- Attackers targeted a gas compression plant with a spear-phishing email to infect its network with ransomware.
- The victim organization lacked robust segmentation between its IT and OT networks, allowing the attacker to move through both.
The Department of Homeland Security (DHS) revealed that a ransomware attack on a US natural gas facility forced it to shut down operations for two days.
A US natural gas compression facility, whose name wasn’t disclosed, had to shut down operations after becoming infected with commodity ransomware.
- Attackers initially targeted the gas compression plant with a spear-phishing email, which gave them access to IT systems.
- Then the malware entered the firm’s Operational Technology (OT) network to infect more devices.
- The ransomware was described as a “commodity” type by the Cybersecurity and Infrastructure Security Agency (CISA).
Though the ransomware couldn’t impact any of the programmable logic controller (PLC)-based processes, it was still able to compromise human-machine interfaces (HMIs), data historians, and polling servers on the OT network.
It was designed to infect only Windows systems.
Reaction to the attack
As disclosed by CISA, the victim’s emergency response plan focused on physical safety and did not entirely encompass cyberattacks. So, a deliberate choice was made to proceed with a controlled shutdown of operations.
In its alert, the agency said, “The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process.”
How the malware got in
It is a worrying sign that critical infrastructure providers still haven’t evolved their threat modeling to counter or mitigate modern blackhat attack techniques.
Specifically, the victim organization lacked robust segmentation between its IT and OT networks, allowing the attacker to move through both. It also failed to develop a cyber-risk response plan.
“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning,” read an excerpt from the alert.
CISA, in response to the threat, has warned critical U.S. infrastructure operators of a possible attack on their networks and urged them to add cyber risk planning to their incident response strategies. It has advised them to:
- Practice failover to alternate control systems.
- Use tabletop exercises to train employees.
- Identify technical and human points of failure for operational visibility.
- Recognize the safety implications of cyberattacks, among other steps.
Among the physical security controls, the agency further recommended that operators ensure network segmentation, multi-factor authentication, anti-phishing filters, whitelisting, traffic filtering, regular data backups, least privilege access policies, and regular patching.
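The segmentation gap described above can be made concrete with a small zone-based policy model. The following is an added illustration written for this page, not code from CISA or from the victim organization; the zone names, address ranges, port numbers and sample flows are all constructed. It places a "flat" rule table (IT and OT can reach each other directly, as in the incident) beside a segmented one in which IT and OT never exchange traffic directly: the OT historian pushes data into a DMZ and IT hosts read it from there, with everything else falling through to a default deny. A lint function flags any allow rule that crosses straight between IT and OT.

```python
"""Zone-based IT/OT segmentation policy, modelled as a first-match rule table.

Added illustration only: the zone names, address ranges and flows below are
constructed, not taken from the CISA alert or the victim's network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone layout (hypothetical addresses).
ZONES = {
    "IT": ip_network("10.1.0.0/16"),    # corporate workstations, mail clients
    "DMZ": ip_network("10.2.0.0/24"),   # replica historian, report servers
    "OT": ip_network("10.3.0.0/16"),    # HMIs, historian, polling servers, PLCs
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known ranges is UNKNOWN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; with no match the default (deny) applies."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto in ("any", flow.proto)
                and rule.dport in (None, flow.dport)):
            return rule.action, rule
    return default, None


def direct_it_ot_allows(rules: List[Rule]) -> List[Rule]:
    """Lint: allow rules that let traffic cross straight between IT and OT."""
    return [r for r in rules if r.action == "allow"
            and {r.src_zone, r.dst_zone} == {"IT", "OT"}]


# Weak configuration: effectively one flat network, every zone reaches every other.
FLAT_RULES = [
    Rule("IT", "OT", "any", None, "allow", "no IT/OT boundary"),
    Rule("OT", "IT", "any", None, "allow", "no IT/OT boundary"),
    Rule("IT", "DMZ", "any", None, "allow"),
    Rule("OT", "DMZ", "any", None, "allow"),
    Rule("DMZ", "OT", "any", None, "allow"),
]

# Corrected configuration: IT and OT never exchange traffic directly; the OT
# historian pushes data up into the DMZ and IT reads it from there.
SEGMENTED_RULES = [
    Rule("OT", "DMZ", "tcp", 1433, "allow", "historian replication into the DMZ"),
    Rule("IT", "DMZ", "tcp", 443, "allow", "reports and dashboards from the DMZ"),
    Rule("OT", "OT", "any", None, "allow", "intra-OT traffic governed by OT-side controls"),
    # Everything else, including IT->OT and DMZ->OT, falls through to the default deny.
]

# Constructed sample flows: what a compromised IT workstation (10.1.5.23) would
# attempt, alongside the legitimate data path.
SAMPLE_FLOWS = [
    Flow("10.1.5.23", "10.3.1.10", "tcp", 445),    # IT workstation -> OT HMI (SMB)
    Flow("10.1.5.23", "10.3.1.30", "tcp", 3389),   # IT workstation -> OT polling server (RDP)
    Flow("10.3.0.20", "10.2.0.10", "tcp", 1433),   # OT historian -> DMZ replica
    Flow("10.1.5.23", "10.2.0.10", "tcp", 443),    # IT workstation -> DMZ reports
    Flow("10.2.0.10", "10.3.1.10", "tcp", 445),    # DMZ host -> OT HMI (SMB)
]


def decisions(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Policy decision for each flow, in order."""
    return [evaluate(rules, f)[0] for f in flows]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"--- {name} ---")
        for flow, action in zip(SAMPLE_FLOWS, decisions(rules, SAMPLE_FLOWS)):
            print(f"{flow.src:>12} -> {flow.dst:<12} {flow.proto}/{flow.dport:<5} {action}")
        print("direct IT<->OT allows:", len(direct_it_ot_allows(rules)))
```

Under the flat table every sample flow is allowed, so a Windows host in IT that opens a phishing attachment has a direct path to the HMIs, historian and polling servers. Under the segmented table the same IT-to-OT and DMZ-to-OT flows are denied while the historian replication and report traffic still work, and the lint reports zero direct IT/OT allows. The same zone structure translates directly into a real firewall or nftables policy at the IT/OT boundary.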