A recent ransomware attack caused a U.S. natural gas compressor facility to shut for two days, the latest in a string of attacks targeting the country’s energy infrastructure over the past few years.
Hackers sent emails with a malicious link, known as a phishing attack, to gain control of the facility’s information technology system, the Department of Homeland Security said Tuesday in an alert. The agency didn’t say which facility was targeted, when the attack occurred or who was behind it.
It appears likely that the attacker explored the facility’s network to “identify critical assets” before executing the ransomware attack, according to Nathan Brubaker, a senior manager at the cybersecurity firm FireEye Inc. This tactic — which has become increasingly popular among hackers — makes it “possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators,” he said.
The DHS alert comes amid increased concern about whether aging U.S. energy facilities are equipped to ward off cyber-attacks that could result in power failures and disruptions to oil and natural gas supply. In 2018, several pipeline companies saw their electronic systems for communicating with customers shut down after being targeted by hackers.
Regulators have urged better oversight for pipeline cybersecurity, which is overseen by the Transportation Security Administration. DHS announced in 2018 that it was working with the TSA and the Department of Energy on a pipeline cybersecurity initiative.
Operations at the facility have been restored, according to an official at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, who requested anonymity when speaking about the matter. The official said the incident illustrates the risk that ransomware poses to industrial control systems.
Though the hackers didn’t gain control of the gas compression facility, the operator decided to perform a controlled shutdown after being unable to read and aggregate real-time operational data from certain devices.
While ransomware is usually designed to block access to a computer system until a sum of money is paid, the DHS notice didn’t specify what the hackers were demanding in the gas compressor cyber-attack. The facility’s emergency response plan didn’t specifically address the risk of cyber-attacks, DHS said.
The industrial cybersecurity firm Dragos Inc. assessed with “high confidence” that the DHS alert likely referred to an attack reported by the U.S. Coast Guard in December 2019, according to a Wednesday blog post. In that incident, a type of ransomware known as Ryuk — which has targeted organizations across the globe — hit a maritime facility, causing “primary operations” to shut down for more than 30 hours. Dragos didn’t identify the facility.
Joe Slowik, an analyst at Dragos, wrote in the blog post that the ransomware attack didn’t appear specifically focused on targeting industrial control systems. He added that phishing, the mechanism by which the hacker gained access to the facility’s networks, is a common “social engineering mechanism” that attackers use for both ransomware and infrastructure hacking.
–With assistance from Sayer Devlin.