It’s no secret that the Russian government doesn’t mind playing the role of the bad guy on the world’s stage, and that characterization may be more cogent than ever over the last several years.

Not only are we witnessing genocide in Ukraine, but Russia has been meddling in international politics and conducting global cyberwarfare for decades.

As investigators continue to examine a bizarre natural gas pipeline explosion in Texas, some of the Kremlin’s calling cards are revealing themselves.

According to two sources, around Russia’s late February invasion of Ukraine, a cyber unit of Russia’s GRU military intelligence service again conducted targeting-reconnaissance operations against a major U.S. liquefied natural gas exporter, Freeport LNG.

U.S. LNG exports have long been a priority concern for Russia, viewed by Russian President Vladimir Putin as a means for the United States to undercut Russia’s domination of the European gas market.

Here is where it gets a bit worrisome:

On June 8, Freeport LNG suffered an explosion at its liquefaction plant and export terminal on Texas’s Quintana Island. The damage suffered means the facility is not expected to resume major operations until late 2022. The June 8 disruption had an immediate impact in spiking already soaring European gas prices and has reinforced Russia’s ability to hold gas supplies to Europe at risk in retaliation for the European Union sanctions imposed on Russia over the war in Ukraine. U.S. LNG futures have fallen significantly since the explosion.

One source tells me that the FBI is investigating the cause of the explosion. Responding to a question as to whether the FBI and its Cyber Division were involved in the investigation, the FBI told the Washington Examiner, “We can neither confirm nor deny the existence of an investigation into this matter.”

The sequence of events that caused the explosion was, inexplicably, never interrupted by the plant’s safety systems, which brings us to the possibility of Russian hacking.

Named XENOTIME by researchers, the unit has utilized boutique TRITON/TRISIS malware developed by the Russian Ministry of Defense’s Central Scientific Research Institute of Chemistry and Mechanics. That malware is designed to seize industrial control systems and defeat their associated safety systems. In 2017, GCHQ (Britain’s NSA-equivalent signals intelligence service) outlined the need for network compartmentalization to better protect safety systems against this malware. In March 2022, the FBI warned that TRISIS malware remained a threat.

XENOTIME is assessed by the U.S. and British governments as a critical infrastructure-focused, advanced persistent threat actor. The unit’s modus operandi involves targeting industrial control systems and supervisory control systems in order to effect unilateral control of a network. XENOTIME has caused specific concern in Western security circles for its targeting of safety systems that would otherwise mitigate threats to life during a cyberattack. XENOTIME’s activity has escalated in 2022. Evincing as much, an April 13 U.S. government cybersecurity warning noted, “By compromising and maintaining full system access to [industrial control system]/[safety] devices, [threat] actors could elevate privileges … and disrupt critical devices or functions.”

While there is no indication that Russians were definitively involved in the attack, the hallmarks of their handiwork continue to appear. It may be only a matter of time until a terrifying new era of cyberwarfare arrives in the West.
Cross-posted with Flag and Cross