DHS says ransomware hit US gas pipeline operator

Oil gas pipeline

A ransomware attack has impacted the operations of a US-based natural gas compression facility, according to a security advisory from the US government.

The advisory, published today, doesn’t say when the incident took place, but merely summarizes the event and provides technical guidance for other critical infrastructure operators so they can take precautions against a similar attack.

How the attack unfolded

According to the advisory, published by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), the incident took place after “a cyber threat actor used a spearphishing link to obtain initial access to the organization’s information technology (IT) network before pivoting to its operational (OT) network.”

An OT network is different from an IT network. It’s a network with workstations for managing critical factory equipment and other factory operations. IT networks are usually dedicated for office and other administrative work. In theory, IT and OT networks should be air-gapped.

CISA says that after gaining access to the OT network, the attacker then deployed commodity ransomware that encrypted the company’s data on both the IT and OT networks at the same time, for maximum damage, before requesting a ransom payment.

CISA says the ransomware did not impact any programmable logic controllers (PLCs), which are small sensors and devices that interact directly with factory equipment.

However, CISA says that data from other related industrial processes, like human-machine interfaces (HMIs), data historians, and polling servers, could not be aggregated and read by human operators, resulting in a partial loss of insight into the pipeline facility’s operations.

Pipeline operator shut down operations for two days

CISA says that the pipeline operator decided to implement “a deliberate and controlled shutdown to operations,” as a precaution and to avoid any incidents.

The pipeline operator took this step even if its emergency plan did not mandate an obligatory shutdown in the a case of a cyber-attack.

CISA officials said the shutdown lasted approximately two days, after which normal operations resumed.

US officials did not reveal the name of the ransomware strain. However, earlier this month, cyber-security firm Dragos published a report about a new ransomware strain named EKANS (or Snake) that was specifically built to interact with processes usually found on industrial networks, althought the ransomware could not interact with PLCs.

At the time of writing, there is no evidence to suggest or confirm that the pipeline operator was impacted by EKANS. Chances are that it was not, as EKANS is a very rare strain, and not “commodity ransomware” as CISA described the ransomware strain seen in this particular incident.