The US Department of Homeland Security (DHS) on Tuesday said that an infection by an unidentified ransomware strain forced the shutdown of a natural-gas pipeline for two days.

Fortunately, nothing blew up. The attacker never got control of the facility’s operations, the human-machine interfaces (HMIs) that read and control the facility’s operations were successfully yanked offline, and a geographically separate central control was able to keep an eye on operations, though it wasn’t instrumental in controlling them.

Where this all went down is a mystery.

The alert, issued by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), didn’t say where the affected natural gas compression facility is located. It instead stuck to summarizing the attack and provided technical guidance for other critical infrastructure operators so they can gird themselves against similar attacks.

The alert did get fairly specific with the infection vector, though: whoever the attacker was, they launched a successful spearphishing attack, which enabled them to gain initial access to the facility’s IT network before pivoting to its operational technology (OT) network.

OT networks are where hardware and software for monitoring and/or controlling physical devices, processes and events reside. Some examples are SCADA industrial control systems, programmable logic controllers (PLCs), and HMIs.

After the attacker(s) got their hands on both the IT and OT networks, they deployed what CISA called “commodity” ransomware, encrypting data on both networks. Staff lost access to HMIs, data historians and polling servers. Data historians – sometimes referred to as process or operational historians – are used in several industries, and they do what you might expect: record and retrieve production and process data by time and store the information in a time series database.

Although humans partially lost their view of some low-level OT devices, the attack didn’t affect PLCs, and hence, the facility never lost control of operations. From the alert:

At no time did the threat actor obtain the ability to control or manipulate operations.

CISA’s alert also noted that, although the victimized facility’s emergency response plan didn’t specifically take cyberattacks into consideration, a decision was made to implement what DHS called a “deliberate and controlled shutdown” of operations. That shutdown lasted about two days. It also affected other compression facilities that were linked to the victimized site, the advisory said:

Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies.

As a result, “the entire pipeline asset” had to be shut down for two days, not just the victimized compression facility.

Why, in this day and age, when ransomware and other malware attacks are running amok, would cyberattacks have been left out of a utility company’s emergency response plan? CISA said in its advisory that the victimized facility pointed to a gap in cybersecurity knowledge being a mitigating factor: it’s at the heart of the facility’s failure to “adequately incorporate cybersecurity into emergency response planning.”

For years, DHS has been warning that enemy nations have been ready to disrupt US energy utilities.

In 2018, DHS’s chief of industrial-control-system analysis, Jonathan Homer, got specific. He said that between 2016 and 2018, Russian hackers snared “hundreds of victims” in the utilities and equipment sectors, to the point where “they could have thrown switches” in a way that could have caused power blackouts. Similarly to the recently announced natural-gas compression facility attack, those compromises also started with phishing attacks, according to Homer. He added that the attackers had, at the time, been sophisticated enough to even jump air-gapped networks.

Although we don’t know which malware strain was involved in this week’s advisory, Ars Technica notes that it comes two weeks after researchers from industrial cybersecurity firm Dragos reported that a ransomware strain known as EKANS had tampered with industrial control systems used by gas facilities and other critical infrastructure.

Dragos reported that EKANS, a ransomware that emerged in December 2019, is pretty straightforward, as ransomware goes: it encrypts, it displays a ransom note. But beyond that, it’s been tailored to cripple industrial control systems in particular. From Dragos’s writeup:

EKANS featured additional functionality to forcibly stop a number of processes, including multiple items related to ICS operations. While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static “kill list” shows a level of intentionality previously absent from ransomware targeting the industrial space.

ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.

Mind you, we don’t know if EKANS was used in this recent incident at the natural-gas pipeline. What we do know: ransomware exists to specifically target such crucial infrastructure facilities, and operators should be aware of the risks that entails.

Again, CISA’s advisory provides guidance for critical infrastructure operators. Here’s additional guidance for the rest of us:

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it, and use rate-limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. QuattroOne’s Advanced security offering was designed to combat ransomware and its effects. To learn more, please contact us.

Sourced in part from Sophos Naked Security blog