Oil refinery plant at twilight.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory following a ransomware attack on a natural gas compression facility.

In the warning, CISA announced that a “cyber threat actor used a Spearphising Link to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network. The threat actor then deployed commodity ransomware…on both networks,” adding that the facility was out of commission for two days. 

While CISA declined to give specifics regarding the date of the attack or the facility that was affected, it did point out several shortcomings in their cybersecurity readiness, including:

  • The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.
  • Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.
  • The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.

The type ransomware in the attack is unknown, but has been speculated by security researchers to be EKANS, a relatively recently discovered malware strain that specifically targets industrial environments.