A pipeline was shut down for two days following a ransomware attack on a natural gas facility that wasn't prepared for such an attack, according to the Department of Homeland Security (DHS).
The DHS' Cybersecurity and Infrastructure Security Agency (CISA) didn't say in its security alert when or where the attack happened, nor did it name the facility that was targeted.
The hackers targeted the facility using spearphishing, when attackers trick a victim into clicking a malicious link, but rather than use a shotgun approach they send the link to specific individuals. That gave the attackers access to the company's wider IT network, which they used to access the operational technology network.
The DHS said the hackers were then able to leap from the standard IT network to the operational side because the victim failed to properly segment them. The attack was limited because the hackers used commodity ransomware that only targeted Windows-based computers, and physical processes were run on different systems.
"It appears in this case that the threat actor carried out some initial intrusion and lateral movement work probably to identify critical assets prior to deploying the ransomware," said Nathan Brubaker, senior manager for the cyber physical team at FireEye. "This is what we call post-compromise ransomware deployment and is what we are seeing as the next trend in ransomware."
"In post-compromise ransomware incidents, a threat actor first gains privileged access to a victim’s environment where they can explore target networks and identify critical systems before deploying the ransomware," said Brubaker. "This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators."
While the attack interfered with specific tools used by the facility, at no point was control of operations lost, the alert notes. The shutdown was instead sparked by the facility's emergency response plan, and while normal operations have since resumed, the outage led to closures at other plants nearby.
"A natural gas pipeline having to shut down for two days from a spear-phishing attack is yet another example of the real world implications of cyber on critical national infrastructure," said Stuart Reed, VP of cyber security at Nominet. "This has knock on effects for customers and partners who rely on that supply to conduct their own business, not to mention putting the gas facility in a difficult position."
Recovery was possible by finding replacement equipment, suggesting no ransom was paid. Though the attack was limited by the Windows-focused ransomware, the impact was worsened by lack of preparation — it had planned for a physical attack, not a virtual one. "The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning," the DHS said.
Max Vetter, chief cyber officer of Immersive Labs, said that highlighted the importance of security skills across an organization. "Security professionals talk a lot about making sure you have bought all the right tech to protect your company but far less often about the skills you need to protect the company, and this needs to change," he said.
"In particular, the organization said that staff were not adequately prepared for this type of attack in their cyber crisis scenario planning," he added, advising all companies — especially those running critical national infrastructure in particular — to run frequent crisis simulations to be better prepared. "Unfortunately, many security employees across all industries are probably looking at this example and thinking that they would not have been prepared either," Vetter added.
The recent rise of ransomware targeting public organizations, the government and critical infrastructure sparked the FBI to last year ask the private sector for security help. That's possibly a wise move after high-profile attacks against Travelex and LifeLabs, as well as government agencies in the state of Louisiana and Texas, as well as Baltimore and Las Vegas.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
