{
	"id": "2004491f-47b2-469d-a726-ec57ef86a09b",
	"created_at": "2026-04-06T01:28:57.182253Z",
	"updated_at": "2026-04-10T03:34:42.432359Z",
	"deleted_at": null,
	"sha1_hash": "f674d441aca2d043ff4027d0cc6a3939bd37846f",
	"title": "Russian hackers may be behind Texas natural gas plant explosion: report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36335,
	"plain_text": "Russian hackers may be behind Texas natural gas plant explosion:\r\nreport\r\nBy Ryan Morgan\r\nPublished: 2022-06-24 · Archived: 2026-04-06 01:01:04 UTC\r\nA Russian hacking group may have targeted the industrial controls at a liquefied natural gas plant in Texas,\r\nleading to its explosion on June 8, a new report revealed this week.\r\nOn June 8, an explosion erupted at the Freeport Liquefied Natural Gas (Freeport LNG) liquefication plant and\r\nexport terminal on Texas’ Quintana Island and damaged the facility. According to a June 14 statement by the\r\ncompany, the incident was caused by “overpressure and rupture of a segment of an LNG transfer line, leading to\r\nthe rapid flashing of LNG and the release and ignition of the natural gas vapor cloud.” The company didn’t\r\nexplain why safety systems didn’t kick in.\r\nTwo LNG pipeline experts who spoke with the Washington Times national security writer Tom Rogan on Tuesday\r\nsaid such pipelines should have had extensive safety mechanisms in place. One of the sources said he is confident\r\npipeline flows at the facility would be undertaken from a networked control facility.\r\nBased on assessments of these two LNG pipeline experts and multiple other sources, Rogan theorized this week\r\nthat the industrial safety controls at the natural gas facility could have been hacked and turned off by malicious\r\nactors. Since 2017, western intelligence officials and cybersecurity experts have been aware of a set of malware\r\ntools known as TRITON or TRISIS. A hacking group of suspected Russian origins, known as XENOTIME, has\r\nused these tools to shut off safety instrumented systems to damage industrial facilities.\r\nOn March 24 the U.S. Department of Justice brought charges against four Russian nationals suspected of using\r\nTRITON malware in cyber attacks on behalf of the Russian government between 2012 and 2018. That same day,\r\nthe FBI issued an advisory warning that TRITON malware tools still remain a major threat to industrial systems\r\naround the world.\r\nRogan theorized that the June 8 explosion at the Freeport LNG facility could be consistent with this type of\r\nhacking behavior. Freeport LNG has denied Rogan’s theory, saying, “While our ongoing investigation continues, a\r\ncyberattack was ruled out as the cause within days of the incident. After a thorough assessment of our network,\r\nour internal cyber detection systems have been confirmed to have been functioning properly and do not indicate\r\nany manipulation or compromise of our security solutions.”\r\nWhile Freeport LNG denied the hacking theory overall, Rogan wrote that the company does not employ the\r\nOperation Technology/Industrial Control Systems network detection systems necessary to determine whether they\r\nwere targeted with TRITON or similar malware. Rogan noted that in response to this line of questioning Freeport\r\nLNG only said that their original dismissal of the hacking theory “Stands” adding “Nothing further.”\r\nhttps://americanmilitarynews.com/2022/06/russian-hackers-may-be-behind-texas-natural-gas-plant-explosion-report/\r\nPage 1 of 2\n\n“Unless Freeport LNG has OT/ICS network detection systems deployed appropriately and has completed a\r\nforensics investigation, a cyberattack cannot be ruled out,” Rogan wrote.\r\nIn addition to possessing the means to carry out such an attack, Rogan noted Russia also possesses the motive.\r\nTwo more sources who spoke with Rogan said that around the time of Russia launched its invasion of Ukraine, a\r\ncyber unit of Russia’s GRU military intelligence service conducted targeting-reconnaissance operations against\r\nFreeport LNG.\r\nRogan also noted that U.S. LNG exports have long been a concern of Russia’s as they undercut Russia’s own gas\r\nexports throughout the European market. Ever since Russia launched its invasion of Ukraine, the U.S. and its\r\nallies have tried to cut off the flow of Russian oil and gas products. Rogan wrote that European gas prices spiked\r\nafter the June 8 explosion at the Freeport LNG facility.\r\nThe June 8 incident will also have a lasting impact on Freeport LNG’s operations. In their June 14 statement,\r\nFreeport LNG said that with the damage caused by the explosion, it won’t be finished with all of its necessary\r\nrepairs and return to operations until the end of 2022.\r\nSource: https://americanmilitarynews.com/2022/06/russian-hackers-may-be-behind-texas-natural-gas-plant-explosion-report/\r\nhttps://americanmilitarynews.com/2022/06/russian-hackers-may-be-behind-texas-natural-gas-plant-explosion-report/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://americanmilitarynews.com/2022/06/russian-hackers-may-be-behind-texas-natural-gas-plant-explosion-report/"
	],
	"report_names": [
		"russian-hackers-may-be-behind-texas-natural-gas-plant-explosion-report"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438937,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f674d441aca2d043ff4027d0cc6a3939bd37846f.pdf",
		"text": "https://archive.orkl.eu/f674d441aca2d043ff4027d0cc6a3939bd37846f.txt",
		"img": "https://archive.orkl.eu/f674d441aca2d043ff4027d0cc6a3939bd37846f.jpg"
	}
}