The Department of Homeland Security’s cybersecurity agency released an alert Feb. 18 that said it had responded to a ransomware attack on an unnamed pipeline operator.
But this cyberattack was more complex than other ransomware attacks. Though the attacker entered the network through the operator’s information technology network, it then targeted the operational technology network, which controls hardware and software on industrial control systems, according to the alert from the DHS Cybersecurity and Infrastructure Security Agency.
After infiltrating the OT network, the actor deployed ransomware on both networks.
Though the victim of the attack never lost control of operations, the attack on the natural gas operator resulted in operations being shut down for two days and disrupted business.
“Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies,” the CISA alert read.
The attack, in which the threat actor enters a network and moves through it to identify critical assets, may be a sign of what’s next in ransomware, according to one threat intelligence company.
“This is what we call post-compromise ransomware deployment and [it] is what we are seeing as the next trend in ransomeware [sic] (definitely including critical and industrial sectors),” said Nathan Brubaker, senior manager for FireEye’s Cyber Physical Team, in a statement.
The attack approach, Brubaker said, allows the threat actor to identify critical systems and disable security processes, ultimately allowing them to “cast wider nets that impact critical systems.”
“As a result, they are better positioned to negotiate and can often demand much higher ransoms — which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves,” said Brubaker.
According to Kyle Miller, chief technologist at Booz Allen Hamilton, a threat actor moving from the IT network into the OT network is something he sees “more frequently.”
“We’ve seen a rise in targeted ransomware attacks that select one target and dive deeper into the network, which seems to be what happened here,” Miller said in a statement. “We are also seeing an uptick in threat actors trying to target softer environments like OT systems where things like backup and traditional security and anti-virus technologies aren’t always present.”
According to analysis by Dragos, an industrial control system security company, the event is “likely” the same as a ransomware attack on a U.S. Coast Guard facility in the last week of December. The unnamed company in that attack had to shut down operations for 30 hours.
The alert from CISA said that the operator had failed to put a robust boundary between the IT and OT environments. The organization also had not included cybersecurity in its emergency response plan.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.