Ransomware Attack Breaches U.S. Compressor Station

The U.S. Dept. of Homeland Security (DHS) said Feb. 18 that a ransomware attack recently caused a gas compressor facility to shut down for two days.

Following standard DHS protocol, the alert (AA20-049A) did not disclose the name of the facility, its location, or the date of the attack. DHS also did not say if a ransom demand was actually made.

Hackers used a spearphishing link sent through email to gain access to the owner’s information technology (IT) network and then pivoted to its operational technology (OT) network. The hackers used ransomware to encrypt data on both networks.

On the OT network, the attack affected ‘human machine interfaces (HMIs), data historians, and polling servers. Windows-based assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial loss of view for human operators.

“The attack did not impact any programmable logic controllers and at no point did the victim lose control of operations,” DHS said.

It said the victim’s emergency response plan focused primarily on physical threats and did not specifically consider the risks posed by cyberattacks, so employees lacked training for such occurrences. The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process.

“Although the direct operational impact of the cyberattack was limited to one control facility, geographically-distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days,” DHS said.