The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported on 18 February 2020 on a ransomware incident impacting a natural gas compression facility at an unidentified U.S. pipeline operator.
Assessment of Ransomware Event at U.S. Pipeline Operator
Article from Dragos
The ransomware event impacted both IT and ICS assets, causing loss of view and loss of control that led the facility to implement controlled shutdown processes and resulted in a reported two days of downtime. Based on information shared with Dragos, as well as public reporting, the CISA alert describes the same event reported by the U.S. Coast Guard in 2019.
Operational impacts were likely caused by a combination of insufficient segregation of IT and ICS environments and shared Windows operating system infrastructure. Based on reporting, the intrusion appears to have impacted only a natural gas compression facility owned by the pipeline operator. Impacted ICS devices included data historians and human-machine interface (HMI) devices, but the intrusion did not propagate to Layer 1 devices or lower, such as PLCs.
Ransomware attackers initially breached the unnamed U.S. pipeline operator via a phishing message containing a malicious link, according to the limited details provided in the CISA report. This allowed the unidentified attacker to gain access to the victim’s IT network, with subsequent pivoting allowing spread to ICS network assets. Phishing is a very common initial access vector for cyberattacks, as both ransomware criminals and ICS-targeting adversaries leverage this social engineering mechanism to successfully breach companies.
Following spread throughout the victim network, the attacker deployed unidentified ransomware within the environment leading to operational disruption. The victim disconnected and disabled impacted ICS assets to mitigate any potential threat to operations, then proceeded with a controlled shutdown instead of relying on purely manual control given the ICS loss of view impact. As a result, even though CISA reporting indicates only one compression facility was directly targeted, overall pipeline operations ceased for two days during restoration from backup operational data and stored configuration files.
After publication, Dragos learned from multiple sources that the event described in the CISA report is the same as an event reported by the U.S. Coast Guard in December 2019. This link was later reported by several news outlets as well. As reported by the U.S. Coast Guard, Ryuk ransomware was ultimately deployed at the facility creating the disruption in operations.
Dragos can confirm through sources that the two events are the same, and multiple observations demonstrate strong overlap and similarity:
- Initial infection via an email message containing a malicious link
- Primary operational impact through loss of view on Windows-based systems performing ICS-related operations
- Relatively similar outage periods, with CISA reporting two days of downtime at the natural gas compression facility while the U.S. Coast Guard reported an outage of over 30 hours
Given these details, Dragos assesses that the two reports reference the same event based on available information.
Based on a variety of factors, Dragos concludes with high confidence that the events in the CISA alert represent well-known ransomware behavior and are not an ICS-specific or ICS-targeted event. These factors include reportedly insufficient segregation between IT and ICS network environments within the victim organization, ICS impacts affecting only Windows-based devices, and no available evidence indicating attackers tried to alter, modify, or degrade the integrity of ICS operations beyond encrypting Windows-based systems using “commodity ransomware.”
Although limited details about the ransomware event exist, current trends in ransomware leverage initial access into victim environments to capture credentials or compromise Windows Active Directory (AD) to gain widespread access to the victim’s entire network. Once achieved, the attacker can then utilize malicious scripts and legitimate remote execution tools like PsExec to stage ransomware, or even push malicious software via AD Group Policy Objects. The result is that all domain-joined Windows machines are infected nearly simultaneously to produce an entire-network encryption event. This strategy has been used to deploy various ransomware strains including Ryuk, MegaCortex, and Sodinokibi.
Given the limited details on the victim environment, an AD-focused or credential capture-based compromise would allow the attacker to spread to Windows-based assets in the unsegregated, IT-joined ICS network. Subsequent encryption operations would therefore spread to ICS assets indiscriminately along with typical IT assets.
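The staging pattern described in the two paragraphs above leaves a footprint that defenders can monitor for: Windows records a System Event ID 7045 each time a service is installed, and PsExec installs its helper on every target as a service named PSEXESVC. A single install is routine administration; the same account installing it on many hosts within minutes, and reaching from the IT zone into ICS hosts, is the indiscriminate spread the article describes. The Python below is an added example, not code from the Dragos article: it parses constructed service-install log lines (the hostnames, zone inventory, account names and key=value log format are all hypothetical) and flags such a burst along with whether it crossed the IT/ICS boundary.

```python
"""Detect a burst of PsExec-style service installs spanning IT and ICS hosts.

Added example: all hosts, accounts and log lines below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed asset inventory (hypothetical hostnames): host -> network zone.
ZONES = {
    "IT-WS-01": "IT",
    "IT-WS-02": "IT",
    "IT-FS-01": "IT",
    "HMI-COMP-01": "ICS",
    "HIST-COMP-01": "ICS",
    "ENG-WS-01": "ICS",
}

# Service names installed by remote-execution tooling; PSEXESVC is PsExec's.
REMOTE_EXEC_SERVICES = {"PSEXESVC"}

# Constructed sample log lines in this example's own key=value export format
# (not the format of any real collector). One benign install on 17 Feb by a
# helpdesk account, then a five-host burst on 18 Feb by one service account.
SAMPLE_LOG = """\
2020-02-17T14:02:11Z host=IT-WS-02 EventID=7045 ServiceName=PSEXESVC Account=CORP\\helpdesk
2020-02-18T02:14:03Z host=IT-WS-01 EventID=7045 ServiceName=PSEXESVC Account=CORP\\svc-backup
2020-02-18T02:14:09Z host=IT-FS-01 EventID=7045 ServiceName=PSEXESVC Account=CORP\\svc-backup
2020-02-18T02:14:15Z host=HIST-COMP-01 EventID=7036 ServiceName=Spooler Account=SYSTEM
2020-02-18T02:15:41Z host=HMI-COMP-01 EventID=7045 ServiceName=PSEXESVC Account=CORP\\svc-backup
2020-02-18T02:15:52Z host=HIST-COMP-01 EventID=7045 ServiceName=PSEXESVC Account=CORP\\svc-backup
2020-02-18T02:16:30Z host=ENG-WS-01 EventID=7045 ServiceName=PSEXESVC Account=CORP\\svc-backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) "
    r"ServiceName=(?P<svc>\S+) Account=(?P<acct>\S+)$"
)


def parse_events(text):
    """Parse key=value log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "host": m["host"],
            "event_id": int(m["eid"]),
            "service": m["svc"],
            "account": m["acct"],
        })
    return events


def find_remote_exec_bursts(events, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per window in which at least min_hosts distinct hosts
    received a remote-execution service install (Event ID 7045). Each alert
    lists the hosts, the accounts used, the zones touched, and whether the
    burst crossed the IT/ICS boundary."""
    installs = sorted(
        (e for e in events
         if e["event_id"] == 7045 and e["service"] in REMOTE_EXEC_SERVICES),
        key=lambda e: e["ts"],
    )
    alerts = []
    i = 0
    while i < len(installs):
        start = installs[i]["ts"]
        # Every qualifying install inside [start, start + window).
        group = [e for e in installs[i:] if e["ts"] - start < window]
        hosts = sorted({e["host"] for e in group})
        if len(hosts) >= min_hosts:
            zones = sorted({ZONES.get(h, "unknown") for h in hosts})
            alerts.append({
                "start": start,
                "end": group[-1]["ts"],
                "hosts": hosts,
                "accounts": sorted({e["account"] for e in group}),
                "zones": zones,
                "crosses_it_ics": {"IT", "ICS"} <= set(zones),
            })
            i += len(group)  # skip past the burst just reported
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for a in find_remote_exec_bursts(parse_events(SAMPLE_LOG)):
        print(f"{a['start']:%Y-%m-%d %H:%M:%S} to {a['end']:%H:%M:%S}: "
              f"{len(a['hosts'])} hosts, zones={a['zones']}, "
              f"crosses_it_ics={a['crosses_it_ics']}, accounts={a['accounts']}")
```

On the sample data the single helpdesk install on 17 February is ignored, while the 18 February sequence produces one alert covering five hosts in both zones under one service account. The zone lookup is the part worth keeping even if the rest is replaced by a SIEM rule: a service-install burst that stays inside the IT zone is a different incident from one that reaches historians and HMIs, and an inventory that knows which hosts are ICS is what makes that distinction visible.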
No information provided indicates or supports ICS-specific targeting, such as observed with the limited process targeting identified in EKANS and some MegaCortex variants.
Update: Dragos confirmed through sources the recent CISA alert about a ransomware incident that impacted a natural gas compression facility at a U.S. pipeline operator describes the same event reported by the U.S. Coast Guard in 2019.
The content & opinions in this article are the author’s and do not necessarily represent the views of ManufacturingTomorrow