A pipeline was shut down for two days following a ransomware attack on a natural gas facility that wasn't prepared for such an attack, according to the Department of Homeland Security (DHS).
The DHS' Cybersecurity and Infrastructure Security Agency (CISA) didn't say in its security alert when or where the attack happened, nor did it name the facility that was targeted.
The hackers targeted the facility using spearphishing, when attackers trick a victim into clicking a malicious link, but rather than use a shotgun approach they send the link to specific individuals. That gave the attackers access to the company's wider IT network, which they used to access the operational technology network.
The DHS said the hackers were then able to leap from the standard IT network to the operational side because the victim failed to properly segment them. The attack was limited because the hackers used commodity ransomware that only targeted Windows-based computers, and physical processes were run on different systems.
"It appears in this case that the threat actor carried out some initial intrusion and lateral movement work probably to identify critical assets prior to deploying the ransomware," said Nathan Brubaker, senior manager for the cyber physical team at FireEye. "This is what we call post-compromise ransomware deployment and is what we are seeing as the next trend in ransomware."
"In post-compromise ransomware incidents, a threat actor first gains privileged access to a victim’s environment where they can explore target networks and identify critical systems before deploying the ransomware," said Brubaker. "This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators."
While the attack interfered with specific tools used by the facility, at no point was control of operations lost, the alert notes. The shutdown was instead sparked by the facility's emergency response plan, and while normal operations have since resumed, the outage led to closures at other plants nearby.
"A natural gas pipeline having to shut down for two days from a spear-phishing attack is yet another example of the real world implications of cyber on critical national infrastructure," said Stuart Reed, VP of cyber security at Nominet. "This has knock on effects for customers and partners who rely on that supply to conduct their own business, not to mention putting the gas facility in a difficult position."
Recovery was possible by finding replacement equipment, suggesting no ransom was paid. Though the attack was limited by the Windows-focused ransomware, the impact was worsened by lack of preparation — it had planned for a physical attack, not a virtual one. "The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning," the DHS said.
Max Vetter, chief cyber officer of Immersive Labs, said that highlighted the importance of security skills across an organization. "Security professionals talk a lot about making sure you have bought all the right tech to protect your company but far less often about the skills you need to protect the company, and this needs to change," he said.
"In particular, the organization said that staff were not adequately prepared for this type of attack in their cyber crisis scenario planning," he added, advising all companies — especially those running critical national infrastructure in particular — to run frequent crisis simulations to be better prepared. "Unfortunately, many security employees across all industries are probably looking at this example and thinking that they would not have been prepared either," Vetter added.
The recent rise of ransomware targeting public organizations, the government and critical infrastructure sparked the FBI to last year ask the private sector for security help. That's possibly a wise move after high-profile attacks against Travelex and LifeLabs, as well as government agencies in the state of Louisiana and Texas, as well as Baltimore and Las Vegas.
-
Cloudflare is cracking down on AI web scrapersNews Cloudflare CEO Matthew Prince said AI companies have been "scraping content without limits" - now the company is cracking down.
-
Swiss government data published following supply chain attack – here’s what we know about the culpritsNews Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackersNews While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
