China Breached Dozens of Pipeline Companies in Past Decade, U.S. Says

The Biden administration disclosed on Tuesday previously classified details about the breadth of state-sponsored cyberattacks on American oil and gas pipelines over the past decade, as part of a warning to pipeline owners to increase the security of their systems to stave off future attacks.

From 2011 to 2013, Chinese-backed hackers targeted, and in many cases breached, nearly two dozen companies that own such pipelines, the F.B.I. and the Department of Homeland Security revealed in an alert on Tuesday.

Of 23 operators of natural gas pipelines that were subjected to a form of email fraud known as spearphishing, the agencies said that 13 were successfully compromised, while three were “near misses.” The extent of intrusions into seven operators was unknown because of an absence of data.

The disclosures add to the urgency of defending the United States’ pipelines and critical infrastructure from cyberattacks. For years, nation-backed hackers and, more recently, cybercriminals have targeted oil and gas pipelines, holding their operators hostage with ransomware, a form of malware that encrypts data until the victim pays. The ransomware attack on Colonial Pipeline, the operator of one of the country’s largest pipelines, in May was a wake-up call, but officials say it was only the most visible consequence of a digital threat that has been consuming critical infrastructure for a decade.

Nearly 10 years ago, the Department of Homeland Security said, it began responding to intrusions on oil pipelines and electric power operators at “an alarming rate.” Officials successfully traced a portion of those attacks to China, but in 2012, China’s motivation was not clear: Were the hackers trolling for industrial secrets? Or were they positioning themselves for some future attack?

“We are still trying to figure it out,” a senior American intelligence official told The New York Times in 2013. “They could have been doing both.”

But the alert on Tuesday asserted that the goal was “holding U.S. pipeline infrastructure at risk.”

“This activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations,” the alert said.

The alert was prompted by new concerns over the cyberdefense of critical infrastructure, brought to the fore with the attack on Colonial Pipeline, whose pipeline carries refined gasoline and jet fuel from Texas and up the East Coast to New York. That breach grounded nonstop flights and led to gas shortages, setting off alarms at the White House and the Energy Department, which found that the nation could have afforded only three more days of downtime before mass transit and chemical refineries came to a halt.

Mandiant, a division of the security firm FireEye, said the advisory was consistent with the Chinese-backed intrusions it tracked on multiple natural gas pipeline companies and other critical operators from 2011 to 2013. But the firm added one unnerving detail, noting that it “strongly” believed that in one case, Chinese hackers had gained access to the controls, which could have enabled a pipeline shutdown or could potentially set off an explosion.

While the directive did not name the victims of the pipeline intrusion, one of the companies infiltrated by Chinese hackers over that same time frame was Telvent, which monitors more than half the oil and gas pipelines in North America. It discovered hackers in its computer systems in September 2012, only after they had been loitering there for months. The company closed its remote access to clients’ systems, fearing it would be used to shut down American infrastructure.

The Chinese government denied it was behind the breach of Telvent. Congress failed to pass cybersecurity legislation that would have increased the security of pipelines and other critical infrastructure. And the country seemed to move on.

Nearly a decade later, the Biden administration says the threat of hacking attacks on America’s oil and gas pipelines has never been graver. “The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” Alejandro N. Mayorkas, the homeland security secretary, said in a statement on Tuesday.

A security directive issued Tuesday requires owners and operators of pipelines deemed critical by the Transportation Security Administration to take specific steps to protect against ransomware and other attacks, and to put in place a contingency and recovery plan.

The directive follows another in May that required companies to report significant cyberattacks to the government, in a bid to shore up security after the breach of Colonial Pipeline, which forced the company to shut down 5,500 miles of pipeline.

The May directive set a 30-day period to “identify any gaps and related remediation measures to address cyber-related risks” and report them to the T.S.A. and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Shortly after taking office, President Biden promised that improving cybersecurity would be a top priority. This month, he met with top advisers to discuss options for responding to a wave of Russian ransomware attacks on American companies, including one on July 4 on a Florida company that provides software to businesses that manage technology for smaller firms.

And on Monday, the White House said that China’s Ministry of State Security, which oversees intelligence, was behind an unusually aggressive and sophisticated attack in March on tens of thousands of victims that relied on Microsoft Exchange mail servers.

Separately, the Justice Department unsealed indictments of four Chinese citizens on Monday for coordinating the hackings of trade secrets from companies in aviation, defense, biopharmaceuticals and other industries.

According to the indictments, China’s hackers operate from front companies, some on the island of Hainan, and tap Chinese universities not only to recruit hackers to the government’s ranks, but also to manage key business operations, like payroll. That decentralized structure, American officials and security experts say, is intended to offer China’s Ministry of State Security plausible deniability.

The indictments also revealed that China’s “government-affiliated” hackers had engaged in for-profit ventures of their own, conducting ransomware attacks that extort companies for millions of dollars.

Eileen Sullivan contributed reporting.