June 26, 2022 By Pierluigi Paganini
A Russian hacking group may be responsible for a cyber attack against a liquefied natural gas plant in Texas that led to its explosion on June 8.
The explosion took place at the Freeport Liquefied Natural Gas (Freeport LNG) liquefaction plant and export terminal on Texas’ Quintana Island. The June 8 incident will have a lasting impact on Freeport LNG’s operations.
Preliminary investigations suggested that the incident resulted from the overpressure and rupture of a segment of an LNG transfer line, leading to the rapid flashing of LNG and the release and ignition of the natural gas vapor cloud.
At this time it is not clear why the safety mechanisms in place did not prevent the explosion. Experts speculate a cyber attack may have turned off the industrial safety controls at the natural gas facility.
ICS malware like TRITON, which experts have associated with the Russia-linked APT group XENOTIME, has offensive capabilities to shut down industrial safety controls and cause extensive damage to industrial facilities.
“On March 24 the U.S. Department of Justice brought charges against four Russian nationals suspected of using TRITON malware in cyber attacks on behalf of the Russian government between 2012 and 2018. That same day, the FBI issued an advisory warning that TRITON malware tools still remain a major threat to industrial systems around the world,” reported the American Military News website.
The Washington Times national security writer Tom Rogan confirmed that the explosion at the Freeport LNG facility could be consistent with a hacking campaign conducted by APT groups like XENOTIME.
Rogan added that the company does have Operational Technology/Industrial Control Systems (OT/ICS) network detection systems in place.
At this time, Freeport LNG denies the theory that a cyber attack was the root cause of the incident.
“Unless Freeport LNG has OT/ICS network detection systems deployed appropriately and has completed a forensics investigation, a cyberattack cannot be ruled out,” Rogan wrote.
“Two more sources who spoke with Rogan said that around the time Russia launched its invasion of Ukraine, a cyber unit of Russia’s GRU military intelligence service conducted targeting-reconnaissance operations against Freeport LNG,” continues the American Military News.