
US Pipeline Operation Disrupted via Ransomware Attack

A ransomware attack recently hit a natural gas compression facility in the United States, according to the authorities. The incident forced a shutdown of roughly two days while the facility worked to restore its systems from backups.

The threat actors first gained access to the IT network and then pivoted from there into the operational technology (OT) network, reaching the facility's communication and control assets. The Cybersecurity and Infrastructure Security Agency (CISA) released an alert with further details. According to CISA, the attackers obtained their initial foothold by spearphishing an employee with a malicious link.

From that foothold, the intruders deployed what CISA described as 'commodity ransomware', which encrypted data on both the IT and the OT networks. The agency attributed the spread to a lack of robust segmentation between the IT and OT parts of the infrastructure: once the IT side was compromised, nothing stopped the attackers from moving into the OT side.

Dragos, an industrial cybersecurity company, noted that although the facility released few technical details, earlier ransomware attacks show a recurring pattern. A Dragos blog post states: "Current trends in ransomware leverage initial access into victim environments to capture credentials or compromise Windows Active Directory (AD) to gain widespread access to the victim's entire network. Once achieved, the attacker can then utilize malicious scripts and legitimate remote execution tools like PSExec to stage ransomware, or even push malicious software via AD Group Policy Objects. The result is all domain-joined Windows machines are infected nearly simultaneously to produce an entire-network encryption event. This strategy has been used to deploy various ransomware strains including Ryuk, MegaCortex and Sodinokibi."
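The staging pattern Dragos describes (one account fanning out across the domain, PsExec dropping its service on each target, a Group Policy object being edited on the domain controller) is visible in ordinary Windows event logs before the encryption event. The script below is an added example of the detection logic, written for this article; it is not code from Dragos, CISA or the affected facility. It assumes the events have already been parsed into dicts with simplified field names (time, host, event_id, user, and per-event extras such as service_name or object_class), which is an assumption about the log pipeline, and the sample records are constructed for the demonstration.

```python
"""Flag ransomware staging signals in Windows event records.

Added example for this article (not Dragos/CISA code). Field names are a
simplified, assumed schema; the SAMPLE_EVENTS records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one account moves across hosts over SMB,
# PsExec's service stub appears on those hosts, and a GPO is edited on the DC.
SAMPLE_EVENTS = [
    {"time": "2019-12-10T02:00:00", "host": "HIST01", "event_id": 4624, "logon_type": 3, "user": "CORP\\svc_backup"},
    {"time": "2019-12-10T02:02:00", "host": "HMI01", "event_id": 4624, "logon_type": 3, "user": "CORP\\svc_backup"},
    {"time": "2019-12-10T02:03:30", "host": "ENG01", "event_id": 4624, "logon_type": 3, "user": "CORP\\svc_backup"},
    {"time": "2019-12-10T02:02:10", "host": "HMI01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "C:\\Windows\\PSEXESVC.exe", "user": "CORP\\svc_backup"},
    {"time": "2019-12-10T02:03:40", "host": "ENG01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "C:\\Windows\\PSEXESVC.exe", "user": "CORP\\svc_backup"},
    # Benign service install, must not be flagged
    {"time": "2019-12-10T08:15:00", "host": "FILE01", "event_id": 7045, "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe", "user": "NT AUTHORITY\\SYSTEM"},
    # Group Policy container modified (constructed GUID)
    {"time": "2019-12-10T02:10:00", "host": "DC01", "event_id": 5136, "object_class": "groupPolicyContainer",
     "object_dn": "CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=example",
     "user": "CORP\\svc_backup"},
    # Ordinary directory change on a user object, must not be flagged
    {"time": "2019-12-10T09:00:00", "host": "DC01", "event_id": 5136, "object_class": "user",
     "object_dn": "CN=J Doe,OU=Staff,DC=corp,DC=example", "user": "CORP\\helpdesk"},
    # Normal user activity spread over the day, below the fan-out threshold
    {"time": "2019-12-10T09:05:00", "host": "FILE01", "event_id": 4624, "logon_type": 3, "user": "CORP\\jdoe"},
    {"time": "2019-12-10T14:30:00", "host": "HMI01", "event_id": 4624, "logon_type": 3, "user": "CORP\\jdoe"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_psexec_services(events):
    """System 7045 (new service installed) where the service is PsExec's stub."""
    hits = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        name = e.get("service_name", "").upper()
        image = e.get("image_path", "").upper()
        if name == "PSEXESVC" or image.endswith("PSEXESVC.EXE"):
            hits.append((e["host"], e["user"]))
    return hits


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Accounts with network logons (4624, type 3) to >= min_hosts distinct hosts inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            by_user[e["user"]].append((_t(e["time"]), e["host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def find_gpo_changes(events):
    """Directory Service 5136 modifications against Group Policy container objects."""
    return [(e["user"], e["object_dn"]) for e in events
            if e["event_id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]


def triage(events):
    """Run all three checks; an account that trips more than one is the lead to chase first."""
    psexec = find_psexec_services(events)
    fan_out = find_fan_out(events)
    gpo = find_gpo_changes(events)
    accounts = defaultdict(set)
    for _, user in psexec:
        accounts[user].add("psexec")
    for user in fan_out:
        accounts[user].add("fan_out")
    for user, _ in gpo:
        accounts[user].add("gpo")
    return {"psexec": psexec, "fan_out": fan_out, "gpo": gpo,
            "accounts": {u: sorted(s) for u, s in accounts.items()}}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the constructed sample, only CORP\svc_backup trips all three signals, which is the combination to escalate immediately: a single account logging on to several hosts within minutes, PsExec's service appearing on those same hosts, and a GPO being edited by that account. The window and host-count thresholds are starting points and should be tuned against the site's own baseline, since backup and monitoring accounts legitimately fan out on a schedule.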

CISA stressed that the attackers never obtained the ability to control or manipulate the physical process. Because the intrusion was confined to Windows-based systems, it did not reach the programmable logic controllers that read and manipulate the process in industrial environments. What the operators did suffer, according to the agency, was a partial loss of view: the Windows hosts they rely on to see the process state were encrypted. The facility responded with a deliberate, controlled shutdown of operations, and because of what CISA calls 'pipeline transmission dependencies', other compression facilities along the line had to halt as well, taking the whole pipeline offline for about two days.

Dragos found similarities between this event and one reported by the US Coast Guard in December 2019. The two incidents overlapped in how the attacks unfolded:

  • Initial infection came through an email message carrying a malicious link.
  • Primary operations were affected through loss of view on the Windows-based systems that support ICS operations.
  • The outages were of similar, relatively short length: about two days in the CISA report and about 30 hours in the Coast Guard report.

The facility acknowledged that its emergency and disaster recovery planning had focused on physical scenarios and did not treat cyberattacks as part of response training. CISA noted that the emergency response exercises therefore never gave employees decision-making experience in dealing with a cyberattack. The gap in security knowledge, together with the wide range of possible scenarios, is why cybersecurity had not been incorporated into emergency response planning.

Potential Ryuk Malware Involvement

CISA disclosed neither the victim facility, nor the ransomware strain involved, nor when the attack happened. Security researchers at Dragos believe the attack took place in December 2019 and involved the Ryuk ransomware. Based on the information shared with them, Dragos said the CISA alert likely describes the same event the US Coast Guard reported in December 2019.

Dragos also believes the attack was not specifically aimed at the industrial control systems, since the malware targeted Windows hosts rather than ICS equipment. A similar incident reported in November 2019 affected sPower, a Utah-based wind and solar energy company: the attackers disrupted communications between the main control center and remote power generation sites by exploiting a vulnerability in Cisco firewalls. Together these cases show a continuing trend of threat actors affecting power and energy facilities over the past few years, even when the industrial equipment itself is not the direct target.
