DHS Discloses Ransomware Attack on US Gas Pipeline Operator

A ransomware attack has impacted the operations of a US-based natural gas compression facility, according to a security advisory from the US government.


The advisory, published today, doesn't say when the incident took place, but merely summarizes the event and provides technical guidance for other critical infrastructure operators so they can take precautions against a similar attack.


How the attack unfolded


According to the advisory, published by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA), the incident took place after "a cyber threat actor used a spearphishing link to obtain initial access to the organization's information technology (IT) network before pivoting to its operational (OT) network."


An OT network is different from an IT network. It's a network with workstations for managing critical factory equipment and other factory operations. IT networks are usually dedicated to office and other administrative work. In theory, IT and OT networks should be air-gapped.
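The pivot described above (initial access on the IT side, then movement into OT) is exactly what a defender wants to see in the network telemetry before a payload lands. The following is an added example, not code from the advisory, CISA or the article; it audits flow records for any IT/OT boundary crossing that is not on an explicit allowlist. The subnets (10.10.0.0/16 for IT, 10.20.0.0/16 for OT), the single sanctioned jump-host-to-engineering-workstation rule, and the sample flow lines are all constructed assumptions for illustration.

```python
"""Flag network flows that cross the IT/OT boundary outside an explicit allowlist.

Added example (not from the CISA advisory or the article). The subnets, hosts,
ports and log lines below are constructed assumptions used for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed address plan: IT (office/admin) on 10.10/16; OT (HMIs, data historians,
# polling servers) on 10.20/16.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")

# The only sanctioned crossing in this constructed environment: a hardened jump
# host reaching one engineering workstation over RDP. Anything else that crosses
# the boundary, in either direction, is a finding.
ALLOWED_CROSSINGS: Set[Tuple[str, str, int]] = {
    ("10.10.5.20", "10.20.1.10", 3389),
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form: ts,src,dst,dport,proto."""
    ts, src, dst, dport, proto = (field.strip() for field in line.split(","))
    ipaddress.ip_address(src)  # validate early; raises ValueError on junk input
    ipaddress.ip_address(dst)
    return Flow(ts, src, dst, int(dport), proto.lower())


def zone(addr: str) -> str:
    """Map an address to the segment it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in IT_NET:
        return "IT"
    if ip in OT_NET:
        return "OT"
    return "OTHER"


def classify(flow: Flow) -> Optional[str]:
    """Return a finding if the flow crosses IT<->OT without approval, else None."""
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)
    if src_zone == dst_zone or "OTHER" in (src_zone, dst_zone):
        return None  # intra-zone or out-of-scope traffic is not a boundary crossing
    if (flow.src, flow.dst, flow.dport) in ALLOWED_CROSSINGS:
        return None
    return f"unsanctioned {src_zone}->{dst_zone} flow to {flow.proto}/{flow.dport}"


def audit(lines: Iterable[str]) -> List[Tuple[Flow, str]]:
    """Run every record through classify() and collect the findings."""
    findings: List[Tuple[Flow, str]] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            findings.append((flow, reason))
    return findings


def it_hosts_touching_ot(findings: List[Tuple[Flow, str]]) -> Dict[str, Set[str]]:
    """Group IT sources by the OT hosts they reached. One IT host fanning out
    across several OT systems is the pattern to escalate first."""
    fanout: Dict[str, Set[str]] = {}
    for flow, _ in findings:
        if zone(flow.src) == "IT" and zone(flow.dst) == "OT":
            fanout.setdefault(flow.src, set()).add(flow.dst)
    return fanout


# Constructed sample telemetry: one approved jump-host session, then an ordinary
# IT workstation reaching two OT hosts over SMB, plus a reverse OT->IT connection.
SAMPLE_FLOWS = [
    "# ts,src,dst,dport,proto",
    "2020-02-18T10:01:02Z,10.10.5.20,10.20.1.10,3389,tcp",
    "2020-02-18T10:03:15Z,10.10.3.44,10.20.1.10,445,tcp",
    "2020-02-18T10:03:16Z,10.10.3.44,10.20.1.11,445,tcp",
    "2020-02-18T10:04:00Z,10.10.3.44,10.10.8.9,445,tcp",
    "2020-02-18T10:05:00Z,10.20.1.10,10.10.3.44,49152,tcp",
    "2020-02-18T10:06:00Z,10.20.1.10,10.20.1.50,502,tcp",
]

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for flow, reason in results:
        print(f"{flow.ts} {flow.src} -> {flow.dst}: {reason}")
    print("IT hosts fanning out into OT:", it_hosts_touching_ot(results))
```

On the constructed sample this reports three findings (two IT-to-OT SMB flows from 10.10.3.44 and one OT-to-IT return connection) and singles out 10.10.3.44 as the IT host that reached two OT systems. The allowlist is the enforcement of the "in theory, air-gapped" statement: in practice a small number of crossings are unavoidable, so the useful check is whether every crossing is one you already wrote down.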


CISA says that after gaining access to the OT network, the attacker then deployed commodity ransomware that encrypted the company's data on both the IT and OT networks at the same time, for maximum damage, before requesting a ransom payment.




CISA says the ransomware did not impact any programmable logic controllers (PLCs), which are small sensors and devices that interact directly with factory equipment.


However, CISA says that data from other related industrial processes, like human-machine interfaces (HMIs), data historians, and polling servers, could not be aggregated and read by human operators, resulting in a partial loss of insight into the pipeline facility's operations by its own staff.


Pipeline operator shut down ..
