The ransomware epidemic that has plagued enterprise and municipal networks for years is now making inroads into more complex environments, including, in a recent incident, the network of a natural gas compression facility operator.
The incident began when attackers sent a spear phishing email to someone inside the organization, who clicked on the embedded link. That gave the adversaries a foothold on the operator’s IT network, which they then used as a pivot into the operational technology (OT) network, the systems that do the work of running and monitoring the facility’s equipment. Once there, the attackers installed ransomware on a number of systems, including human machine interfaces (HMIs), polling servers, and others.
“Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators. The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations,” an alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) says.
CISA specialists responded to the incident at the unnamed compression facility and helped the organization assess and recover from the intrusion. They found that the organization had not segmented the IT and OT networks well enough, which allowed the attackers to move from their initial foothold onto the OT systems. The organization ended up having to shut down operations for two days while it tried to recover from the incident, which affected systems on both the IT and OT networks.
“The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization’s OT network included HMIs, data historians, and polling servers,” the CISA alert says.
“Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted.”
Ransomware attacks on industrial control systems (ICS), OT systems, and other specialized gear are still relatively uncommon, but not unheard of. There have been a handful of documented incidents in the last few years, and a few known ransomware samples carry some ICS-specific functionality. In January, researchers at Dragos, which specializes in ICS security, discovered a ransomware strain, named Ekans, that shares some functionality with the older MegaCortex ransomware. Like some other ransomware, Ekans looks for and attempts to kill a list of specific processes on a system before encrypting it, and some of the processes on that list belong to ICS software. Terminating HMI, historian and database processes first both frees the files those processes hold open for encryption and, on an OT host, removes the operator’s view of the process.
“EKANS (and apparently some versions of MEGACORTEX) shift this narrative as ICS-specific functionality is directly referenced within the malware. While some of these processes may reside in typical enterprise IT networks, such as Proficy servers or Microsoft SQL servers, inclusion of HMI software, historian clients, and additional items indicates some minimal, albeit crude, awareness of control system environment processes and functionality,” the Dragos analysis says.
“The actual level of impact EKANS or ICS-aware MEGACORTEX may have on industrial environments is unclear. Targeting historian and data gathering processes at both the client and server level imposes significant costs on an organization and could induce a loss of view condition within the overall plant environment.”
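The behaviour Dragos describes, a kill list run against HMI, historian and database processes shortly before encryption, is also a detection opportunity: a burst of terminations of several distinct watchlisted processes on one host inside a short window is rare in normal operation. The following is an added example, not code from the article, CISA or Dragos. It runs a sliding-window detector over constructed, Sysmon-style process-termination records; the watchlist entries other than sqlservr.exe (the real Microsoft SQL Server process) are placeholder names that a defender would replace with the vendor binaries actually deployed in their plant.

```python
"""Flag hosts where several ICS-relevant processes are killed in quick succession.

Added example, not from the article, CISA or Dragos. Input records are a
constructed, simplified form of Sysmon Event ID 5 (process terminated); in
production the same logic would run over events pulled from a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Image names (lowercase basenames) whose termination matters on an OT host.
# sqlservr.exe is the real MS SQL Server process; the others are placeholders
# (assumption) standing in for site-specific HMI, historian and OPC binaries.
ICS_WATCHLIST = {
    "sqlservr.exe",
    "hmi_runtime.exe",
    "historian_client.exe",
    "historian_server.exe",
    "opc_server.exe",
}

WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 3                    # distinct watchlisted images killed per host per window


def parse_event(line):
    """Parse '<iso-timestamp> <host> <ACTION> <image path>'; return None unless ACTION is TERMINATED."""
    ts, host, action, image = line.split(" ", 3)   # maxsplit keeps spaces inside the path
    if action != "TERMINATED":
        return None
    basename = image.rsplit("\\", 1)[-1].lower()
    return datetime.fromisoformat(ts), host, basename


def detect_kill_bursts(lines, watchlist=ICS_WATCHLIST, window=WINDOW, threshold=THRESHOLD):
    """Return {host: sorted list of watchlisted images} for every host on which at least
    `threshold` distinct watchlisted processes terminated within one `window`."""
    per_host = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed and parsed[2] in watchlist:
            per_host[parsed[1]].append((parsed[0], parsed[2]))

    alerts = {}
    for host, events in per_host.items():
        events.sort()
        # Slide the window start over each event; stop at the first burst for this host.
        for i, (start, _) in enumerate(events):
            hit = {img for ts, img in events[i:] if ts - start <= window}
            if len(hit) >= threshold:
                alerts[host] = sorted(hit)
                break
    return alerts


# Constructed sample log: benign restarts on two hosts, then a kill-list burst on hmi-01
# immediately followed by an unknown binary starting from a user-writable path.
SAMPLE_EVENTS = [
    "2020-02-18T09:00:00 hist-01 TERMINATED C:\\Vendor\\historian_client.exe",
    "2020-02-18T09:05:00 hist-01 TERMINATED C:\\Vendor\\historian_server.exe",
    "2020-02-18T09:10:00 it-sql-01 TERMINATED C:\\Program Files\\MSSQL\\sqlservr.exe",
    "2020-02-18T09:10:30 it-sql-01 STARTED C:\\Program Files\\MSSQL\\sqlservr.exe",
    "2020-02-18T09:20:00 hmi-01 TERMINATED C:\\Vendor\\hmi_runtime.exe",
    "2020-02-18T09:20:02 hmi-01 TERMINATED C:\\Windows\\notepad.exe",
    "2020-02-18T09:20:03 hmi-01 TERMINATED C:\\Vendor\\historian_client.exe",
    "2020-02-18T09:20:05 hmi-01 TERMINATED C:\\Vendor\\opc_server.exe",
    "2020-02-18T09:20:09 hmi-01 TERMINATED C:\\Program Files\\MSSQL\\sqlservr.exe",
    "2020-02-18T09:20:15 hmi-01 STARTED C:\\Users\\Public\\update.exe",
]


if __name__ == "__main__":
    for host, images in detect_kill_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(images)} watchlisted processes killed within {WINDOW}: {images}")
```

The two historian terminations on hist-01 five minutes apart and the single SQL Server restart on it-sql-01 do not trip the detector; only hmi-01, where four distinct watchlisted processes die inside ten seconds, is reported. Thresholds and the watchlist are the tuning knobs: a patch cycle that restarts many services at once will look similar, so the rule is best paired with the process-start event that follows, as in the sample, or scoped to hosts that are not in a maintenance window.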
CISA stressed that the attacker in the incident it responded to never had control of operations at the facility, and that the victim organization had an offsite backup control center with network visibility into the affected systems throughout the attack. The organization’s emergency response plan, however, was written for physical threats and did not consider a cyber attack.
“The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security,” CISA said in the alert.
The good news was that the organization was able to load known-good backup images onto new systems to replace the infected ones and resume normal operations after two days.