Update: Dragos confirmed through sources the recent CISA alert about a ransomware incident that impacted a natural gas compression facility at a U.S. pipeline operator describes the same event reported by the U.S. Coast Guard in 2019.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported on 18 February 2020 on a ransomware incident impacting a natural gas compression facility at an unidentified U.S. pipeline operator. The ransomware event impacted both IT and ICS assets by causing loss of view and control impacts that caused the facility to implement controlled shutdown processes and resulted in a reported two days of downtime. Based on information shared with Dragos, as well as noted in public reporting, the CISA alert describes the same event reported by the U.S. Coast Guard in 2019.
While causing operational disruption lasting two days, available evidence does not indicate the ransomware adversaries specifically targeted ICS operations.
Operational impacts were likely caused by a combination of insufficient segregation of IT and ICS environments and shared Windows operating system infrastructure. Based on reporting, the intrusion appears to only have impacted a natural gas compression facility owned by the pipeline operator. Impacted ICS devices included data historians and human machine interface (HMI) devices but did not propagate to Layer 1 devices or lower, such as PLCs.
Ransomware attackers initially breached the unnamed U.S. pipeline operator via phishing containing a malicious link, according to limited details provided in the CISA report. This allowed the unidentified attacker to gain access to the victim’s IT network, with subsequent pivoting allowing for spread to ICS network assets. Phishing is a very common initial access vector for cyberattacks, as both ransomware criminals and ICS-targeting adversaries leverage this social engineering mechanism to successfully breach companies.
Following spread throughout the victim network, the attacker deployed unidentified ransomware within the environment leading to operational disruption. The victim disconnected and disabled impacted ICS assets to mitigate any potential threat to operations, then proceeded with a controlled shutdown instead of relying on purely manual control given the ICS loss of view impact. As a result, even though CISA reporting indicates only one compression facility was directly targeted, overall pipeline operations ceased for two days during restoration from backup operational data and stored configuration files.
After publication, Dragos learned from multiple sources that the event described in the CISA report is the same as an event reported by the U.S. Coast Guard in December 2019. This link was later reported by several news outlets as well. As reported by the U.S. Coast Guard, Ryuk ransomware was ultimately deployed at the facility creating the disruption in operations.
Dragos can confirm through sources that the two events are the same, and multiple observations demonstrate strong overlap and similarity:
- Initial infection via an email message containing a malicious link
- Primary operational impact through loss of view on Windows-based systems performing ICS-related operations
- Relatively similar outage periods, with CISA reporting two days of downtime at the natural gas compression facility while the U.S. Coast Guard reported an outage of over 30 hours
Given these details, Dragos assesses with the two reports reference the same event based on available information.
Based on a variety of factors, Dragos concludes with high confidence the events in the CISA alert represent well-known ransomware behavior and is not an ICS-specific or ICS targeted event. This includes reportedly insufficient segregation between IT and ICS network environments within the victim organization, ICS impacts only affecting Windows-based devices, and no available evidence indicating attackers tried to alter, modify, or degrade the integrity of ICS operations beyond encrypting Windows-based systems using “commodity ransomware.”
Although limited details about the ransomware event exist, current trends in ransomware leverage initial access into victim environments to capture credentials or compromise Windows Active Directory (AD) to gain widespread access to the victim’s entire network. Once achieved, the attacker can then utilize malicious scripts and legitimate remote execution tools like PSExec to stage ransomware, or even push malicious software via AD Group Policy Objects. The result is all domain-joined Windows machines are infected nearly simultaneously to produce an entire-network encryption event. This strategy has been used to deploy various ransomware strains including Ryuk, MegaCortex, and Sobinokibi.
Given the limited details on the victim environment, an AD-focused or credential capture-based compromise would allow the attacker to spread to Windows-based assets in the unsegregated, IT-joined ICS network. Subsequent encryption operations would therefore spread to ICS assets indiscriminately along with typical IT assets.
No information provided indicates or supports ICS-specific targeting, such as observed with the limited process targeting identified in EKANS and some MegaCortex variants.
The following are security recommendations asset owners and operators can implement to prevent the infection and spread of ransomware that could potentially impact ICS operations.
- Ensure employees are trained to recognize and respond to phishing campaigns, and to report to security personnel when observed.
- Implement flagging or other methods to tag external email to mitigate spoofing of internal email addresses.
- Ensure strong network defenses between the IT and OT networks, creating chokepoints to limit malware spread.
- Keep anti-virus signatures up to date, where possible. Ensure corporate networks are thoroughly patched to prevent malware infections targeting disclosed vulnerabilities from entering the environment in the first place and prevent subsequent propagation that may impact ICS networks.
- Critically examine and limit connections including network shares between corporate and ICS networks to only required traffic.
- Aggressively monitor outbound communications from ICS networks to identify signs of infection events within OT space.
- Ensure backups of enterprise and OT network systems are maintained.
- Test backups during a disaster recovery simulation.