ALERT: Ransomware Impacting Pipeline Operations

The Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday responded to a cyber-attack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility.

A cyber threat actor used a Spearphishing Link [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network.

The threat actor then deployed commodity ransomware to Encrypt Data for Impact [T1486] on both networks. Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers. Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators.

The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations.

This lasted approximately two days, resulting in a Loss of Productivity and Revenue [T828], after which normal operations resumed. CISA is providing this Alert to help administrators and network defenders protect their organizations against this and similar ransomware attacks.

The technical details stated that the victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.

Cell Phones and Accessories

The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization’s OT network included HMIs, data historians, and polling servers and because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted.

The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process and all OT assets directly impacted by the attack were limited to a single geographic facility.

US-Cert.gov (February, 2020) Alert (AA20-049A)- Ransomware Impacting Pipeline Operations

Help a veteran in need by donating here.