Ransomware hits U.S. gas pipeline operator (Includes interview)

News about the attack has come from the U.S. Department of Homeland Security. According to the BBC, the report does not name the facility or its location. The attack on the utility was, however, sufficiently severe that it caused the shutdown “of the entire pipeline asset”. The shutdown lasted for two days.

In the ransomware incident, a cyber threat actor used a Spearphishing Link to obtain initial access to the organization’s information technology (IT) network before pivoting to its Operational Technology (OT) network, according to the U.S. Cybersecurity and Infrastructure Security Agency. An OT network differs from an IT network: it is, according to ZD Net, a network with workstations for managing critical factory equipment and other factory operations.

The attacker proceeded to deploy commodity ransomware to ‘Encrypt Data for Impact’. With this technique, the threat actor renders stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key.

Spearphishing with a link is a specific variant of spearphishing. It differs from other forms of spearphishing in that it uses links in the email to download malware, instead of attaching malicious files to the email itself (the reason for this is to avoid defenses that may inspect email attachments).

Digital Journal reached out to Dr. Vinay Sridhara, CTO of Balbix, for comment. The security expert tells Digital Journal: “This is yet another breach where humans are the easiest path to infiltration by attackers.” This is because the source of the attack was an email containing malicious code.

Sridhara continues: “As with other high profile events, this one propagated from a lower value target to an extremely high value target.” He then goes on to explain how the attack moved through the process: “Starting with a targeted phishing attack, the adversary then pivoted across networks, eventually using commodity ransomware to encrypt critical infrastructure data.”

In terms of lessons to be learned, Sridhara notes: “Organizations, especially those protecting critical assets, must ensure that propagation risk doesn’t overshadow other efforts to protect those assets.”

In addition, Sridhara states: “The organization also cited ‘gaps in cybersecurity knowledge and the wide range of possible scenarios.’ Every organization’s attack surface is huge, and grows with digital transformation and with the ever increasing number of attack methods available to adversaries, leaving an unlimited number of things that can go wrong.”

The expert concludes by stating: “Cybersecurity is no longer a human scale problem, so risk-based prioritization, across all assets and attack vectors, must form the basis for information security decision making.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
