New details on ransomware pipeline attack

A new alert from the Department of Homeland Security warns about a ransomware attack that caused a natural gas compression facility to shut down its pipeline for about two days.

This is the same attack outlined in a U.S. Coast Guard bulletin from December 2019 about Ryuk ransomware at a Maritime Transportation Security Act regulated facility, according to unnamed sources.

The Maritime Transportation Security Act or MTSA covers some ships, offshore oil and gas platforms, and port facilities.

In this case, ransomware attackers used spear phishing to enter the gas company’s business network, then made their way to the more sensitive operational network, which runs the industrial machinery and has potential to cause serious damage.

The malware then disrupted the industrial operations and the facility chose to shut down the natural gas pipeline for recovery, the DHS alert said.

This is similar to other ransomware cases affecting oil and gas companies in the last five months, according to Clint Bodungen, CEO of cybersecurity company ThreatGEN.

“I think that it’s ‘big game hunting’ because they think that’s where the money is,” Bodungen told Archer News.



Temporary Shutdown

DHS did not specify the company’s name or location, nor when the attack took place.

But the alert does explain that the ransomware affected industrial computer devices and systems running the Windows operating system, like human machine interfaces or HMIs, data historians and polling servers.

The devices stopping providing data, so people running the pipeline could not see crucial information to keep the operation going.

The operators “lost control and the ability to monitor and control critical sensors across the facilities’ ICS [industrial control systems] network,”  Coast Guard Cyber Program Specialist Charles Blackmore told Archer News.

Ultimately, the company chose to shut the pipeline down for about 30 hours, according to the Coast Guard.

The company found replacement equipment and re-loaded configurations for equipment in order to recover, DHS said.

Similar Attacks

The same kind of attack has occurred at least twice in recent months, according to Bodungen, though he is not sure if DHS is reporting on the same attacks he has observed.

Attackers use spear phishing to trick oil and gas employees into downloading malware, then move to infect Windows machines in the operations network and indirectly cause problems running the crucial industrial control systems, he said.

Though the attackers did not take control of the industrial machinery, they had the capability to do it, Bodungen said.

“We’re not talking about a Bruce Willis movie where they can redirect the gas to another part of the city and blow things up. That’s fiction,” he said.

However, “if they had the intent and or knowledge of the process to do more damage, they could have,” he added.


An example of a Ryuk ransomware note. Image: Check Point


The company did have an emergency response plan, but it “did not specifically consider the risk posed by cyberattacks,” according to the alert.

“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning,” the alert said.

A number of oil and gas facilities are not following proper security procedures, Bodungen said.

“The ones that did get hit, it’s consistent across the board,” he said. “None of them had proper security controls in place. Most of them — if not all — were ‘flat networks,’ no network segmentation. None of them had threat monitoring and none of them had an incident response plan in place.”


An example of an HMI, or human machine interface, in an industrial setting. Image: Genkur/iStock


Recognize that cyberattacks can cause physical danger, DHS recommended in its alert, along with many other steps for protection.

They include separating business and operational networks, practicing how to stay running while systems are under attack, and  more.

“While operations have since been restored, this incident is just the latest example of the risk ransomware and other cyber threats can pose to industrial control systems, and of the importance implementing cybersecurity measures to guard against this risk,” said an official with DHS’ Cybersecurity and Infrastructure Security Agency in a statement.

Attackers may be conducting a campaign specifically targeting oil and gas companies, Bodungen theorized.

“As an industry, we kind of had our ‘heads in the sand’ syndrome,” said Bodungen. ”A lot of us kind of felt like, ‘Well, there’s no real risk, or it’s not happened to me, or it’s not large scale enough.'”

“I think we are starting to see that people are waking up and saying, ‘Oh, well, this could happen to me,’” he said.


Main image: An example of a pipeline. Image: Spooh/iStock


Leave a Reply