Newsletter

Leaked Pentagon Document Claims Russian Hacktivists Breached Canadian Gas Pipeline Company

The document, part of a cache of leaks recently circulated on the internet, suggests the hackers had the ability to cause an explosion and sought instruction from the FSB.

Kim Zetter

Apr 9, 2023 • 6 min read

Gasfield pipeline in Alberta Canada. Getty Images

A pro-Russia hacktivist group claims to have breached the network of a Canadian gas pipeline company in February and caused damage that resulted in loss of profits, according to a document found among a tranche of US classified intelligence assessments leaked online recently.

In the leaked briefing, seen by Zero Day, actors with the Russian hacking group known as Zarya shared screenshots with an FSB officer on February 25th purporting to show their access to the Canadian facility and indicating that they had the ability to increase valve pressure, disable alarms, and initiate an emergency shutdown of the facility. The US intelligence briefing didn’t identify the Canadian victim, writing that the screenshot was of an “unspecified gas distribution station.”

The briefing indicates that the hacking group was “receiving instructions” from someone presumed to be an FSB officer — who ordered them to maintain their network access — and that the hackers were on “standby” for further instructions from the FSB.

The document states that the FSB officer “anticipated a successful operation would cause an explosion” at the gas distribution station and that the FSB was “monitoring Canadian news reports for indications of an explosion.” But it’s not clear what the hackers did to the facility or planned to do. They claimed they had already done “sufficient damage” to the Canadian firm “to cause profit loss to the company,” but their intention was “not to cause loss of life” only “loss of income for Canadians.”

It’s not clear if US authorities ever verified the claims or identified and notified the Canadian firm in question. Zero Day was unable to independently verify the claims.

The Canadian Communications Security Establishment, which operates like the Cybersecurity and Infrastructure Security Agency in the US to help safeguard critical infrastructure, declined to comment.

“Generally, we do not comment on specific cyber security incidents, nor do we confirm businesses or critical infrastructure partners that we work with,” a spokeswoman wrote in an email. “We further do not comment, whether to confirm or deny, on allegedly leaked intelligence.”

Two days after this Zero Day story published, however, Canadian Prime Minister Justin Trudeau appeared to confirm that a cyberattack occurred, but said “no physical damage” was done.

“In regards to the reports of cyberattacks against Canadian energy infrastructure, I can confirm that there was no physical damage to any Canadian energy infrastructure following cyberattacks,” Trudeau told reporters.

A US government source who closely follows critical infrastructure incidents in the US said they heard chatter a while back that something had occurred at a Canadian gas facility, but was not aware of anyone confirming that any “physical impact” had occurred.

“People were looking, but I don’t know if they ever got confirmation that something actually happened,” the source told Zero Day

The revelation appears in a cache of about 50 documents that someone posted to a Discord gaming channel in early March but that only made headlines last week after the New York Times obtained them and published a story about them. The documents reveal a broad array of information that the US intelligence community and its partners have collected about Russia’s war plans in Ukraine — including detailed maps — and about Ukraine’s defense vulnerabilities. The documents reveal information about other countries as well, such as Iran’s nuclear program and North Korea’s testing of missiles.

Officials at the Pentagon and national security agencies have indicated they believe the documents are authentic and have launched investigations into the leaks. Aric Toler, of the open-source intelligence group Bellingcat, says the leaks appeared in early March on a Discord channel popular among people who play the Minecraft computer game and on a Discord channel for fans of a YouTuber who goes by the name WowMao. But some of the documents may have been posted on other Discord channels in January. Once they appeared on the Minecraft channel, they migrated to the 4Chan group forum and then to pro-Russia Telegram channels and Twitter, before reporters at the Times wrote about them.

The revelation about the alleged cyberattack in Canada appears in just two paragraphs on a page that provides brief summaries of intelligence about other countries and regions. The document states that the information came from signals intelligence (SIGINT) — indicating that the US or an intelligence partner from another country intercepted the communications between the hacking group and the FSB officer.

The unidentified author of the US intel report notes in the write-up that if the hackers succeeded to cause an explosion, “it would mark the first time the IC has observed a pro-Russia hacking group execute a disruptive attack against Western industrial control systems.”

But it’s not clear that the Zarya group has the ability to engage in destructive operations against critical infrastructure as described.

Zarya CyberFront web site (Screenshot captured by Radware)

Lesley Carhart, director of incident response for North America at the industrial cybersecurity firm Dragos, said that hackers have compromised Canadian oil and gas facilities in the past — including ransomware attacks that affected operations — but expressed skepticism that Zarya had the ability to cause an explosion.

“How many times do things get inflated because somebody wants to look good to their boss?” she said. “There’s a very large gap between having access to a controller like an HMI, and being able to actually cause a physical, kinetic, purposeful impact in the world. It requires knowledge of so many other things that are going on in that complicated process — it requires understanding of the controls in place, both human and digital, and the process and how it’s configured.”

Jeffrey Bardin, chief intelligence officer at Treadstone 71, says he has never seen Zarya make similar claims about hacking industrial control systems before. But he notes that Zarya is affiliated with another Russian hacking group called XakNet, which some have claimed is supported by Russia’s military intelligence agency — the GRU. The GRU was responsible for sophisticated attacks that took out parts of Ukraine’s power grid in 2015 and 2016.

“My opinion. Zarya is XakNet and as such XakNet is very capable [of conducting destructive attacks against control systems],” he said.

But Daniel Smith, head of cyber threat intelligence research for Radware, told Zero Day that if the claims are true, it would indicate a significant shift in Zarya’s tactics which have focused until now on DDoS and leaks.

“If Zarya hacked a Canadian gas company and gained the ability to make changes to the environment, it would signal an escalation in tactics from the threat group.”

In an advisory earlier this year Radware said that Zarya had been expanding its capabilities, though didn’t mention it was branching out into industrial control systems.

The group, whose name comes from the Russian word for “dawn,” is said to be an offshoot of another hacking group called Killnet that has used DDoS and other attacks against countries that support Ukraine in its defense against Russian aggression. Killnet has spawned a number of other hacking groups over the last year, who all work to support Russia and target countries working against Russia in the war, and Zarya began as a special forces unit under Killnet in March 2022 and has mostly engaged in DDoS attacks and stolen data leaks.

In a recruiting announcement posted last year, Zarya said it targets state services — such as military and intelligence agencies — and “all possible strategic objects of Ukraine,” including factories, transportation services, airfields, large administrative-political organizations, industrial centers and energy hubs. But the group said their “goal is not sabotage of objects, but industrial espionage.”

The group insisted that they are not terrorists and do not “carry out any attacks on vital enterprises.”

“We do not sabotage the work of the services on which the lives of the civilian population depend: ambulance, fire service and even the police. We do not post the data of ordinary citizens in the public domain, we have never stolen and will not steal money from the accounts of charitable foundations.”

Updates: To add comment from Canadian Prime Minister Justin Trudeau.

See Also: