Experts Insight On Ransomware Attack Forces U.S. Gas Pipeline To Shut Down

By   ISBuzz Team
Writer , Information Security Buzz | Feb 20, 2020 01:58 am PST

The Cybersecurity and Infrastructure Security Agency (CISA) responded to a ransomware attack that targeted a U.S. natural gas facility, forcing it to shut down for two days. CISA did not reveal when the incident happened or the identity of the victim organization.

An employee of the facility clicked on a malicious link from a spear-phishing email, allowing a malicious actor to jump from the gas compression facility’s IT network onto the operational technology (OT) network. The attacker was then able to deploy data-encrypting ransomware on the networks.

Nathan Brubaker, Senior Manager, Cyber Physical Team
InfoSec Expert
February 20, 2020 1:20 pm

It appears in this case that the threat actor carried out some initial intrusion and lateral movement work probably to identify critical assets prior to deploying the ransomware. This is what we call post-compromise ransomware deployment and is what we are seeing as the next trend in ransomware (definitely including critical and industrial sectors)—and interestingly is the topic of one of our presentations taking place at RSA next week.

The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach are often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organisations have moved toward adopting a more operationally complex post-compromise approach.

In post-compromise ransomware incidents, a threat actor first gains privileged access to a victim’s environment where they can explore target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators. Actors cast wider nets that impact critical systems, which maximises the scale and effectiveness of their end-stage operations by inflicting maximum pain to the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves.

Dr. Vinay Sridhara
InfoSec Expert
February 20, 2020 1:15 pm

This is yet another breach where humans are the easiest path to infiltration by attackers. As with other high profile events, this one propagated from a lower value target to an extremely high value target. Starting with a targeted phishing attack, the adversary then pivoted across networks, eventually using commodity ransomware to encrypt critical infrastructure data. Organizations, especially those protecting critical assets, must ensure that propagation risk doesn’t overshadow other efforts to protect those assets.

The organization also cited ‘gaps in cybersecurity knowledge and the wide range of possible scenarios.’ Every organization’s attack surface is huge, and grows with digital transformation and with the ever increasing number of attack methods available to adversaries, leaving an unlimited number of things that can go wrong. Cybersecurity is no longer a human scale problem, so risk-based prioritization, across all assets and attack vectors, must form the basis for information security decision making.

Max Vetter, Chief Cyber Officer
InfoSec Expert
February 20, 2020 1:13 pm

This latest ransomware attack demonstrates the need to ensure both technological and human cyber security capabilities are as strong as they can possibly be. The natural gas facility has specifically named a lack of practised cyber skills as a fundamental cause of the breach, which has led to the pipeline being shut. Security professionals talk a lot about making sure you have bought all the right tech to protect your company but far less often about the skills you need to protect the company, and this needs to change.

In particular, the organisation said that staff were not adequately prepared for this type of attack in their cyber crisis scenario planning. Unfortunately, many security employees across all industries are probably looking at this example and thinking that they would not have been prepared either. Although many companies run “fire drills” or cyber crisis simulations, they are shockingly infrequent, often specific to only a small number of attacks, and therefore inadequate at preparing staff for the multitude of security incidents they could face. All organisations, and particularly those that play a role in critical national infrastructure, should be conducting cyber crisis simulation exercises frequently and repeatedly, to practice and prepare for each incident type.

Tal Zamir, Founder and CTO
InfoSec Expert
February 20, 2020 1:09 pm

Organizations that handle critical infrastructure cannot trust OS-based security solutions, as these have been proven to fail over and over again, similar to this recent example of ransomware successfully hitting US-based OT networks. Instead, these organizations must apply isolation/segregation approaches both at the network level and at the endpoint level. Isolation can be achieved by a strong physical or virtual “air gap”, but must ensure that the IT and OT assets do not have direct network connectivity from one to the other.

Saurabh Sharma
InfoSec Expert
February 20, 2020 10:16 am

This alert highlights a growing problem across the industrial control space. While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness, and human mistakes continue to expose critical infrastructure to attack. While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down, and further erode the public’s confidence in the security of our critical systems.
