If you want to overcome your adversaries you must know both yourself and your enemies, and fully understand your enemies’ intentions. Hunt & Hackett has observed a discerning increase of activity of Advanced Persistent Threat groups (APTs) in the energy sector. In this series of blogs, the threat posed by APTs to energy industries is analyzed and it is explained what motives lie behind these cyberattacks. In this and the next part of the series, the strategic motives of the most active nations are scrutinized along with their APTs key statistics, starting off with China and Russia.
China is the world’s largest energy consumer and its hunger for energy is ever growing. Mass-migration into big cities, rapid economic growth and a massive manufacturing industry have all contributed to the increase in the need for power. Currently, China relies greatly on coal as its energy source. The huge consumption of coal is the main reason for China’s position as the greatest contributor to global warming, emitting around one-quarter of all greenhouse gasses. The Chinese government has expressed the will to cut down these numbers and transferring away from coal to cleaner sources of energy. At the same time, China is by far the world’s leading country in renewable energy sources, such as wind and solar power, and has ambitious plans for nuclear energy. Besides from the beneficial long-term effects on the halting of global warming that come with the transfer from non-renewable to renewable sources, the Chinese population can also benefit on the short-term. The cities they live in are dealing with extreme air pollution; of the 100 most polluted cities worldwide, 48 are Chinese. Clean energy sources have the ability to improve quality of life and public health for the Chinese. To get to the point that China can call itself carbon-neutral, the Chinese government has formulated a plan in which science and new technologies have dominant roles1.
That is the part where China’s vast offensive cyber-capabilities come in. China has active policy in place to acquire western technology and intellectual property as part of the grand strategy Made in China 2025. China's cyberspace operations are part of a complex, multipronged technology development plan that uses licit and illicit methods to achieve its goals, as shown in figure 1. This strategy applies to the energy industry as well. The science and new technologies China needs to reach it long-term goals in the energy sector would take years of development and huge sums of money. If these can’t be achieved through licit ways such as academic collaborations, building start- and scaleup ecosystems, the merging of companies or joint ventures, why not use their highly skilled APTs instead? This saves loads of time and money while the chances of getting caught and facing consequences are low. In this way, China can get its hands on the most valuable and sensitive business information.
Figure 1 – China’s strategy on acquiring foreign technology and intellectual property.
Even though China’s main focus has been on espionage and information theft, recent reports have also outed suspicions of Chinese attacks on critical infrastructure with the goal of disruption2. Only last year, India fell victim to a cyber-attack on their power grid. There are signs that this was done by China, with whom India is in a border conflict, to send a threatening message to their enemy3. Incidents of disruptive cyber-attacks are more frequently outed by the victims or governments, partly because of their sometimes immediate impact on society. Information on incidents of cyber-espionage is less eagerly being communicated by the organizations that fell victim to them, wanting to protect their integrity. However, this doesn’t mean that there are less espionage attacks – they are just harder to find.
Hunt & Hackett outwits hostile APTs by tracking and anticipating their preferred attack methods (TTPs) and tools. Hunt & Hackett is aware of 69 APT-groups that have been linked to China and are currently or previously targeting energy or related businesses. It's worth noting that some of them are no longer operational or haven't been detected by other security providers in the last few years. Hunt & Hackett has identified 489 TTPs and 490 Tools used by these 69 Chinese APTs.
THREAT RECORD SHEET - CHINA - ENERGY INDUSTRY
|"The Advancingly Powerful Threat"|
|Full Name||People's Republic of China|
|Known Aliases (total of 69)||APT 10; APT40; APT41; Night Dragon; etc.|
|Known Tools Used||732|
|Known Methods Used||524|
|EXCERPT OF PREVIOUS THREAT HISTORY|
|Date of Crime||Description Offence||Motivation|
|2011-2013||Chinese hackers infiltrated US critical energy infrastructure||Disruption|
|2014-2020||APT10 infiltrated critical energy infrastructure all over the world||Espionage / Information Theft|
|October 2020||Chinese hacker group caused black-out by infiltrating Mumbai, India||Disruption|
Table 1 - Threat Record of China in the Global Energy and Related Industries.
