CISA Shares Details About Ransomware that Shut Down Pipeline Operator


One cybersecurity firm links the incident to a December ransomware event disclosed by the Coast Guard.

The Cybersecurity and Infrastructure Security Agency released details about a ransomware attack on an undisclosed natural gas compression facility whose operator deliberately shut down operations for about two days in order to keep control of the process.

“Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks,” CISA said in an alert Tuesday. “The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”

CISA did not reveal when the attack took place, but the cybersecurity firm Dragos “assesses with high confidence” that the event described is the same one the Coast Guard disclosed in a December bulletin about a ransomware infection at a regulated facility.

CISA has been working to acquire more information on vulnerabilities from private-sector owners of critical infrastructure to glean patterns and inform long-term planning and mitigation measures across the ecosystem. 

The details of the attack in the Tuesday alert are key to developing the kind of metrics lawmakers such as Rep. Jim Langevin, D-R.I., have said are crucial for “evidence-based” cybersecurity policy, and such reporting could become more standardized if the recommendations of the Cyberspace Solarium Commission are implemented.

According to the CISA alert, the pipeline operator never lost control of operations. However, the operator opted to shut down operations for two days, leading to a loss of productivity and revenue.

The term “loss of productivity and revenue” is a technical one. In the MITRE Corporation’s ATT&CK for ICS framework it is an impact category describing disruption of the availability and integrity of control system operations, either as the direct effect of an attack on the industrial control systems or tangentially, when an attack aimed at IT systems spills over into an OT environment that is not segregated from IT. In this case the spillover meant the organization effectively shut down its process in order to remove the malware.

According to the CISA alert: “The victim failed to implement robust segmentation between the IT and [Operational Technology] networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.”
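The missing segmentation CISA describes is something an operator can test for in its own firewall policy. The following is an added example, not code from CISA or from the article: it audits a constructed, flat rule set for allow rules whose source lies in the IT address space and whose destination lies in the OT address space, and rates each such path as broad (any port, a common lateral-movement service, or a whole IT range as source) or scoped (a single host to a single OT service). The subnet labels, rule names and field layout are assumptions made for the illustration.

```python
"""Added example (not from the CISA alert or the article): audit a firewall
policy for rules that let IT hosts reach the OT network.

The zones, rule list and field names below are constructed for illustration;
a real audit would export the live policy from the boundary firewall."""
import ipaddress
from dataclasses import dataclass

# Constructed network plan: which address ranges count as IT and as OT.
IT_ZONES = [ipaddress.ip_network("10.1.0.0/16")]
OT_ZONES = [ipaddress.ip_network("10.20.0.0/16"),
            ipaddress.ip_network("192.168.50.0/24")]

# Services commonly used to move laterally between Windows hosts; an IT->OT
# allow rule on one of these is rated broad regardless of how narrow the
# source is.
LATERAL_MOVEMENT_PORTS = {"135", "445", "3389"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    dport: str    # "any" or a TCP/UDP port number as a string


# Constructed policy resembling the unsegmented posture the alert describes,
# with two rules a segmented design might legitimately keep.
POLICY = [
    Rule("hist-replication", "allow", "10.20.5.0/24", "10.1.40.10/32", "1433"),
    Rule("it-to-ot-any", "allow", "10.1.0.0/16", "10.20.0.0/16", "any"),
    Rule("eng-ws-to-plc", "allow", "10.1.7.25/32", "192.168.50.0/24", "502"),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]


def _touches(cidr, zones):
    """True if the CIDR overlaps any network in the zone list."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(zone) for zone in zones)


def it_to_ot_paths(policy, it_zones=IT_ZONES, ot_zones=OT_ZONES):
    """Return every allow rule that opens a path from an IT zone into an OT zone,
    with a severity of "broad" or "scoped". Order-independent: the check asks
    whether such a rule exists at all, not whether an earlier deny shadows it."""
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        if not (_touches(rule.src, it_zones) and _touches(rule.dst, ot_zones)):
            continue
        src_net = ipaddress.ip_network(rule.src, strict=False)
        broad = (rule.dport == "any"
                 or rule.dport in LATERAL_MOVEMENT_PORTS
                 or src_net.prefixlen < 24)   # whole IT ranges, not hosts
        findings.append({
            "rule": rule.name,
            "src": rule.src,
            "dst": rule.dst,
            "dport": rule.dport,
            "severity": "broad" if broad else "scoped",
        })
    return findings


if __name__ == "__main__":
    for f in it_to_ot_paths(POLICY):
        print(f"{f['severity']:6} {f['rule']}: {f['src']} -> {f['dst']} port {f['dport']}")
```

Run against the constructed policy, the script flags `it-to-ot-any` as broad and `eng-ws-to-plc` as scoped, while the historian replication rule (OT to IT) and the default deny are left alone. A broad finding is the kind of path that lets an IT-side ransomware infection reach HMIs and historians; a scoped finding is a candidate for review, not automatically a problem.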

CISA said the attackers gained initial access to the facility’s IT network through a spearphishing link: a targeted email that lured a specific individual into clicking a link that downloaded the malware.

The attackers then used commodity ransomware, the kind readily bought on underground markets, to “Encrypt Data for Impact” on both networks, so that assets such as human-machine interfaces were no longer accessible, causing a “Loss of View” for operators.

Loss of visibility was also a feature of what is thought to be the first cyber disruption of the U.S. energy grid last March.