A ransomware attack has hit a natural gas compression facility in the U.S., the feds have warned. The attack resulted in a two-day pipeline shutdown as the unnamed victim worked to bring systems back online from backups.
The attackers were able penetrate the IT portion of the facility’s network, and then move beyond that to eventually infiltrate the control and communication assets on the operational technology (OT) side of the house. The Cybersecurity and Infrastructure Security Agency (CISA) said in an alert issued this week said that the attackers successfully spearphished an employee to gain initial access.
This initial compromise to the IT network led to the cyberattacker deploying a “commodity ransomware” to encrypt data on both the IT and the OT networks. The ability to pivot was thanks to a lack of network segmentation between the IT and the OT portions of the infrastructure, CISA said.
Security firm Dragos said that despite limited technical details, previous ransomware attacks provide a possible attack blueprint: “Current trends in ransomware leverage initial access into victim environments to capture credentials or compromise Windows Active Directory (AD) to gain widespread access to the victim’s entire network,” it said in a blog post on Wednesday. “Once achieved, the attacker can then utilize malicious scripts and legitimate remote execution tools like PSExec to stage ransomware, or even push malicious software via AD Group Policy Objects. The result is all domain-joined Windows machines are infected nearly simultaneously to produce an entire-network encryption event. This strategy has been used to deploy various ransomware strains including Ryuk, MegaCortex and Sodinokibi.”
CISA noted that the attackers never gained the ability to control the plant’s physical processes. The attack did not impact any programmable logic controllers (PLCs), which are responsible for directly reading and manipulating those processes in industrial environments – this was because the attack was limited to Windows-based systems.
“Specific assets experiencing a loss of availability on the OT network included human machine interfaces (HMIs) [which read and control operations at the facility], data historians and polling servers,” according to the agency. “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial loss-of-view for human operators.”
CISA said that a separate and geographically distinct central control office was able to maintain visibility into the facility, but lacked the instruments necessary to control the plant’s operations.
“The decision was made to implement a deliberate and controlled shutdown to operations,” the CISA alert read. It added that the facility quickly obtained replacement equipment and loaded “last-known-good configurations” to facilitate the recovery process: “This lasted approximately two days, resulting in a loss of productivity and revenue, after which normal operations resumed.”
The incident had ripple effects. Other compression facilities also had to halt operations because of “pipeline transmission dependencies,” according to CISA, resulting in a total pipeline shutdown during the two-day recovery process.
Lack of Preparedness
The facility admitted that its disaster recovery plans only included physical emergency scenarios, not cyber-related attacks.
“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks,” CISA noted. “The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency-response planning.”
According to Saurabh Sharma, vice president at Virsec, the event highlights a lack of cybersecurity preparedness within the legacy environments of industrial and critical infrastructure.
“This alert highlights a growing problem across the industrial control space,” he said via email. “While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness and human mistakes continue to expose critical infrastructure to attack. While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down and further erode the public’s confidence in the security of our critical systems.”
Ryuk to Blame?
CISA didn’t name the victim nor the ransomware, nor did it reveal when the attack happened. However, security researchers at Dragos said that it likely took place in December and involved the Ryuk malware.
“Based on information shared with Dragos…the CISA alert likely describes the same event reported by the U.S. Coast Guard in 2019,” the firm said.
Dragos also believes that the attack wasn’t specifically targeted to industrial control systems – as evidenced by the Windows-only focus, among other things.
“The events in the CISA alert represent well-known ransomware behavior and is not an ICS-specific or ICS targeted event,” researchers wrote. “This includes reportedly insufficient segregation between IT and ICS network environments within the victim organization, ICS impacts only affecting Windows-based devices, and no available evidence indicating attackers tried to alter, modify or degrade the integrity of ICS operations beyond encrypting Windows-based systems using ‘commodity ransomware.'”
Loss of View
In November, a similar “loss-of-view” cyberincident came to light impacting sPower, a wind and solar power company based in Utah. Attackers were able to use a vulnerability in Cisco firewalls to disrupt connections between the main control center and remote power-generation sites.
“This disrupted the organization’s ability to monitor the current status of its power-generation systems. The utility industry refers to this type of incident as ‘loss of view,'” explained Phil Neray, vice president of industrial cybersecurity at CyberX, in an interview with Threatpost at the time. “If an attacker wanted to shut down parts of the grid, one of their first steps might be precisely this loss-of-view step, because it would leave utility operators ‘blind’ to subsequent disruptive actions the attackers would take, such as switching relays off to halt the flow of electricity.”
