Real world dangers posed by malware after natural gas pipeline in the United States is shut down after a ransomware attack
The United States has warned of the dangers posed by malware after a natural gas pipeline was shut down for two days after a ransomware attack.
According to the technical alert from the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), the unnamed “natural gas compression” plant was first targeted with a spear-phishing email, which allowed the attacker to access its IT network and then in turn access the pipeline’s OT (operational technology) network.
Ransomware has been a scourge of IT networks for the past few years now. Last month for example there was a an attack on a major Canadian defence contractor Bird Construction that resulted in the theft of 60GB of data.
Despite the fact that ransomware attacks are common nowadays, it seems the pipeline operator was ill prepared for the attack.
A fact that is alarming, considering the critical industrial nature of gas pipelines.
“The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents,” noted CISA. “Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures.
“These included a four-hour transition from operational to shutdown mode combined with increased physical security,” it said.
“Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks,” reported CISA. “Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.”
“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning,” it added.
One security expert said that the attack highlighted the need for organisations to build up their cyber defences and skills.
“This latest ransomware attack demonstrates the need to ensure both technological and human cyber security capabilities are as strong as they can possibly be,” said Max Vetter, chief cyber officer of Immersive Labs.
“The natural gas facility has specifically named a lack of practised cyber skills as a fundamental cause of the breach, which has led to the pipeline being shut,” said Vetter. “Security professionals talk a lot about making sure you have bought all the right tech to protect your company but far less often about the skills you need to protect the company, and this needs to change.”
“In particular, the organisation said that staff were not adequately prepared for this type of attack in their cyber crisis scenario planning,” noted Vetter. “Unfortunately, many security employees across all industries are probably looking at this example and thinking that they would not have been prepared either.”
“Although many companies run ‘fire drills’ or cyber crisis simulations, they are shockingly infrequent, often specific to only a small number of attacks, and therefore inadequate at preparing staff for the multitude of security incidents they could face,” warned Vetter. “All organisations, and particularly those that play a role in critical national infrastructure, should be conducting cyber crisis simulation exercises frequently and repeatedly, to practice and prepare for each incident type.”
Another expert noted the increasingly sophisticated and targetted nature of ransomware attacks of late.
“It appears in this case that the threat actor carried out some initial intrusion and lateral movement work probably to identify critical assets prior to deploying the ransomware,” noted Nathan Brubaker, senior manager of the cyber physical team at FireEye.
“The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims,” said Brubaker. “Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible.”
“While early ransomware campaigns adopting this approach are often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organisations have moved toward adopting a more operationally complex post-compromise approach,” said Brubaker.
“Regarding this incident specifically, we find it interesting that the impact of the ransomware was broader than the actual systems impacted because multiple sites were taken down as a precaution,” said Brubaker. “We are also not surprised that a financial crime actor pivoted to OT networks, as many of the TTPs used by OT-focused threat actors are common among other threat actors.”
Do you know all about security? Try our quiz!