Pro-Russian group reportedly claimed a Canadian pipeline operator was hacked. Canadians are skeptical

To shared

Three Canadian experts in cybersecurity are skeptical of a claim by a pro-Russian hacktivist that they have breached and damaged the operational technology (OT) network of a Canadian gas pipeline company.

“It’s almost certainly disinformation,” David Swan, Alberta-based cyber intelligence director of the Center for Strategic CyberSpace and International Studies, said in an email.

The claim was made in leaked classified documents from the Pentagon posted on the internet. U.S. officials say they are authentic, and the Justice Department has opened an investigation into the theft.

According to CNN, the posts are photos of crumpled documents. They cover a wide range of highly sensitive subjects including weaknesses in Ukrainian weaponry, air defense, and battalion sizes, the degree to which the U.S. has penetrated the Russian Ministry of Defense, and a conversation between two South Korean officials.

According to the news site Zero Day, they also include a page, apparently from a U.S. intelligence briefing, with two paragraphs about the alleged cyberattack by the Russian hacking group called Zarya on an unnamed Canadian energy company.

To prove its claim, Zarya allegedly shared screenshots with an officer of the Russian counterintelligence Federal Security Bureau (FSB) showing it had accessed the Canadian pipeline operator and had the ability to increase valve pressure, disable alarms, and initiate an emergency shutdown of the facility. Zero Day, which saw the stolen document, says the U.S. intelligence briefing didn’t identify the Canadian victim, writing that the screenshot was of an “unspecified gas distribution station.”

Zero Day says the U.S. briefing document it saw indicates that the hacking group was “receiving instructions” from someone presumed to be an FSB officer who ordered them to maintain their network access, and that the hackers were on “standby” for further instructions from the FSB.

The document states that the FSB officer “anticipated a successful operation would cause an explosion” at the gas distribution station and that the FSB was “monitoring Canadian news reports for indications of an explosion.” But, the Zero Day news story adds, it’s not clear what the hackers did to the facility or planned to do. The document says Zarya claimed they had already done “sufficient damage” to the Canadian firm “to cause profit loss to the company,” but their intention was “not to cause loss of life,” only “loss of income for Canadians.”

Zero Day said the Canadian Communications Security Establishment (CSE), which helps critical infrastructure firms safeguard IT and OT networks, refused to comment on the document.

After reading the news story, Swan dismissed the intelligence report. “Russia has been working on disinformation strategies and tactics since 1996 – that we know of,” he said. “It is a preferred tactic as it costs little and (when successful) causes disruption in the target.”

“It is highly unlikely that there was a disruption in pipeline operations. Between  environmental groups and an upcoming provincial election, a cover-up would be extraordinarily difficult.”

Eric Byres, founder and chief technology officer of Vancouver-based software supply chain visibility provider aDolus, said in an email that it is “possible Zarya might have limited access to a Canadian facility and maybe initiated a brief emergency shutdown of the facility (which I doubt).

“But a physical impact (like an explosion) seems very unlikely. Thanks to decades of safety engineering to prevent accidental and mechanical failures from causing serious issues, it is a massive undertaking to impact a gas distribution system physically. It is something that foreign government agencies with significant teams haven’t successfully pulled off yet. For example, the Triton attacks on the refinery safety systems in the Middle East in 2017 were detected before they achieved any significant objective, and the time and resources the attackers poured into that project was significant.

The Pipedream attacks last year are another example. Attacking OT systems successfully requires the resources of a nation-state and even then, it rarely fully succeeds (just ask the team who created Stuxnet).
“It is likely the attackers found some HMI [human machine interface] screenshots in a poorly secured computer (say a contractor’s laptop) and exaggerated their find into having actual access and control of an OT system,” Byres concludes.

“I don’t believe the claim,” Brett Callow, British Columbia-based threat analyst for Emsisoft, said in an email. “In fact, the entire leak seems like a disinfo op.”

Zero Day quotes Lesley Carhart, director of incident response for North America at the industrial cybersecurity firm Dragos, as saying hackers compromised Canadian oil and gas facilities in the past — including ransomware attacks that affected operations. But he was skeptical Zarya had the ability to cause an explosion.

The Globe and Mail today quotes the CEO of the Canadian Gas Association saying he isn’t aware of any compromised gas distribution infrastructure here.

There are differing opinions about the leaked Pentagon documents. Some experts have been quoted as saying many look authentic but suspect certain details have been altered.

CNN quotes Pentagon deputy press secretary Sabrina Singh on Sunday saying the Department of Defense continues to review and assess the validity of the documents.

In a February report, cybersecurity firm Radware said Zarya is a pro-Russian hacktivist group that emerged in March 2022. Initially, the group operated as a special unit under the command of Killnet, a well-known hacktivist group. After the Russian invasion of Ukraine, Zarya left Killnet and focused on recruiting skilled hackers from other pro-Russian threat groups. But in May 2022, Zarya rejoined Killnet as part of a larger project which translates as ‘Legion,’ then became independent again last August.

The group is primarily known for denial-of-service attacks, website defacement campaigns,
and data leaks, the Radware report says. These tactics have been leveraged to support the group’s pro-Russian agenda and have significantly disrupted targeted organizations and individuals.

The leaked documents appeared online last month on the social media platform Discord and began to be publicized last week.


To shared