When the air gap is the space between the ears: A natural gas plant let ransomware spread from office IT to ops

America's Homeland Security this week disclosed it recently responded to a ransomware infection at an unnamed natural gas plant.

The cyber-nasty, described as a common or garden strain of file-scrambling Windows ransomware, did not result in any physical damage to equipment nor any of the programmable logic controller units that directly control gas flow at the compression facility, we're told. It did, however, spread from an office computer through the plant's IT network to the operational network of PCs that monitor the plant, overwriting documents and other data as it went.

"A cyber threat actor used a spear-phishing link to obtain initial access to the organization’s information technology network before pivoting to its operational technology network," Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said in a Tuesday bulletin describing the kerfuffle.

"The threat actor then deployed commodity ransomware to encrypt data for impact on both networks."

CISA did not say where the infection occurred nor what malware code was used. However, infosec outfit Dragos speculated today the agency is referring to the Ryuk ransomware family, which was used in a 2019 attack reported to the US Coast Guard.

Disk-nuking malware takes out Saudi Arabian gear. Yeah, wipe that smirk off your face, Iran

READ MORE

In addition to failing to stop the spear-phishing that led to the infection, CISA says the plant's operator fell short on separating the IT network from the operational systems of the plant. This made it easier for the malware to move between two networks that should have been isolated from one another, or at least better-secured.

Fortunately, because the attack involved a piece of Windows-only ransomware, the malicious code was unable to affect the gas plant control systems that directly controlled operations. It appears the spear-phisher was more interested in holding files to ransom than specifically disrupting plant systems. Still, as a result of the infection, the plant had to be shut down as the monitoring systems were cleaned up.

"Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations," CISA noted. "This lasted approximately two days, resulting in a loss of productivity and revenue, after which normal operations resumed."

Malware infections in oil and gas plants have long been seen as a danger, but those cases usually concern purpose built-malware and spyware designed with infrastructure targets in mind. This attack was caused by what Homeland Security calls a "commodity" ransomware infection that was apparently just looking for Windows PCs to lock up.

We asked Homeland Security where the gas plant was located; it declined to comment. You could assume the US government organization is referring to a facility on its home soil. ®