Ransomware Shuts Gas Compressor for Two Days in Latest Attack

February 19, 2020 by

A recent ransomware attack caused a U.S. natural gas compressor facility to shut for two days, the latest in a string of attacks targeting the country’s energy infrastructure over the past few years.

Hackers sent emails with a malicious link to gain control of the facility’s information technology system, the Department of Homeland Security said Tuesday in an alert. The agency didn’t say which facility was targeted, when the attack occurred or who was behind it.

It appears likely that the attacker explored the facility’s network to “identify critical assets” before executing the ransomware attack, according to Nathan Brubaker, a senior manager at the cybersecurity firm FireEye Inc. This tactic — which has become increasingly popular among hackers — makes it “possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators,” he said.

The DHS alert comes amid increased concern about whether aging U.S. energy facilities are equipped to ward off cyber-attacks that could result in power failures and disruptions to oil and natural gas supply. In 2018, several pipeline companies saw their electronic systems for communicating with customers shut down after being targeted by hackers.

Regulators have urged better oversight for pipeline cybersecurity, which is overseen by the Transportation Security Administration. DHS announced in 2018 that it was working with the TSA and the Department of Energy on a pipeline cybersecurity initiative.

Operations at the facility have been restored, according to an official at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, who requested anonymity to speak about the matter. The official said the incident illustrates the risk that ransomware poses to industrial control systems.

Though the hackers didn’t gain control of the gas compression facility, the operator decided to perform a controlled shutdown after being unable to read and aggregate real-time operational data from certain devices.

While ransomware is usually designed to block access to a computer system until a sum of money is paid, the DHS notice didn’t specify what the hackers were demanding in the gas compressor cyber-attack. The facility’s emergency response plan didn’t specifically address the risk of cyber-attacks, DHS said.

–With assistance from Sayer Devlin.