Throwback Attack: Natural gas operator is plagued by ransomware attack, halts operations

Courtesy: CFE Media and Technology

Natural gas remains a major player within the energy industry and will continue to be until more renewable resources have been thoroughly explored. Given that it’s a big part of critical infrastructure — and that the U.S. is a world superpower, which naturally invites challenges — protecting the oil and gas sector from threat actors is a constant goal. Despite this, attacks continue to happen.

In early 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory about one unnamed natural gas operator in the U.S. that needed to halt all operations after a ransomware attack hit their systems. One would think that a threat actor hacked their network or plugged into a physical system to execute this attack. The truth? The attackers pushed a spear-phishing campaign, and all an employee had to do was click a link within an email.

Attacks like this one have demonstrated the need for proper employee training to help identify phishing emails, as well as other signs that a company is under attack. Threat actors are looking for the path of least resistance when infiltrating a network or industrial control system (ICS). Giving employees the tools to recognize irregular behavior will help mitigate cyberattacks.

Defining spear-phishing

According to cybersecurity company Kaspersky, spear-phishing is defined as “an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.” Ultimately, spear-phishing is just a more targeted form of phishing. In this case, the spear-phishing campaign was carried out to install ransomware.

This attack allowed the threat actors who targeted the natural gas operator to jump from the information technology (IT) systems to the operational technology (OT) systems. This kind of cross breach is becoming increasingly common because of the IT/OT convergence that continues to occur as a result of digital transformation. In other words, when one side faces an attack, the other will likely have to be shut down to prevent further damage.

Other ransomware attacks on the energy sector

Of course, this cyberattack on an energy facility isn’t the only time the sector has been targeted. In May 2021, the Colonial Pipeline — a pipeline system that carries gasoline, diesel and jet fuel from refineries on the Gulf Coast to the southeastern and eastern United States — was hit with a major cyberattack perpetrated by a group known as DarkSide. The attack caused the pipeline to shut down temporarily, leading to panic buying and gasoline shortages in several states.

This intrusion was carried out through a ransomware attack, in which the hackers encrypted the company’s systems and demanded a ransom in exchange for the decryption key. The Colonial Pipeline Company initially decided to pay the ransom, but later reversed this decision and opted to work with cybersecurity experts to restore its systems.

The incident had significant economic and logistical impacts, as the Colonial Pipeline is a critical piece of infrastructure that supplies fuel to much of the East Coast. The federal government declared a state of emergency in response to the attack, and President Joe Biden signed an executive order to strengthen the country’s cybersecurity defenses.

The attack highlighted the vulnerability of critical infrastructure to cyberattacks and the need for better cybersecurity measures. It also drew attention to U.S. reliance on a single, centralized pipeline for fuel distribution, leading to calls for more diversified and resilient energy systems.

The impact of the ransomware attack

While the adversaries behind this attack are unknown, the intent of any ransomware attack is to encrypt data and demand a ransom, typically paid in bitcoin. These threat actors did encrypt data, but they didn’t infect any programmable logic controllers (PLCs) that control the actual operation of the facility, according to Ars Technica. “Still, the attack did knock out crucial control and communications gear that on-site employees depend on to monitor the physical processes.” This led to a facility-wide shutdown for two days to mitigate any further damage.

In its advisory, CISA lists several failures of the natural gas facility; however, the most critical one is that the operator didn’t “implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.” This segmentation (or in this case, the lack of it) is imperative to the protection of any industrial asset when IT is breached, or vice versa.
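As an added example (not part of the article or of CISA's advisory), the following Python script shows what enforcing the IT/OT segmentation the advisory calls for looks like as a concrete check: every connection that crosses the boundary must match an explicit allowlist entry, and anything else is flagged. The zone address ranges, the allowlist, and the flow records are constructed assumptions.

```python
"""Added example: model 'robust segmentation between the IT and OT networks'
as a policy check over network flow records. Only explicitly allowlisted
crossings of the IT/OT boundary are permitted; everything else is flagged.
All zones, hosts and flows below are constructed for illustration."""
import ipaddress

# Assumed zone layout (constructed): IT and OT live in separate ranges.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
}

# Assumed allowlist (constructed): (src zone, dst zone, src host, dst port).
# Here the only permitted crossing is the OT historian publishing to IT over TLS.
ALLOWED_CROSSINGS = {
    ("OT", "IT", "10.20.0.5", 443),
}


def zone_of(ip):
    """Map an address to its zone name, or UNKNOWN if it is in neither range."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "UNKNOWN"


def check_flows(flows):
    """Return the flows that cross the IT/OT boundary without an allowlist entry."""
    violations = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone:
            continue  # traffic inside one zone is out of scope for this check
        if (src_zone, dst_zone, f["src"], f["dport"]) in ALLOWED_CROSSINGS:
            continue  # sanctioned crossing
        violations.append(f)
    return violations


# Constructed sample flows: one IT-only, one sanctioned OT->IT, two IT->OT crossings.
SAMPLE_FLOWS = [
    {"src": "10.10.4.21", "dst": "10.10.9.2", "dport": 445},    # IT file share, same zone
    {"src": "10.20.0.5", "dst": "10.10.8.8", "dport": 443},     # historian -> IT, allowed
    {"src": "10.10.4.21", "dst": "10.20.1.10", "dport": 445},   # IT workstation -> OT HMI
    {"src": "10.10.4.21", "dst": "10.20.1.11", "dport": 3389},  # IT workstation -> OT RDP
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print("boundary violation:", v)
```

In a real deployment the same policy would be expressed in the firewall between the zones; running it over flow logs as above is how you verify that the boundary actually holds.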

CISA also recommended several mitigations to limit the potential for a future attack. They are as follows:

  • Have a full emergency response plan.
  • Run exercises to learn from cybersecurity vulnerabilities.
  • Run tabletop exercises to walk employees and operators through different scenarios.
  • Identify points of failure for operational visibility.
  • Identify and go through the physical risks of a cyberattack.

This natural gas operations facility and the Colonial Pipeline hack highlight the vulnerabilities of critical infrastructure, as well as the damage that can be done when a hacker targets it. Cyberattacks can come through any vector and in different forms, underscoring the importance of protecting all assets — especially in critical infrastructure.
