Spear-phishing email results in U.S. gas pipeline ransomware attack

On Feb. 19, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (AA20-049A) that specifically drew attention to a serious ransomware attack that knocked an American fuel pipeline offline for two days. The gas pipeline ransomware attack, according to CISA, originated in a spear-phishing email to an employee. The threat actor was able to leverage the initial access to the IT network, gained via the email, to then enter the OT network and deploy commodity ransomware.

Once the ransomware took effect, the threat actor was able to affect the OT network by making certain elements unavailable including “human-machine interfaces (HMIs), data historians, and polling servers.” More specifically, as CISA words it in their alert, “impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators.”

In an analysis of the attack, CISA was able to zero in on the specific factors that allowed the attacker to do as much damage as they did. The IT and OT networks, for instance, were not segmented, which allowed the attacker to disrupt both networks with ease. Even though the attack directly affected only one facility, the two-day shutdown occurred because, as the report states, “geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies.”
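The segmentation failure above is the kind of gap a defender can audit continuously. The following script is an added example, not code from CISA or the article: it reads connection records exported from an IT/OT boundary firewall or flow collector and flags every IT-to-OT flow that is not on an explicit allowlist. The subnets, the allowlisted jump-host and historian paths, and the sample records are constructed assumptions, not values from the incident.

```python
"""
Added example (not from the CISA alert or the article): a minimal
IT/OT boundary-flow audit. Any flow from the IT segment into the OT
segment that is not on the explicit allowlist is reported. Subnets,
ports and sample records below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

IT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed corporate IT range
OT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed control-system range

# Allowed IT->OT paths: (source, destination, proto, dport). Constructed
# example: only a hardened jump host may reach the HMI over RDP, and only
# the historian replica may pull from the OT data historian.
ALLOWLIST = [
    (ipaddress.ip_network("10.10.50.5/32"), ipaddress.ip_network("10.20.1.10/32"), "tcp", 3389),
    (ipaddress.ip_network("10.10.60.7/32"), ipaddress.ip_network("10.20.2.20/32"), "tcp", 5450),
]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line):
    """Parse one 'src,dst,proto,dport' record (constructed CSV format)."""
    src, dst, proto, dport = (f.strip() for f in line.split(","))
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def crosses_it_to_ot(flow):
    """True when the flow originates in IT and terminates in OT."""
    return flow.src in IT_NET and flow.dst in OT_NET


def is_allowlisted(flow):
    """True when some allowlist entry covers source, destination, proto and port."""
    return any(flow.src in s and flow.dst in d and flow.proto == p and flow.dport == port
               for s, d, p, port in ALLOWLIST)


def audit(lines):
    """Return the IT->OT flows that are not covered by the allowlist."""
    violations = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if crosses_it_to_ot(flow) and not is_allowlisted(flow):
            violations.append(flow)
    return violations


# Constructed sample records: two permitted paths, two violations from an
# ordinary IT workstation (SMB to the HMI, RDP to an engineering station),
# one IT-internal flow and one OT-internal flow.
SAMPLE_FLOWS = """
# src,dst,proto,dport
10.10.50.5,10.20.1.10,tcp,3389
10.10.60.7,10.20.2.20,tcp,5450
10.10.23.41,10.20.1.10,tcp,445
10.10.23.41,10.20.3.30,tcp,3389
10.10.23.41,10.10.9.9,tcp,445
10.20.1.10,10.20.2.20,tcp,502
""".strip().splitlines()

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"IT->OT flow outside allowlist: {v.src} -> {v.dst} {v.proto}/{v.dport}")
```

Running the script on the constructed records reports the two workstation-originated flows into the OT range; a real deployment would feed it the boundary device's exported flows and treat any hit as a segmentation violation to investigate.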

The most egregious error, however, seems to stem from the unnamed facility’s cyber-incident plan. According to CISA, “the victim’s emergency response plan did not specifically consider the risk... Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.” As a result of this, CISA gave a detailed step-by-step mitigation plan for any at-risk facilities vital to U.S. energy infrastructure. Some of the fixes include exercising the “ability to failover to alternate control systems” and identifying “single points of failure (technical and human) for operational visibility.”

Any key point of a nation-state’s infrastructure, be it energy or otherwise, will come under attack at some point. As this incident shows, the U.S., in particular, is not prepared for a large-scale cyberattack. Those in charge of decision-making, more specifically cybersecurity policy, need to use this incident as a wake-up call.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
