A pipeline was shut down for two days following a ransomware attack on a natural gas facility that wasn't prepared for such an attack, according to the Department of Homeland Security (DHS).
The DHS' Cybersecurity and Infrastructure Security Agency (CISA) didn't say in its security alert when or where the attack happened, nor did it name the facility that was targeted.
The hackers targeted the facility using spearphishing, when attackers trick a victim into clicking a malicious link, but rather than use a shotgun approach they send the link to specific individuals. That gave the attackers access to the company's wider IT network, which they used to access the operational technology network.
The DHS said the hackers were then able to leap from the standard IT network to the operational side because the victim failed to properly segment them. The attack was limited because the hackers used commodity ransomware that only targeted Windows-based computers, and physical processes were run on different systems.
"It appears in this case that the threat actor carried out some initial intrusion and lateral movement work probably to identify critical assets prior to deploying the ransomware," said Nathan Brubaker, senior manager for the cyber physical team at FireEye. "This is what we call post-compromise ransomware deployment and is what we are seeing as the next trend in ransomware."
"In post-compromise ransomware incidents, a threat actor first gains privileged access to a victim’s environment where they can explore target networks and identify critical systems before deploying the ransomware," said Brubaker. "This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators."
While the attack interfered with specific tools used by the facility, at no point was control of operations lost, the alert notes. The shutdown was instead sparked by the facility's emergency response plan, and while normal operations have since resumed, the outage led to closures at other plants nearby.
"A natural gas pipeline having to shut down for two days from a spear-phishing attack is yet another example of the real world implications of cyber on critical national infrastructure," said Stuart Reed, VP of cyber security at Nominet. "This has knock on effects for customers and partners who rely on that supply to conduct their own business, not to mention putting the gas facility in a difficult position."
Recovery was possible by finding replacement equipment, suggesting no ransom was paid. Though the attack was limited by the Windows-focused ransomware, the impact was worsened by lack of preparation — it had planned for a physical attack, not a virtual one. "The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning," the DHS said.
Max Vetter, chief cyber officer of Immersive Labs, said that highlighted the importance of security skills across an organization. "Security professionals talk a lot about making sure you have bought all the right tech to protect your company but far less often about the skills you need to protect the company, and this needs to change," he said.
"In particular, the organization said that staff were not adequately prepared for this type of attack in their cyber crisis scenario planning," he added, advising all companies — especially those running critical national infrastructure in particular — to run frequent crisis simulations to be better prepared. "Unfortunately, many security employees across all industries are probably looking at this example and thinking that they would not have been prepared either," Vetter added.
The recent rise of ransomware targeting public organizations, the government and critical infrastructure sparked the FBI to last year ask the private sector for security help. That's possibly a wise move after high-profile attacks against Travelex and LifeLabs, as well as government agencies in the state of Louisiana and Texas, as well as Baltimore and Las Vegas.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
