A U.S. Natural Gas Operator Shuts Down For 2 Days After A Phishing Attack Infects It With Ransomware



CISA-logo-1Dan Goodin at Ars Technica reported something worrisome: "A US-based natural gas facility shut down operations for two days after sustaining a ransomware infection that prevented personnel from receiving crucial real-time operational data from control and communication equipment, the Department of Homeland Security said on Tuesday.

"Tuesday’s advisory from the DHS’s Cybersecurity and Infrastructure Security Agency, or CISA, didn’t identify the site except to say that it was a natural gas-compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so it can be safely moved through pipelines.

"The attack started with a malicious link in a phishing email that allowed attackers to pivot from the facility’s IT network to the facility’s OT network, which is the Operational Technology hub of servers that control and monitor physical processes of the facility. With that, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

"The infection didn’t spread to programmable logic controllers, which actually control compression equipment, and it didn’t cause the facility to lose control of operations, Tuesday’s advisory said. The advisory explicitly said that “at no time did the threat actor obtain the ability to control or manipulate operations.”

"Still, the attack did knock out crucial control and communications gear that on-site employees depend on to monitor the physical processes." End quote, and link to the full story below.

James McQuiggan, Security Awareness Advocate at KnowBe4 commented: "Looking at the CISA report on the incident, this could be the norm for an attack on any ICS/OT organization.

The fact that the attacker was in the IT and OT networks for a period of time where they were able to access the various systems, granted, they were read-only systems it could have been worse.

Organizations that have Operational Technology (OT) environments must consider their OT networks as the crown jewel of their environment and work to properly secure them, isolate them and only allow the necessary access to those environments.

This is further secured by implementing a DMZ environment with single or redundant systems used for machine and interactive user communication. The OT environments need to be isolated, not air gapped and their OT organizations to consider the access to the systems a high priority, with strong accounts and restrictions.

Finally, it's important to educate your employees in cybersecurity. Ransomware often enters via a phishing attack. Teaching users via Security Awareness Training to not engage with suspect or unusual emails is a solid first step in lowering the risk of successful attack." 

Ars Technica has the story.


Ransomware Has Gone Nuclear, How Can You Avoid Becoming The Next Victim?

There is a reason more than half of today’s ransomware victims end up paying the ransom. Cyber-criminals have become thoughtful; taking time to maximize your organization’s potential damage and their payoff.

After achieving root access, the bad guys explore your network reading email, finding data troves and once they know you, they craft a plan to cause the most panic, pain, and operational disruption. Ransomware has gone nuclear.

GoneNuclear-WEBINARJoin us for this webinar where, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, dives into:

  • Why data backups (even offline backups) won’t save you
  • Evolved threats from data-theft, credential leaks, and corporate impersonation
  • Why ransomware isn’t your real problem
  • How your end users can become your best, last line of defense

Watch Now

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/nuclear-ransomware

Subscribe To Our Blog


Ransomware Has Gone Nuclear Webinar




Get the latest about social engineering

Subscribe to CyberheistNews