Ukraine's cyber unit allegedly accessed the Russian energy giant's network and exfiltrated thousands of documents.
According to Jeff Carr, internationally known cybersecurity advisor, cyber operators at the Main Directorate of Intelligence at the Ministry of Defense of Ukraine (GURMO) have been conducting computer network operations (CNO) against Gazprom.
As a result of the breach, Carr says, they were able to engineer a hack of a pipeline's pressurization controls that would cause the pipeline to rupture, resulting in a fire.
"To date, two pipelines have experienced rupture events that were directly the result of a computer network attack. These are the first publicly known examples of a computer network attack against an OT [operational technology] system resulting in a kinetic effect during wartime operations," Carr, who is in close collaboration with the GURMO cyber unit, writes in his latest blog post.
At the time of writing, Cybernews could not verify Carr's claims.
Ukraine has not officially confirmed it is behind the attacks on Russian operational technology systems.
According to Carr, the cyber operation was launched on 1 April when a fire broke out at an oil depot in Belgorod, Russia. The fuel depot is owned by the Russian oil firm Rosneft. According to Russian state-owned news agency RIA Novosti, the fire resulted from an “attack by two Ukrainian helicopters that entered Russian airspace at low altitude.”
According to Reuters, defense ministry spokesman Oleksandr Motuzyanyk said he would neither confirm nor deny a Ukrainian role in the alleged attack.
"Ukraine is currently conducting a defensive operation against Russian aggression on the territory of Ukraine, and this does not mean that Ukraine is responsible for every catastrophe on Russia's territory."
On 3 April, Russian state oil and gas company Sakhatransneftegaz JSC discovered an underground leak from a high-pressure gas pipeline in Verkhnevilyuysk, Yakutia.
The following day, a section of the main gas pipeline, Urengoy-Center-2, is said to have ruptured, causing a large fire in the Lysvensky district. The incident wasn't widely reported: only a local Russian newspaper covered it.
According to Carr, there were no casualties in any of the above incidents, but Radio Free Europe quoted Belgorod Governor Vyacheslav Gladkov as saying that two employees were injured during the fire in Belgorod.
"It's unlikely that the company [Gazprom] will acknowledge either the breach of their documents or the successful attacks against its SCADA [Supervisory Control and Data Acquisition] systems," Carr said. He has released details of the computer network exploitation (CNE) operation along with samples of documents taken by GURMO's cyber team.
According to Carr, GURMO exfiltrated almost 1.5 TB of data. Carr himself has been authorized to share over 300 MB of data from that breach, and only his paid subscribers are entitled to download it.
“The data includes administrative files for Gazprom management, communication requirements for the plants, maps, a massive 3,600 page .pdf on all of the requirements for construction of a new pipeline facility, a work order for an overhaul of the relay protection and automation devices, information on the assignment of the primary communications network of the pipeline as well as the digital radio-relay communication line (CRRL), and much, much more,” Carr said.
“A person familiar with pipeline security told me that the typical focus is on the compressor stations where the attacker would change the set points for high and low pressure, and modify the flow rate measuring units,” Carr added.