
Ransomware Hits Gas Pipeline Facitlity – DHS Warns Critical Industries to Plan and Prepare for Cybeattacks
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to help system administrators prepare for and defend against malware attacks targeting critical industries. The facility suffered a loss of productivity but fortunately did not lose control of facility operations. The company’s operations were disrupted at one gas facility as a direct result of the cyberattack. Their gas compression facilities in other geographical locations were not impacted by the ransomware but had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.
The ransomware was successfully delivered to an unnamed gas compression facility via spear phishing to gain access to the company’s IT network which was used to compromise their operational technology (OT) network. An operational technology network monitors and controls industrial equipment and processes like those used in critical infrastructure. Ransomware was deployed on the OT network to encrypt data and interrupt availability of systems. Windows-based machines on both the IT and OT networks were compromised.
CISA is provided an alert to help system administrators guard against malware attacks after a ransomware attack caused an oil pipeline facility to shut down for two days while the cyberattack was mitigated and computer systems were restored. Although malware can and has attacked all types of businesses, cyber attacks on critical industries can have the most crippling affect. The critical industries, or critical infrastructure sectors, defined by Presidential Policy Directive 21 are the Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Bases, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, Waste, Transportation, and water and Wastewater systems.
Operations were shut down for about two days while the networks were cleaned and recovered.
Preparing for Cyberattacks
The target of this ransomware attack had an existing emergency response plan, but it did not focus on cyberattacks as a possible scenario.
- Require Multi-Factor Authentication to access the OT and IT networks from external sources from remote connections
- Implement regular Data Backup procedures
- Restrict user account access to a level of permission
- Schedule regular backups of critical data
- Use reliable antivirus software to protect computers from visiting malicious websites and to detect phishing emails
- Train employees on how to spot phishing emails and recognize spoof websites
- Disable macro scripts from Microsoft Office files sent as email attachments
All computers, laptops, and smartphones should be kept up to date with the latest security patches for operating systems and all apps installed in the devices. Users should avoid connecting to any personal or work accounts over public WiFi connections. Using a virtual private network (VPN) to encrypt data, emails, and activity from mobile devices. In January 2020 Microsoft stopped supporting Windows 7 computers in favor of their Windows 10 operating systems. Laptops and computers that were running Windows 7 are older do not have features like facial recognition and fingerprint scanning. Upgrading to a new computer or getting a new phone can provide extra security layers of security for two-factor authentication.
What is Spear Phishing?
Spear phishing is a type of email that is used to initiate cyber attacks, deliver malware, steal money, or collect more information from a specific target or targets. While phishing emails accomplish similar attacks, the hacker sending the spear phishing email already knows some information about the recipients That information is used to personalize the email and make it seem familiar to the recipient. Personal information about spear phishing targets is often taken from social media accounts and corporate websites. Addressing the email recipient with topics, names, and requests that are relevant to their workplace make the malicious emails more believable to the reader and make it more likely that the user will follow the instructions in contained in the message. For example, human resource personnel may be targeted with requests for tax information or direct deposit changes. Employees who deal with accounts payable may be tricked into wiring money to an account hacker’s control.
In January CISA issues a bulletin warning the public about an increase in Emotet malware attacks a banking Trojan which spreads via malicious email attachments.
Over 1,000 schools in the United States were impacted by successful ransomware attacks. The city of Baltimore, Maryland has been successfully attacked twice. Three cities in Florida and the City of New Orleans were crippled attacks in 2019.
Last week, CISA release a Malware Analysis Report about a North Korean malware know has HOPLIGHT. That malware first appeared in November 2019 and is believed to be the work of an advanced persistent threat group known as Hidden Cobra in November 2019. Early in January 2020, the United States assassinated Iranian Revolutionary Guards Corps Quds Force commander Qasem Soleimani in Baghdad. System administrators prepared an onslaught of cyberattacks and in the following weeks cyberattack attempts against the United States tripled. Previous Iranian attacks targeted the Navy Marine Corps Intranet. Hackers successfully breached the control system of a dam in Rye, New York. In 2013. Two years later, in a separate malware cyberattack, hackers infected 35,000 office computers owned by Saudi Aramco with malware.