
Hackers targeted U.S. LNG producers in run-up to Ukraine war

The hackers offered to pay top dollar on the dark web for access to personal computers of workers at large natural gas companies in the U.S. The offers came on the eve of Russia's Ukraine invasion.

A view of the Chevron refinery under storm clouds in El Segundo, California. In mid-February, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron. (Genaro Molina/Los Angeles Times/TNS)

In mid-February, hackers gained access to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron Corp., Cheniere Energy Inc. and Kinder Morgan Inc., according to research shared exclusively with Bloomberg News.

The attacks targeted companies involved with the production of liquefied natural gas, or LNG, and they were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry, according to Gene Yoo, chief executive officer of Los Angeles-based Resecurity Inc., which discovered the operation. They occurred on the eve of Russia's invasion of Ukraine, when energy markets were already roiled by tight supplies.

Resecurity's investigation began last month when the firm's researchers spotted a small number of hackers, including one linked to a wave of attacks in 2018 against European organizations that Microsoft attributed to Strontium, the company's nickname for a hacking group associated with Russia's GRU military intelligence service.

The hackers were looking to pay top dollar on the dark web for access to personal computers belonging to workers at large natural gas companies in the United States, which were used as a back door into company networks, Yoo said. The researchers located the hackers’ servers and found a vulnerability in the software, which allowed them to obtain files from the machines and see what the attackers had already done, Yoo said.

Some of those files were shared with Bloomberg, providing a rare view into a live hacking operation. They show that in a two-week blitz in February, the attackers gained access to more than 100 computers belonging to current and former employees of 21 major energy companies. In some cases, the hackers compromised the target machines themselves, and in others they bought access to specific computers that were already infected by others, offering as much as $15,000 for each one, Yoo said.

The motive of the operation isn't known, but the timing coincides with broader changes in the energy industry that have been accelerated by Russia's war. Yoo said he believed the attack was carried out by state-sponsored hackers, but he declined to speculate further.

Yoo described the hackers’ actions as “pre-positioning,” or using the hacked machines as a springboard into protected corporate networks. For that kind of operation, computers belonging to former employees can be just as valuable as those used by current workers because many companies are slow or fail to cut off remote access when someone leaves, he said.

LNG is a form of super-chilled fuel that can be shipped nearly anywhere in the world by tanker. Demand has soared in recent months amid tight winter fuel supplies and the buildup to Russia's invasion of Ukraine on Feb. 24, which has roiled the energy market and caused Germany and other European countries, which are dependent on Russian gas, to seek alternatives. In the months before the invasion, the U.S. became the world's top supplier of LNG, and almost two out of three cargoes sailing from its shores were heading to natural gas-hungry Europe.

Germany, which is Europe's largest natural gas market, said in response to Russia's invasion that it is expediting the construction of two LNG import terminals. This is a major change, as it represents the first time Germany will import LNG. Germany also halted the certification process of the Nord Stream 2 pipeline, a system of natural gas pipelines from Russia that is completed but not yet operational.

It's not clear whether the attacks are directly related to the invasion of Ukraine, but Resecurity said the hacks began about two weeks before the invasion, after U.S. officials had urged critical infrastructure operators to "adopt a heightened state of awareness" for Russian state-sponsored attacks.

"Recent tensions around Nord Stream 2, global market changes, as well as conflict in Ukraine are obvious catalysts," Yoo said.

The infected machines appear to be a mix of home and corporate-owned computers. Yoo said the distinction has become essentially meaningless with the rise of remote work, as hackers have the ability to hijack virtual private network connections into corporate networks.

According to the documents provided by Resecurity, the companies whose workers were affected include Houston-based Cheniere Energy, the biggest U.S. exporter of LNG; San Ramon, Calif.-based Chevron, a major oil producer that also owns and operates the Gorgon LNG export terminal in Australia; Pittsburgh-based EQT Corp., the largest natural gas driller and producer in the U.S.; and Houston-based Kinder Morgan, the top natural gas pipeline operator in the U.S.

At Kinder Morgan, the data showed seven current and former employees whose computers were hacked and were being accessed as part of this campaign, and whose corporate email addresses and passwords were stolen. A company spokesperson said the attacks were on personal computers and that stolen passwords were associated with personal accounts.

"No Kinder Morgan computers or passwords were compromised," the spokesperson said.

At Chevron, the number was 45 people, according to Resecurity. Chevron declined to answer specific questions.

At an investor conference March 1, Chevron CEO Mike Wirth said that cyberattacks are the biggest risk facing the company. “It’s a never-ending challenge out there right now,” he said.