There are rumors that the explosion and subsequent fire at the Freeport LNG export terminal in Texas might have been a product of a Russian cyber attack. According to sources, just as Russia was beginning its invasion of Ukraine, there was a targeting-reconnaissance cyber-probe of Freeport LNG’s systems, by a cyber unit of Russia’s GRU Military Intelligence unit.

American LNG exporters have long been a concern for Russia, viewed by Vladimir Putin as a means for the United States to reduce the political leverage Russia gains through its control of the gas supply to Europe.

On June 8th, the Freeport LNG export terminal on Texas’ Quintana Island suffered an explosion which will prevent it from resuming full operations until late 2022. It occurred at a critical time, just as Russia began restricting gas flow to Italy, France, and Germany. The June 8th explosion caused prices to explode in the European LNG markets, and gave Russia even more leverage over European nations that oppose its actions in Ukraine.

Reportedly, now the FBI is investigating the source of the explosion.

According to a June 14th press release from Freeport LNG, “the incident occurred in pipe racks that support the transfer of LNG from the facility’s LNG storage tank area to the terminal’s dock facilities. … Preliminary observations suggest that the incident resulted from the overpressure and rupture of a segment of an LNG transfer line, leading to the rapid flashing of LNG and the release and ignition of the natural gas vapor cloud. Additional investigation is underway to determine the underlying precipitating events that enabled the overpressure conditions in the LNG piping.” The release noted federal authorities were assisting in the investigation.

What has puzzled experts, is that such systems are built with redundant safety mechanisms, so it is puzzling such an overpressure condition was allowed to occur without safety systems being triggered into action. Two LNG pipeline experts who did not wish to be known to be speaking about the incident, noted that piping from a storage tank, carrying gas to a terminal, would have safeguards to prevent overpressure events. One expert noted he was “highly confident” such a system would be centrally controlled from a control facility that was networked.

The cyber unit which conducted the reconnaissance of the Freeport facility, is called XENOTIME by researchers. The unit is known to have used special malware called TRITON/TRISIS. developed by the Russian Ministry of Defense’s Central Scientific Research Institute of Chemistry and Mechanics, which is specifically designed to attack industrial control systems and seize control of safety systems. In 2022, FBI specifically warned that this malware remained a threat.

XENOTIME is noted to be designed to target industrial safety systems, and has caused specific concern in Western cyber security circles for targeting safety systems designed to protect lives during a cyber attack.

In 2020, the Russian Ministry of Defense’s Central Scientific Research Institute of Chemistry and Mechanics was sanctioned by the US Treasury Department for a 2017 attack on a Saudi oil facility. Experts say the attack would have likely killed workers at the facility, had the attackers not made minor errors in the course of the attack that led to their detection.

Multiple experts have said in the Freeport LNG explosion, they cannot help but notice the overpressure event occurred in a key pipeline, and should have been prevented by key safety systems.

Unfortunately such attacks are very difficult to prove, and even if it were able to be shown to be Russia, this would constitute an explicit act contrary to a demand by President Biden that Russia refrain from attacking key infrastructure, as well as an act of war on US soil. It is highly unlikely it would be made public given the political nd practical ramifications.

For its part, Freedom LNG made a statement in response to these allegations, which read, “While our ongoing investigation continues, a cyberattack was ruled out as the cause within days of the incident. After a thorough assessment of our network, our internal cyber detection systems have been confirmed to have been functioning properly and do not indicate any manipulation or compromise of our security solutions.”

One reporter noted Freeport did not have the necessary network detection systems to detect XENOTIME”s TRITON malware, and asked Freeport if it had the necessary systems. Freeport did not address the question.