attacks in 2018 against European organizations that Microsoft Corp. attributed to Strontium, the company’s nickname for a hacking group associated with Russia’s GRU military intelligence service.
The hackers were looking to pay top dollar on the dark web for access to personal computers belonging to workers at large natural gas companies in the U.S., which were used as a back door into company networks, Yoo said. The researchers located the hackers’ servers and found a vulnerability in the software, which allowed them to obtain files from the machines and see what the attackers had already done, Yoo said.
Some of those files were shared with Bloomberg, providing a rare view into a live hacking operation. They show that in a two-week blitz in February, the attackers gained access to more than 100 computers belonging to current and former employees of 21 major energy companies. In some cases, the hackers compromised the target machines themselves, and in others they bought access to specific computers that were already infected by others, offering as much as $15,000 for each one, Yoo said.
The motive of the operation isn’t known, but the timing coincides with broader changes in the energy industry that have been accelerated by Russia’s war. Yoo said he believed the attack was carried out by state-sponsored hackers, but he declined to speculate further.
Yoo described the hackers’ actions as “pre-positioning,” or using the hacked machines as a springboard into protected corporate networks. For that kind of operation, computers belonging to former employees can be just as valuable as those used by current workers, because many companies are slow or fail to cut off remote access when someone leaves, he said.
LNG is a form of super-chilled fuel that can be shipped nearly anywhere in the world by tanker. Demand has soared in recent months amid tight winter fuel supplies and the buildup to Russia’s invasion of Ukraine on Feb. 24, which has roiled the energy market and caused Germany and other European countries, which are dependent on Russian gas, to seek alternatives. In the months before the invasion, the U.S. became the world’s top supplier of LNG, and almost two out of three cargoes sailing from its shores were heading to natural gas-hungry Europe.
Germany, which is Europe’s largest natural gas market, said in response to Russia’s invasion that it is expediting the construction of two LNG import terminals. This is a major change, as it represents the first time Germany will import LNG. Germany also halted the certification process of the Nord Stream 2 pipeline, a system of natural gas pipelines from Russia that is completed but not yet operational.
It’s not clear whether the attacks are directly related to the invasion of Ukraine, but Resecurity said the hacks began about two weeks before the invasion, after U.S. officials had urged critical infrastructure operators to “adopt a heightened state of awareness” for Russian state-sponsored attacks.
“Recent tensions around Nord Stream 2, global market changes, as well as conflict in Ukraine are obvious catalysts,” Yoo said.
The infected machines appear to be a mix of home and corporate-owned computers. Yoo said the distinction has become essentially meaningless with the rise of remote work, as hackers have the ability to hijack virtual private network connections into corporate networks.
According to the documents provided by Resecurity, the companies whose workers were affected include Houston-based Cheniere Energy, the biggest U.S. exporter of LNG; San Ramon, California-based Chevron, a major oil producer that also owns and operates the Gorgon LNG export terminal in Australia; Pittsburgh, Pennsylvania-based EQT Corp., the largest natural gas driller and producer in the U.S.; and Houston-based Kinder Morgan, the top natural gas pipeline operator in the U.S. and the operator of the Elba Island LNG export terminal in Georgia.
At Kinder Morgan, the data showed seven current and former employees whose computers were hacked and were being accessed as part of this campaign, and whose corporate email addresses and passwords were stolen. A company spokesperson said: “We have confirmed that most of those emails were assigned to former employees. The few that are current have not been compromised.” The company declined to answer additional questions.
At Chevron, the number was 45 people, according to Resecurity. Chevron declined to answer specific questions. A spokesperson said: “Chevron takes the threat of malicious cyber activity very seriously. We have implemented the United States government’s recommendations into our cybersecurity safeguards to protect Chevron’s computing environment.”
At an investor conference March 1, Chevron Chief Executive Officer Mike Wirth said that cyberattacks are the biggest risk facing the company. “It’s a never-ending challenge out there right now,” he said. “We’re in a high-risk environment right now from a cyber standpoint, and we’re in an industry that is a high profile, high-value target for bad actors. So that’s the thing in the short term that I probably would say, in my view is the risk I worry about the most.”
Cheniere declined to comment. An EQT spokesperson didn’t return messages. However, Chief Executive Officer Toby Rice told Bloomberg TV on Monday that cyberattacks targeting the company had gone up “significantly” since the start of the invasion.
The attacks come at a time when the FBI and other federal agencies are on high alert. The FBI’s Internet Crime Complaint Center has issued dozens of alerts over the past six years documenting attacks by Russia and other state-sponsored hackers against targets including the oil and natural gas industry. The agency is concerned about increased attacks following Russia’s invasion of Ukraine, said Jason Leigh, a special agent on the FBI Houston’s cyber task force.
“In a normal day, prior to the invasion, the U.S. could experience attacks from Russian entities,” Leigh said. “We expect that the invasion may escalate in terms of volume or the number of attacks and the manners in which they attack.”
The files shared with Bloomberg identify each of the hacking group’s victims. The information includes their corporate email addresses and passwords, and the internet addresses of the infected computers the hackers can access. Many victims are mid-level employees, in occupations ranging from information technology staff and control system engineers to research scientists and managers, the documents show.