IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ransomware attack shuts US pipeline for two days

CISA had to respond to an attack that targeted the infrastructure of a natural gas compression plant

A pipeline was shut down for two days following a ransomware attack on a natural gas facility that wasn't prepared for such an attack, according to the Department of Homeland Security (DHS).

The DHS' Cybersecurity and Infrastructure Security Agency (CISA) didn't say in its security alert when or where the attack happened, nor did it name the facility that was targeted.

The hackers targeted the facility using spearphishing, when attackers trick a victim into clicking a malicious link, but rather than use a shotgun approach they send the link to specific individuals. That gave the attackers access to the company's wider IT network, which they used to access the operational technology network.

The DHS said the hackers were then able to leap from the standard IT network to the operational side because the victim failed to properly segment them. The attack was limited because the hackers used commodity ransomware that only targeted Windows-based computers, and physical processes were run on different systems.

"It appears in this case that the threat actor carried out some initial intrusion and lateral movement work probably to identify critical assets prior to deploying the ransomware," said Nathan Brubaker, senior manager for the cyber physical team at FireEye.  "This is what we call post-compromise ransomware deployment and is what we are seeing as the next trend in ransomware."

"In post-compromise ransomware incidents, a threat actor first gains privileged access to a victim’s environment where they can explore target networks and identify critical systems before deploying the ransomware," said Brubaker. "This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators."

While the attack interfered with specific tools used by the facility, at no point was control of operations lost, the alert notes. The shutdown was instead sparked by the facility's emergency response plan, and while normal operations have since resumed, the outage led to closures at other plants nearby.

"A natural gas pipeline having to shut down for two days from a spear-phishing attack is yet another example of the real world implications of cyber on critical national infrastructure," said Stuart Reed, VP of cyber security at Nominet. "This has knock on effects for customers and partners who rely on that supply to conduct their own business, not to mention putting the gas facility in a difficult position."

Recovery was possible by finding replacement equipment, suggesting no ransom was paid.  Though the attack was limited by the Windows-focused ransomware, the impact was worsened by lack of preparation — it had planned for a physical attack, not a virtual one. "The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning," the DHS said.

Max Vetter, chief cyber officer of Immersive Labs, said that highlighted the importance of security skills across an organization. "Security professionals talk a lot about making sure you have bought all the right tech to protect your company but far less often about the skills you need to protect the company, and this needs to change," he said.

"In particular, the organization said that staff were not adequately prepared for this type of attack in their cyber crisis scenario planning," he added, advising all companies — especially those running critical national infrastructure in particular — to run frequent crisis simulations to be better prepared.  "Unfortunately, many security employees across all industries are probably looking at this example and thinking that they would not have been prepared either," Vetter added.

The recent rise of ransomware targeting public organizations, the government and critical infrastructure sparked the FBI to last year ask the private sector for security help. That's possibly a wise move after high-profile attacks against Travelex and LifeLabs, as well as government agencies in the state of Louisiana and Texas, as well as Baltimore and Las Vegas.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
US government warns of increased risk of ransomware over holiday season
ransomware

US government warns of increased risk of ransomware over holiday season

24 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Swift exit: How the world cut off Russian banks
finance

Swift exit: How the world cut off Russian banks

24 Jun 2022