The Cybersecurity and Infrastructure Agency (CISA) responded to a ransomware attack that targeted a U.S. natural gas facility, forcing it to shut down for two days. CISA did not reveal when the incident happened or the identity of the victim organization.
An employee of the facility clicked on a malicious link from a spear-phishing email, allowing a malicious actor to jump from the gas compression facility’s IT network onto the operational technology (OT) network. The attacker was then able to deploy data-encrypting ransomware on the networks.
It appears in this case that the threat actor carried out some initial intrusion and lateral movement work probably to identify critical assets prior to deploying the ransomware. This is what we call post-compromise ransomware deployment and is what we are seeing as the next trend in ransomware (definitely including critical and industrial sectors)—and interestingly is the topic of one of our presentations taking place at RSA next week.
The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach are often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organisations have moved toward adopting a more operationally complex post-compromise approach.
In post-compromise ransomware incidents, a threat actor first gains privileged access to a victim’s environment where they can explore target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators. Actors cast wider nets that impact critical systems, which maximises the scale and effectiveness of their end-stage operations by inflicting maximum pain to the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves.
This is yet another breach where humans are the easiest path to infiltration by attackers. As with other high profile events, this one propagated from a lower value target to an extremely high value target. Starting with a targeted phishing attack, the adversary then pivoted across networks, eventually using commodity ransomware to encrypt critical infrastructure data. Organizations, especially those protecting critical assets, must ensure that propagation risk doesn\’t overshadow other efforts to protect those assets.
The organization also cited ‘gaps in cybersecurity knowledge and the wide range of possible scenarios.’ Every organization\’s attack surface is huge, and grows with digital transformation and with the ever increasing number of attack methods available to adversaries, leaving an unlimited number of things that can go wrong. Cybersecurity is no longer a human scale problem, so risk-based prioritization, across all assets and attack vectors, must form the basis for information security decision making.
This latest ransomware attack demonstrates the need to ensure both technological and human cyber security capabilities are as strong as they can possibly be. The natural gas facility has specifically named a lack of practised cyber skills as a fundamental cause of the breach, which has led to the pipeline being shut. Security professionals talk a lot about making sure you have bought all the right tech to protect your company but far less often about the skills you need to protect the company, and this needs to change.
In particular, the organisation said that staff were not adequately prepared for this type of attack in their cyber crisis scenario planning. Unfortunately, many security employees across all industries are probably looking at this example and thinking that they would not have been prepared either. Although many companies run \”fire drills\” or cyber crisis simulations, they are shockingly infrequent, often specific to only a small number of attacks, and therefore inadequate at preparing staff for the multitude of security incidents they could face. All organisations, and particularly those that play a role in critical national infrastructure, should be conducting cyber crisis simulation exercises frequently and repeatedly, to practice and prepare for each incident type.
Organizations that handle critical infrastructure cannot trust OS-based security solutions as these had been proven to fail over and over again, similar to this recent example of ransomware successfully hitting US-based OT networks. Instead, these organizations must apply isolation/segregation approaches both at the network level and at the endpoint level. Isolation can be achieved by a strong physical or virtual \”air gap\”, but must ensure that the IT or OT assets do not have direct network connectivity from one to the other.
This alert highlights a growing problem across the industrial control space. While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness, and human mistakes continue to expose critical infrastructure to attack. While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down, and further erode the public’s confidence in the security of our critical systems.