A ransomware attack has impacted the operations of a US-based natural gas compression facility, according to a security advisory from the US government.
The advisory, published today, doesn't say when the incident took place, but merely summarizes the event and provides technical guidance for other critical infrastructure operators so they can take precautions against a similar attack.
According to the advisory, published by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA), the incident took place after "a cyber threat actor used a spearphishing link to obtain initial access to the organization's information technology (IT) network before pivoting to its operational (OT) network."
An OT network is distinct from an IT network. It is the network that holds the workstations used to manage critical factory equipment and other factory operations, whereas IT networks are usually dedicated to office and other administrative work. In theory, IT and OT networks should be air-gapped.
CISA says that after gaining access to the OT network, the attacker then deployed commodity ransomware that encrypted the company's data on both the IT and OT networks at the same time, for maximum damage, before requesting a ransom payment.
CISA says the ransomware did not impact any programmable logic controllers (PLCs), which are small sensors and devices that interact directly with factory equipment.
However, CISA says that data from other related industrial systems, such as human-machine interfaces (HMIs), data historians, and polling servers, could not be aggregated and read by human operators, resulting in a partial loss of visibility into the pipeline facility's operations for its own staff.
CISA says that the pipeline operator decided to implement "a deliberate and controlled shutdown to operations" as a precaution and to avoid any incidents.
The pipeline operator took this step even though its emergency plan did not mandate an obligatory shutdown in the case of a cyber-attack.
CISA officials said the shutdown lasted approximately two days, after which normal operations resumed.
Below are CISA's findings and conclusions from its recent investigation into the event:
US officials did not reveal the name of the ransomware strain. However, ICS security firm Dragos believes this is the same ransomware incident disclosed in a US Coast Guard alert last year.