When the air gap is the space between the ears: A natural gas plant let ransomware spread from office IT to ops

Mystery facility hit by 'commodity' infection thought to be Ryuk

By Shaun Nichols in San Francisco


America's Homeland Security this week disclosed it recently responded to a ransomware infection at an unnamed natural gas plant.

The cyber-nasty, described as a common or garden strain of file-scrambling Windows ransomware, did not physically damage any equipment, nor did it touch the programmable logic controllers that directly regulate gas flow at the compression facility, we're told. It did, however, spread from an office computer through the plant's IT network to the operational network of Windows PCs used to monitor the plant, encrypting documents and other data as it went.

"A cyber threat actor used a spear-phishing link to obtain initial access to the organization’s information technology network before pivoting to its operational technology network," Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said in a Tuesday bulletin describing the kerfuffle.

"The threat actor then deployed commodity ransomware to encrypt data for impact on both networks."

CISA did not say where the infection occurred nor what malware code was used. However, infosec outfit Dragos speculated today that the agency is referring to the Ryuk ransomware family, which was used in a 2019 attack reported to the US Coast Guard.



In addition to failing to stop the spear-phishing email that led to the infection, CISA says the plant's operator fell short on separating its IT network from its operational technology network. This made it easier for the malware to move between two networks that should have been isolated from one another, or at least had tight controls on what traffic is allowed to pass between them.

Fortunately, because the attack involved Windows-only ransomware, the malicious code was unable to affect the control systems that directly run the plant. It appears the spear-phisher was more interested in holding files to ransom than specifically disrupting plant operations. Still, with the Windows machines used to monitor the process encrypted, operators could no longer see what the plant was doing, and it had to be shut down while those systems were cleaned up.
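The segmentation failure CISA describes is exactly what a routine audit of firewall or NetFlow records at the IT/OT boundary should surface before ransomware does. The script below is an added example written for this article, not code from CISA, Dragos or the unnamed operator; the three zone address ranges, the allow-list of permitted cross-zone flows and the flow records are all constructed for illustration. It flags every cross-zone connection that is not on the allow-list and ranks IT-to-OT traffic on SMB, RDP, WinRM or RPC (the ports commodity Windows ransomware rides between hosts) as the most serious:

```python
"""Audit flow records for cross-zone traffic that bypasses an IT/OT segmentation policy."""
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout, assumed for this example (not from the CISA bulletin).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),    # office network
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),   # historian replica / jump hosts
    "OT": ipaddress.ip_network("10.30.0.0/16"),    # HMIs, polling servers, PLCs
}

# Ports commodity Windows ransomware commonly uses to move between hosts.
LATERAL_MOVEMENT_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM"}

# Allow-list of cross-zone flows: (src_zone, dst_zone, dport) -> justification.
# Any other cross-zone flow is a violation; note IT never talks to OT directly.
ALLOWED = {
    ("IT", "DMZ", 443): "IT reads the replicated historian over HTTPS",
    ("DMZ", "OT", 502): "DMZ historian polls process data over Modbus/TCP",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def zone_of(addr):
    """Return the zone containing addr, or 'UNKNOWN' if it lies outside every zone."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flow(line):
    """Parse one whitespace-separated record: <timestamp> <src> <dst> <dport> <proto>."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def severity(dst_zone, dport):
    """Rank a violation: anything reaching OT on a lateral-movement port is the worst case."""
    lateral = dport in LATERAL_MOVEMENT_PORTS
    if dst_zone == "OT":
        return "critical" if lateral else "high"
    return "high" if lateral else "medium"


def audit(lines):
    """Return one finding per cross-zone flow that is not covered by the allow-list."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz:
            continue  # intra-zone traffic is out of scope for a boundary audit
        if (sz, dz, f.dport) in ALLOWED:
            continue
        findings.append({
            "ts": f.ts,
            "path": f"{sz}->{dz}",
            "src": str(f.src),
            "dst": str(f.dst),
            "dport": f.dport,
            "service": LATERAL_MOVEMENT_PORTS.get(f.dport, f.proto),
            "severity": severity(dz, f.dport),
        })
    return findings


# Constructed sample flow records for the example (not a real capture).
SAMPLE_FLOWS = """
# ts src dst dport proto
2020-02-10T09:14:02Z 10.10.4.21 10.20.0.5 443 tcp
2020-02-10T09:15:40Z 10.10.4.21 10.30.1.10 445 tcp
2020-02-10T09:16:05Z 10.10.4.21 10.30.1.11 3389 tcp
2020-02-10T09:20:00Z 10.20.0.5 10.30.1.10 502 tcp
2020-02-10T09:21:00Z 10.30.1.10 10.30.1.12 502 tcp
2020-02-10T09:22:00Z 10.10.9.3 10.20.0.5 445 tcp
2020-02-10T09:23:00Z 192.168.1.7 10.30.1.10 80 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"[{finding['severity']:8}] {finding['ts']} {finding['path']:12} "
              f"{finding['src']} -> {finding['dst']}:{finding['dport']} ({finding['service']})")
```

Run against the sample records, the audit ignores the two permitted flows and the intra-OT Modbus poll, and reports four violations: two critical IT-to-OT connections on SMB and RDP (the kind of hop the article describes), an IT-to-DMZ SMB connection, and an HTTP connection into OT from an address that belongs to no defined zone. The allow-list is deliberately a positive list of (source zone, destination zone, port) triples rather than a deny-list of bad ports, so anything not explicitly justified is reported.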

"Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations," CISA noted. "This lasted approximately two days, resulting in a loss of productivity and revenue, after which normal operations resumed."

Malware infections in oil and gas plants have long been seen as a danger, but those cases usually concern purpose-built malware and spyware designed with infrastructure targets in mind. This attack was caused by what Homeland Security calls a "commodity" ransomware infection that was apparently just looking for Windows PCs to lock up.

We asked Homeland Security where the gas plant was located; it declined to comment. You could assume the US government organization is referring to a facility on its home soil. ®
