According to the American cyber security company Dragos, which specializes in securing industrial companies, two groups of hackers are actively snooping around the Dutch LNG terminals.
Those groups, Xenotime and Kamacite, have ties to Russia, according to the FBI and other cyber researchers, among others.
MEP Groothuis is also aware of the signals from Russian hacker groups probing the LNG terminals’ systems. He calls for increased cyber security before malicious hackers can actually sabotage or otherwise attack.
“Gas is Russia’s weapon of choice against the EU. Causing chaos in the energy market and manipulating this market is a clear geopolitical goal.”
Groothuis cites the blowing up of the Nord Stream pipeline as an example of disruptive sabotage. There is still no conclusive evidence that Russia is behind it, but experts point in that direction. “But much easier, faster and with comparable effects is an attack with cyber resources.”
Why are LNG terminals so important?
LNG is important for the Netherlands now that the Russian gas tap has been closed due to the war in Ukraine. If those terminals stop for some reason, the gas production capacity will be lost, says René Peters, director of gas technology at TNO.
Capacity in Rotterdam will be expanded to 16 billion cubic meters per year, while Eemshaven now produces 8 billion cubic meters per year. Together, they account for more than half of the Dutch gas consumption of 40 billion cubic meters of gas per year.
“If we lose that capacity for a short time, we don’t immediately have a problem. Because we still have 14 billion cubic meters in stock, and we still have our small fields.”
Groothuis advocates a program to better protect vital infrastructure. “Making gas installations’ IT systems more resilient can prevent a lot of misery. To be safe, the government should do its best and offer cyber experts to lock things down from hackers,” says Groothuis.
The Dragos researchers point to two groups scanning the Dutch LNG terminals. One of the groups is Xenotime. This group of hackers is linked to the Russian government by the US Cyber Security Service. The group is held responsible for an attack on a petrochemical plant in Saudi Arabia in 2017.
There, they attempted to disable security systems using hacking software, which could have led to leaks or even life-threatening explosions.
It didn’t happen because of an error in the code of the malware, but the attack still cost the factory owner millions of dollars because the factory could not run for days.
Kamacite: Spy and gain access
The second group is called Kamacite by the researchers. This group tries to get a picture of how companies are organized, who works there and what devices are connected to the Internet. In addition, they actually try to get into the computer systems and networks. They are testing on a large scale whether they can log into devices connected to the Internet.
They do this with stolen or leaked employee passwords, the most used passwords, or by exploiting software bugs that have not been fixed. Once inside, they share that access with others so they can eventually strike.
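The large-scale login testing described above (many accounts tried from one source against several Internet-exposed devices, often followed by one success with a leaked or common password) leaves a recognisable trace in authentication logs. The following detector is an added example written for this article, not code from Dragos or from any terminal operator; the syslog-style line format, the host names, the addresses and the thresholds are all constructed assumptions.

```python
"""Flag credential-testing sources (password spraying / credential stuffing)
in authentication logs and note whether any such source later logged in.

Added example; log format, hosts, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real data): '<host> sshd: <result> password for <user> from <ip>'.
SAMPLE_LOG = """\
vpn-gw-1 sshd: Failed password for admin from 203.0.113.10
vpn-gw-1 sshd: Failed password for operator from 203.0.113.10
plc-hmi-2 sshd: Failed password for root from 203.0.113.10
plc-hmi-2 sshd: Failed password for service from 203.0.113.10
fw-edge sshd: Failed password for admin from 203.0.113.10
fw-edge sshd: Accepted password for admin from 203.0.113.10
vpn-gw-1 sshd: Failed password for jdoe from 198.51.100.7
vpn-gw-1 sshd: Failed password for jdoe from 198.51.100.7
vpn-gw-1 sshd: Accepted password for jdoe from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)


def parse(log_text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_spraying_sources(log_text, min_users=3, min_hosts=2):
    """Return {ip: summary} for sources whose failures span at least
    `min_users` distinct accounts and `min_hosts` distinct devices.

    A user who mistypes their own password (one account, one host) is not
    flagged; a source walking through many accounts on several devices is.
    Any successful login from a flagged source is reported alongside it.
    """
    users = defaultdict(set)
    hosts = defaultdict(set)
    failures = defaultdict(int)
    successes = defaultdict(list)
    for ev in parse(log_text):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(ev["user"])
            hosts[ip].add(ev["host"])
        else:
            successes[ip].append((ev["host"], ev["user"]))

    flagged = {}
    for ip, count in failures.items():
        if len(users[ip]) >= min_users and len(hosts[ip]) >= min_hosts:
            flagged[ip] = {
                "distinct_users": len(users[ip]),
                "distinct_hosts": len(hosts[ip]),
                "failures": count,
                "successes": successes.get(ip, []),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_spraying_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

Running it on the constructed sample flags only 203.0.113.10, which tried four accounts on three devices and then got in as admin on the edge firewall; the repeated failures of jdoe from 198.51.100.7 stay below both thresholds. In practice the same grouping is done per source address over a sliding time window, and a success from a flagged source is the event that should page someone.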
In this way, they were previously involved in a number of major attacks on vital infrastructure, such as the two digital attacks in 2015 and 2016 that left part of the Ukrainian capital Kiev without power.
Specialized in sabotage
The Xenotime hackers have been conducting research and reconnaissance at the LNG terminal in Rotterdam, Dragos researchers say. And that group usually has disruptive intentions, according to them.
They specialize in creating malware for industrial control systems, which go beyond the computers and servers in an office.
They focus specifically on the control and operation systems that drive large machines and equipment, such as water treatment plants and energy companies. The targeted systems usually keep the machines safe and functioning properly.
Potential targets around LNG
The Xenotime hackers have already shown in 2017 that they can sabotage advanced control systems in the Saudi petrochemical industry.
If the attackers are actually interested in disrupting or sabotaging the LNG terminals in the Netherlands, they can attack the cooling systems, pumps and valves in the processes where the liquid LNG is converted into gas, explains Jos Wetzels from Secura.
The cooling systems, for example, ensure that the gas remains liquid in the storage tanks. “If attackers tamper with the temperature sensors and cooling systems, this can lead to gas formation and overpressurization in the tanks, which can destroy the entire process.”
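The scenario Wetzels sketches, a temperature sensor that is made to report "still cold" while the tank actually warms and its pressure climbs, is the kind of manipulation that a control loop trusting a single sensor cannot see. The monitor below is an added example written for this article, not code from Secura or from any terminal; it cross-checks two independent temperature sensors, a rate-of-change bound and the tank pressure. The telemetry, the boiling-point figure and all thresholds are constructed assumptions, stand-ins for values a real plant would take from its own safety study.

```python
"""Independent plausibility checks for LNG storage-tank telemetry.

Added example; the samples, limits and physical figures are assumptions.
The idea: a manipulated reading should be caught by comparing it against
an independent sensor and against a physically related quantity (pressure).
"""
from dataclasses import dataclass


@dataclass
class TankSample:
    t_seconds: int
    temp_a_c: float       # primary temperature sensor (drives the cooling loop)
    temp_b_c: float       # independent second sensor on the same tank
    pressure_barg: float  # tank gauge pressure


# Assumed bounds (not from the article or any vendor).
LNG_BOIL_C = -162.0          # approximate boiling point of LNG at atmospheric pressure
MAX_SENSOR_SPREAD_C = 2.0    # A and B should agree within this
MAX_RATE_C_PER_MIN = 1.0     # a large tank cannot warm faster than this
MAX_PRESSURE_BARG = 0.25     # high-pressure alarm for a low-pressure storage tank
COLD_MARGIN_C = 3.0          # "reads cold" means within this of boiling


def check_sample(prev, cur):
    """Return a list of anomaly strings for `cur` (empty when plausible)."""
    issues = []
    # 1. Two independent sensors should agree; a spoofed one will not.
    if abs(cur.temp_a_c - cur.temp_b_c) > MAX_SENSOR_SPREAD_C:
        issues.append("sensor disagreement")
    # 2. Temperature cannot jump faster than the physics of the tank allows.
    if prev is not None:
        dt_min = (cur.t_seconds - prev.t_seconds) / 60
        if dt_min > 0 and abs(cur.temp_a_c - prev.temp_a_c) / dt_min > MAX_RATE_C_PER_MIN:
            issues.append("implausible rate of change")
    # 3. Pressure is an independent physical witness of warming.
    if cur.pressure_barg > MAX_PRESSURE_BARG:
        issues.append("pressure above limit")
        # A closed tank cannot build pressure while truly staying cold:
        # a "cold" reading together with over-pressure points at the sensor.
        if cur.temp_a_c <= LNG_BOIL_C + COLD_MARGIN_C:
            issues.append("temperature reading inconsistent with pressure")
    return issues


def evaluate_series(samples):
    """Return {t_seconds: [issues]} for every sample with at least one anomaly."""
    findings = {}
    prev = None
    for cur in samples:
        issues = check_sample(prev, cur)
        if issues:
            findings[cur.t_seconds] = issues
        prev = cur
    return findings


# Constructed telemetry: sensor A is held flat while the tank actually warms.
SAMPLES = [
    TankSample(0,   -160.5, -160.6, 0.10),
    TankSample(60,  -160.4, -160.5, 0.10),
    TankSample(120, -160.4, -158.0, 0.18),  # B warming, A unchanged
    TankSample(180, -160.4, -155.0, 0.30),  # pressure over limit, A still "cold"
]

if __name__ == "__main__":
    for t, issues in evaluate_series(SAMPLES).items():
        print(f"t={t}s: {', '.join(issues)}")
```

On the constructed series the first two samples pass, the third is caught by the disagreement between the two sensors, and the fourth adds the pressure alarm and the cross-check that a flat "cold" reading cannot coexist with an over-pressurized tank. The point for defenders is that the checks draw on signals the attacker would have to falsify consistently and simultaneously, which is far harder than altering one sensor value.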
In addition, there is always the risk that attackers choose simpler ransomware attacks, where disruptions in IT systems can still lead to the shutdown of physical processes, as with the 2021 Colonial Pipeline hack.
‘The longer war lasts, the more attractive’
With the knowledge the hackers get, they can do three things, says Brooks of Dragos.
They can see through which entrances they can access the company’s network and systems. Another option is to approach staff in a highly targeted manner to obtain login information via phishing emails or to trick staff into installing malware. In addition, they can develop malware with which they can sabotage machines.
‘There is risk’
But by scanning the LNG terminals’ systems, the hacker groups cannot immediately carry out such a final attack. “The risk is there,” says Brooks, “but it’s not very big. They then have to invest a lot in quickly developing ways to cause damage. But the longer the war goes on, the more attractive LNG terminals become as targets.”
It is also possible that the LNG terminal in Rotterdam is not the real target of the hackers, says Brooks. They can also use their knowledge to launch attacks elsewhere.
NCTV: raise the dikes and be aware
Since the start of the war, Western intelligence agencies have warned that vital infrastructure is an interesting target for Russian state hackers.
The National Coordinator for Counter-Terrorism and Security (NCTV) also says that state actors take digital preparatory actions for actual disruption and sabotage.
That warning still stands, even now that Russian hackers appear to be actively probing. That’s what Pieter-Jaap Aalbersberg from NCTV says.
“That threat has always been high. Whether it’s disruption, disruption of processes or espionage: the latest reports have described it a lot. The war in Ukraine is more of a confirmation than a new intensification.”
The safety of the Dutch vital infrastructure is in order, says Aalbersberg. “But order today may not be order tomorrow. So it’s a constant concern that we continue to raise the levees and also be aware in the moment.”
New European directives and the government’s cyber strategy must, among other things, ensure that cyber security is increased.