Pro-Russia Hacking Group Executed a Disruptive Attack Against a Canadian Gas Pipeline

Cyber Threat Summary:
Canada confirmed that one of it’s gas pipelines suffered a cyber security incident. The Pro-Russian hacking group Zarya has claimed responsibility for the attack, which reports claim could have resulted in an explosion. Across various forums, Pro-Russian hackers have made known their efforts to target organizations in the critical sector.

The New York Times reported that the cybersecurity incident was revealed in leaked U.S. intelligence documents. One of the leaked top secret files included an alleged intercepted conversation between the hacking group Zarya and an officer at Russia’s Federal Security Service (FSB), a circumstance that suggests that some groups are operating directly under Russian intelligence. “The F.S.B. officers anticipated a successful operation would cause an explosion at the gas distribution station, and were monitoring Canadian news reports for indications of an explosion,” the leaked report said. The authenticity of the document was not confirmed, however, this is the first time that a pro-Russia-hacking group execute a disruptive attack against Western critical infrastructure.

Analyst Comments/Corrections or Suggestions: “According to the Pentagon’s assessment, on Feb. 15, Zarya shared screenshots with the Federal Security Service — the main successor agency to the K.G.B., known by its Russian initials, F.S.B. — that purportedly showed that the attacker had the capability to increase valve pressure, disable alarms and make emergency shutdowns of an unspecified gas distribution station in Canada.” reported the NYT.

Prime minister of Canada Justin Trudeau confirmed the cyber attack against the gas pipeline, but said there was no physical damage to any Canadian energy infrastructure. The Canadian intelligence agency has yet to provide further details on the cyber security incident. This event should however, serve as a reminder that the US critical infrastructure is also in the cross hairs of Russian entities.

“The cyber attack against the unnamed Canadian gas pipeline took place on February 25, it caused sufficient damage with a severe impact on the company’s profits. The leaked document states that the attack was not aimed at causing “loss of life” but economic damage. As of February 27, the report confirmed that the Pro-Russia hacking group had maintained access to the infrastructure of the operator and was waiting for other instructions from Russian intelligence” (Security Affairs, 2023).

Zarya may be related to a larger body of cybercriminals called LEGION. “To date, Intel 471 has observed six separate groups under the LEGION division, with each group carrying out its own attacks. In early July, the group announced that it was dismantling the LEGION division with the aim to restructure and relaunch the division as “LEGION 2.0” in the future. Intel 471 researchers have also observed a team under the name “Zarya” that is specifically set up to conduct hacks separate from the teams responsible for DDoS attacks.” (Intel 471, 2022).