Hackers have installed ransomware on systems of a natural
gas compression facility in the United States, affecting the operational
technology (OT) network, including human-machine interfaces (HMIs), data
historians, and polling servers.
The Cybersecurity and Infrastructure Security Agency
(CISA) offered details of the attack in an effort to inform other organizations
about the danger of such intrustions and mitigation techniques.
In this case, a human served as the entry point for the
hackers. Someone fell for a phishing email that contained a link that triggered
the installation of malware. After the hackers had access to the network,
infecting it with ransomware was easy.
While the attack on the natural gas compression facility could
inflict a lot of damage, the hackers lacked access to programmable logic
controllers (PLCs), so the company didn’t lose control of the actual operation.
This was one of the more fortunate cases, where the
organization had quick access to backups, and restoration only took a couple of
days.
“The victim’s existing emergency response plan focused on
threats to physical safety and not cyber incidents,” says the advisory. “Although
the plan called for a full emergency declaration and immediate shutdown, the
victim judged the operational impact of the incident as less severe than those
anticipated by the plan and decided to implement limited emergency response
measures.”
Mitigation measures recommended by CISA include network
segmentation, multi-factor authentication, data backups, specific Account Use
Policies and Users Account control, spam filters, endpoint protection,
disabling office macro scripts, and keeping software up to date. All of these
are just the basic protections any company and organization should employ.
The CISA advisory doesn’t say what type of ransomware was
used, how much ransom was requested, or name the hackers, but Ryuk and
Sodinokibi have been used in the past on industrial systems.