DHS says ransomware hit US gas pipeline operator
A ransomware attack has impacted the operations of a US-based natural gas compression facility, according to a security advisory from the US government.
The advisory, published today, doesn’t say when the incident took place, but merely summarizes the event and provides technical guidance for other critical infrastructure operators so they can take precautions against a similar attack.
How the attack unfolded
According to the advisory, published by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), the incident took place after “a cyber threat actor used a spearphishing link to obtain initial access to the organization’s information technology (IT) network before pivoting to its operational (OT) network.”
An OT network is different from an IT network. It’s a network with workstations for managing critical factory equipment and other factory operations. IT networks are usually dedicated for office and other administrative work. In theory, IT and OT networks should be air-gapped.
CISA says that after gaining access to the OT network, the attacker then deployed commodity ransomware that encrypted the company’s data on both the IT and OT networks at the same time, for maximum damage, before requesting a ransom payment.
CISA says the ransomware did not impact any programmable logic controllers (PLCs), which are small sensors and devices that interact directly with factory equipment.
However, CISA says that data from other related industrial processes, like human-machine interfaces (HMIs), data historians, and polling servers, could not be aggregated and read by human operators, resulting in a partial loss of insight into the pipeline facility’s operations by is own staff.
Pipeline operator shut down operations for two days
CISA says that the pipeline operator decided to implement “a deliberate and controlled shutdown to operations,” as a precaution and to avoid any incidents.
The pipeline operator took this step even if its emergency plan did not mandate an obligatory shutdown in the a case of a cyber-attack.
CISA officials said the shutdown lasted approximately two days, after which normal operations resumed.
Blow are CISA’s findings and conclusions from its recent investigation into the event:
- At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.
- The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security.
- Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.
- Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.
- The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.
US officials did not reveal the name of the ransomware strain. However, earlier this month, cyber-security firm Dragos published a report about a new ransomware strain named EKANS (or Snake) that was specifically built to interact with processes usually found on industrial networks, althought the ransomware could not interact with PLCs.
At the time of writing, there is no evidence to suggest or confirm that the pipeline operator was impacted by EKANS. Chances are that it was not, as EKANS is a very rare strain, and not “commodity ransomware” as CISA described the ransomware strain seen in this particular incident.