Ransomware Attacks Disrupting United States Pipeline Operations
The United States Cybersecurity and Infrastructure Security Agency (CISA) recently released a bulletin describing a ransomware attack on a US natural gas pipeline operator; highlighting how even well-regulated and normally well-secured industries can fall victim to cyber attack if security controls are not regularly tested and refined both individually and while working in tandem.
While a ransomware attack of this nature isn’t unusual, unfortunately; the fact that this attack disrupted a major manufacturing industry is, in fact, unusual - especially in that it disrupted even the highly secured Operational Technologies (OT).
According to CISA, the ransomware attack began with targeted phishing techniques, then used off-the-shelf ransomware technologies to encrypt systems both within the sphere of the Information Technology platforms and the OT platforms alike.
Luckily the pipeline operator was able to limit the spread of the malware and contain it within one operational location; allowing another physical location to take over management of operations and minimizing production impacts. There was still a significant recovery operation required, and as such there was a significant business impact even though overall production was not disrupted.
Cybercriminals Stepping Up Their Phishing and Ransomware Attacks
There are two primary areas of concern with this particular attack: susceptibility to phishing attacks overall, and the ability of the malware to jump from general IT platforms into the more-secured OT platforms which could have directly interrupted production and had a knock-on effect on overall commodity output.
Both are significant weak-points in many organizations that have a distinct barrier between general-use technology and special-use technology, such as other manufacturing industries, financial industries, and government operations. Beyond the business impact, this attack shows the vulnerability of large-scale industrial operations to both private-sector and state-sponsored attacks, which is quite a sobering experience.
Phishing itself is a constant threat. With users’ email addresses, and in many cases titles and job descriptions, being public knowledge through social networking platforms and organizational websites; threat actors can easily harvest targeted information on the critical players within any organization.
Combined with other information gleaned from social networks and publicly published data breach dumps, a threat actor can create a highly targeted phishing campaign (commonly known as spear-phishing) to address the attack to just those employees who would have operational access and/or oversight over the systems the threat actor wishes to compromise.
Highly successful spear-phishing campaigns can yield direct access to desktops, laptops, and in some cases, server and cloud technology platforms. This is a change from only a few years ago - where phishing was primarily broad-based and the ability to gain a foothold where the threat actor wanted to be was largely based on luck.
How This Phishing Attack Bypassed Traditional Email Security Filters
Moving from a less-secure to a more-secure networking segment is also troubling. In a normal operational procedure, such networks should be strictly segregated - often by the physical disconnection between the two segments unless direct data transfer is required.
This ensures that a wildfire event (rapid spread of malicious software or influence) is contained within the less-secure segment; and has no means to progress into the more-secured segment directly. The indirect spread is always a possibility, controlled primarily through enforcement of data hygiene policies and procedures.
In this case, a combination of factors led to a complete infiltration of the malware throughout the first physical location:
First, email filtration systems failed to properly identify phishing emails as malicious intent. While no filtering system is perfect, artificial intelligence and deep learning technologies (currently in use by multiple email hygiene vendors) are capable of detecting a large percentage of such targeted spear-phishing campaigns and either quarantining or entirely removing them from the organization’s mail stream.
Secondly, users were susceptible to the phishing attack. Once again, no system of training and testing is perfect, but well-defined security awareness training can help ensure that users can withstand many threat attempts.
Reinforcement with disciplinary action for those users who show themselves to be uninvolved with the security process; such as by demonstrating repetitive behaviors that indicate they are not examining emails from unknown senders before interacting with them further closes the loop and helps defend the organization.
While disciplinary action is never a primary strategy; targeted negative reinforcement when clear indicators of inefficient and/or outright negligent behaviors are observed can be a useful tool when other options for enforcing email security protocols have failed.
Additionally, the malware used was well-known; indicating that filtration systems at the firewall, proxy, and content filtering layers of the organization’s security controls were insufficient. Detection of known malware as users attempt to download it via links both known malicious and unknown is critical.
Many obfuscation techniques can be used to bypass such scanning, but attempting to determine file intent is a useful component of an overall security protocol. The failure of endpoint defense systems to detect either the malware by signature or heuristic examination or via behavioral detection was also at fault.
Endpoint defenses - the last line of defense against executable files and macro-based attacks - are a vital component of any security protocol set and must be adaptable to the latest identified threats. As this attack used a known set of commonly-available ransomware tools, the endpoint solution should have contained the attack well before it began to spread.
Finally, strict network segmentation is a necessity when dealing with multiple layers of security cordons. In this case, the malware was able to propagate using known methodologies from a less-secure IT infrastructure into the higher-security OT infrastructure unfettered. The segregation between such networks should, if possible, be physical or through strict policy enforced by security controls.
Layers of redundancy in these policies and controls combined should prohibit - in this example - unauthorized application movement between less-secure networking into a more-secured network in the same way as these policies and controls prohibit secure data from flowing into the less-secure network.
Unfortunately, the prevailing set of controls for most organizations primarily focuses on prohibiting sensitive information from traveling into the lesser-security network, allowing for attacks like this to propagate in the opposite direction easily.
How Breach and Attack Simulation Can Prevent Phishing Attacks Like This
In summary, the attack detailed by CISA represents not a failure of a single set of security controls, but the failure of multiple controls when working in tandem with each other - or not working as was the case here.
Leveraging comprehensive Breach and Attack Simulation platforms like Cymulate can thoroughly test the effectiveness of each control, but also the impact the controls have when working in conjunction with each other and with the users that operate on them.
Phishing Awareness, Email Gateways, Network Segmentation and many other components must work as expected and work together as effectively as they do individually. Comprehensive simulation of multiple threat methodologies - not the pinpoint testing of a penetration test or the overall awareness of potential issues that vulnerability testing can bring - will be the way that avenues of attack such as this one are prohibited from wreaking havoc on vital production systems.