Russia’s focus is quite different from China’s. Russia’s economy depends greatly on their fossil sources of energy. The Russian Federation is abundant with non-renewable energy sources. Oil, gas and petroleum products form the most important parts of exports with a share of over 60% of the upbringings of all exports. It’s estimated that over half of the world’s gas and close to half of the world’s coal can be found on and under Russian soil, and the Kremlin has not shown a lot of eagerness to steer away from using them. Russia’s great leader, Vladimir Putin, has spoken about the human impact on global warming in varying tones. One time Putin blamed ‘invisible changes in the galaxy’ for the occurring climate change, another time he stated that humanity is indeed a major contributor to global warming. Whatever he says, in his statements on global warming he has been reluctant to mention Russia’s fossil energy industry to this day. It’s important to note that Russia is the fourth largest greenhouse gas emitter in the world.
“changes of global character, cosmic changes, some invisible moves in the galaxy.”
-Vladimir Putin on what he thinks causes climate change, 20174.
It seems that Russia’s intentions with their energy industry mostly serve economic, geopolitical and military goals. There have been moments that the Russian government has acknowledged the impact humans have on the climate, but its actions have pointed at a completely different agenda. Russia’s vast fossil resources have given them a great geopolitical advantage over Europe and other neighbors. Without Russian energy, Europe is in serious trouble. It has happened multiple times before that Russia has played the energy trump card when in conflict with European nations. The European Union, when sanctioning Russian energy and financial industries in the aftermath of the 2014 Crimea invasion, have shied away from imposing sanctions on the gas industry, wisely bearing into mind that Russia provides around 40% of the EU’s gas supply5.
The motivations mentioned above do not directly relate to cyberattacks, how come Russia ends up second only to China in the most active attacking nations? This is for two reasons. First, Russia is heavily reliant on foreign technologies to modernize their (non-renewable) energy industry. However, due to international sanctions, they have a lot of trouble obtaining the required knowledge and technology for their modernization efforts. Deploying their highly skilled APT-groups helps Russia to get what they want in an illicit way. Second, Russia uses its APTs for the infiltration of critical infrastructure. They do this to assure that when in conflict, they have the ability to disrupt the energy supplies of their adversaries. This doesn’t just have a crippling effect on Russia’s potential enemies, but also deters them from even starting a serious conflict6.
Concluding, the cyber-threat Russia poses is multifaced and serious. Hunt & Hackett is aware of this threat and is currently tracking 27 Russian APTs, active in energy and related industries now or in the past, their preferred attacking methods (254) and the tools (1.086) they use. This forms the basis of Hunt & Hackett’s data-driven approach to protecting its partners and safeguarding them from all cyber-threats.
THREAT RECORD SHEET - RUSSIA - ENERGY INDUSTRY
|"The Sophisticated Destructor"|
|Full Name||Russian Federation|
|Known Aliases (total of 27)||FSB; GRU; SVR|
|Known Tools Used||1086|
|Known Methods Used||254|
|EXCERPT OF PREVIOUS THREAT HISTORY|
|Date of Crime||Description Offence||Motivation|
|2016-2018||Sophisticated attack by Russian government backed APTs on critical energy infrastructure||Disruption|
|2020||Russian hackers probing critcal energy infrastructure||Disruption|
|2020||Danish energy technology stolen and sold to Russia||Espionage / Information Theft|
Table 2 - Threat Record of Russia in the Global Energy and Related Industries.
This blog dealt with the varying motives and intentions of China and Russia with regards to deploying cyber-forces in the energy and related industries. The next blog in this series will deal with number three and four on the list of the most attacking nations: Iran and North Korea.