The notification, released on Thursday, lists several contributing causes, including rising LNG exports from the United States, shifts in the global crude oil supply chain favoring the United States, continued Western pressure on Russia's energy supply, and China's reliance on imported oil.
The alert, however, did not name any particular advanced persistent threat (APT) group linked to China or Russia, nor did it cite any cybersecurity incident targeting critical infrastructure. Instead, it made general mention of how appealing U.S. networks are to foreign hackers and cautioned recipients that Chinese and Russian hackers are constantly looking to examine important systems and to improve their ability to exploit the vulnerabilities they find.
According to Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security and now an energy sector executive, “Utilities see probing and low-level attempted attacks every day by the Russians and PRC.”
These low-profile attacks give hackers insight into specific systems, such as where a target has open ports or what firewall restrictions may be in place. “China doesn’t make a lot of noise, but the small localized intrusions are helping build their network attack capabilities, likely for future use […] There’s no doubt that the energy sector is on the front lines of malicious cyber-activity right now as China preps the battlefield,” Harrell added.
As the notification suggests, Chinese hackers have exploited certain US entities by conducting “post-exploitation activity with generic reconnaissance commands using ‘live off the land’ tools.”
“Living off the land” means an attacker uses tools or features that are already present in the target environment. For instance, stealthy ransomware families such as WannaCry and LockBit have covered their tracks and persisted inside a network by using a default Windows binary, a piece of operating system code that was already there.
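Because the binaries involved are legitimate, defenders typically look for the pattern rather than the tool: a burst of different discovery commands run on one host in a short window. The following Python detector is an added illustration, not code from the article or the notification; it runs over constructed process-creation events, and the field names, the list of built-in binaries, the ten-minute window and the three-command threshold are all assumptions to be tuned for a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows binaries commonly used for host and domain discovery
# (the set is an assumption; tune it to your environment).
RECON_BINARIES = {
    "whoami.exe", "ipconfig.exe", "systeminfo.exe", "netstat.exe",
    "net.exe", "net1.exe", "nltest.exe", "tasklist.exe", "quser.exe",
    "arp.exe", "route.exe", "nslookup.exe", "qwinsta.exe",
}

def classify(event):
    """Return the recon command an event represents, or None."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    if exe not in RECON_BINARIES:
        return None
    if exe in ("net.exe", "net1.exe"):
        # 'net user', 'net group', 'net view' are distinct discovery steps
        parts = event["cmdline"].split()
        return ("net " + (parts[1].lower() if len(parts) > 1 else "")).strip()
    return exe[:-4]  # strip ".exe"

def find_recon_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Alert when one host runs >= min_distinct different recon commands
    inside `window`; returns (host, burst start, sorted commands) tuples."""
    by_host = defaultdict(list)
    for ev in events:
        verb = classify(ev)
        if verb:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), verb))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {v for t, v in items[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                alerts.append((host, t0.isoformat(), sorted(seen)))
                break  # one alert per host; the analyst takes it from here
    return alerts

# Constructed sample process-creation events (Sysmon-style fields; not real data).
SAMPLE_EVENTS = [
    {"host": "hmi-01", "ts": "2024-05-02T03:14:05", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"host": "hmi-01", "ts": "2024-05-02T03:14:40", "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "hmi-01", "ts": "2024-05-02T03:16:02", "image": r"C:\Windows\System32\net.exe", "cmdline": "net group /domain"},
    {"host": "hmi-01", "ts": "2024-05-02T03:17:30", "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"host": "eng-ws-7", "ts": "2024-05-02T09:00:00", "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "eng-ws-7", "ts": "2024-05-02T15:30:00", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
]
```

Calling `find_recon_bursts(SAMPLE_EVENTS)` returns one alert for `hmi-01`, which ran four different discovery commands in under four minutes, and nothing for `eng-ws-7`, whose two commands are hours apart and look like ordinary administration.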
The warning states that state-backed Chinese hackers have been targeting common vulnerabilities since 2020 in order to “target US and allied networks and software/hardware companies to steal intellectual property and develop access into sensitive networks to include critical infrastructure, defense industrial base sectors, and private sector organizations.”
The FBI declined to comment on the notification.
The notification further highlights how the Russian invasion of Ukraine altered the world's energy supply chain, citing Western sanctions as a "significant driver" of recent changes in the LNG supply chain. According to the notification, this shift will probably lead Russian hackers to increase their targeting of the American energy sector.
In 2022, 74% of Europe’s LNG imports originated in the U.S., the notification said, noting that the U.S. was able to meet European LNG demand.
It also added that since 2016, Russian hackers have targeted state agencies and several US-based critical infrastructure sectors by “staging targets networks as pivot points and malware repositories when targeting their final intended victims.”