A pipeline was shut down for two days following a ransomware attack on a natural gas facility that wasn't prepared for such an attack, according to the Department of Homeland Security (DHS).
The DHS' Cybersecurity and Infrastructure Security Agency (CISA) didn't say in its security alert when or where the attack happened, nor did it name the facility that was targeted.
The hackers targeted the facility using spearphishing, when attackers trick a victim into clicking a malicious link, but rather than use a shotgun approach they send the link to specific individuals. That gave the attackers access to the company's wider IT network, which they used to access the operational technology network.
The DHS said the hackers were then able to leap from the standard IT network to the operational side because the victim failed to properly segment them. The attack was limited because the hackers used commodity ransomware that only targeted Windows-based computers, and physical processes were run on different systems.
"It appears in this case that the threat actor carried out some initial intrusion and lateral movement work probably to identify critical assets prior to deploying the ransomware," said Nathan Brubaker, senior manager for the cyber physical team at FireEye. "This is what we call post-compromise ransomware deployment and is what we are seeing as the next trend in ransomware."
"In post-compromise ransomware incidents, a threat actor first gains privileged access to a victim’s environment where they can explore target networks and identify critical systems before deploying the ransomware," said Brubaker. "This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators."
While the attack interfered with specific tools used by the facility, at no point was control of operations lost, the alert notes. The shutdown was instead sparked by the facility's emergency response plan, and while normal operations have since resumed, the outage led to closures at other plants nearby.
"A natural gas pipeline having to shut down for two days from a spear-phishing attack is yet another example of the real world implications of cyber on critical national infrastructure," said Stuart Reed, VP of cyber security at Nominet. "This has knock on effects for customers and partners who rely on that supply to conduct their own business, not to mention putting the gas facility in a difficult position."
Recovery was possible by finding replacement equipment, suggesting no ransom was paid. Though the attack was limited by the Windows-focused ransomware, the impact was worsened by lack of preparation — it had planned for a physical attack, not a virtual one. "The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning," the DHS said.
Max Vetter, chief cyber officer of Immersive Labs, said that highlighted the importance of security skills across an organization. "Security professionals talk a lot about making sure you have bought all the right tech to protect your company but far less often about the skills you need to protect the company, and this needs to change," he said.
"In particular, the organization said that staff were not adequately prepared for this type of attack in their cyber crisis scenario planning," he added, advising all companies — especially those running critical national infrastructure in particular — to run frequent crisis simulations to be better prepared. "Unfortunately, many security employees across all industries are probably looking at this example and thinking that they would not have been prepared either," Vetter added.
The recent rise of ransomware targeting public organizations, the government and critical infrastructure sparked the FBI to last year ask the private sector for security help. That's possibly a wise move after high-profile attacks against Travelex and LifeLabs, as well as government agencies in the state of Louisiana and Texas, as well as Baltimore and Las Vegas.
-
Researchers sound alarm over AI hardware vulnerabilities that expose training dataNews Hackers can abuse flaws in AI accelerators to break AI privacy – and a reliable fix could be years away
-
Are AI PCs becoming the norm?ITPro Podcast As manufacturers increasingly embed NPUs in devices, what are the benefits to businesses?
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber professionals are losing sleep over late night attacksNews Hackers are biding their time and launching attacks when businesses can’t respond
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
