Last updated at Tue, 24 May 2022 20:23:36 GMT

The energy, utilities, and industrials vertical has long been a significant target for criminals and state-sponsored threat actors. The May 2021 DarkSide ransomware attack on the US Colonial Pipeline operation became one of the most high-profile examples of these long-standing threats because of the gasoline supply shortages it caused. However, it was not the first time ransomware operators had hit an energy pipeline operation, nor was it the most severe from a purely technical perspective – only in terms of its market impact.

According to reports, the Colonial attack did not affect the pipeline's operational technology (OT) but only the operator's IT, including its billing system. This led some to believe that the company suspended supply operations simply because it could not bill customers. However, CEO Joseph Blount said in his June 9 US Senate testimony that the decision to shut down the pipeline was preemptive, made under the assumption that the OT might also have been compromised. Either way, the incident illustrates that an IT compromise of an organization that also runs OT can disrupt its industrial operations even when the attackers never move laterally into the more sensitive OT network: the organization may be compelled to shut down its OT environment, as in this case, either as a precaution or because it can no longer carry out the business processes (such as billing) that the operation depends on.

In contrast, the Cybersecurity and Infrastructure Security Agency (CISA) reported in February 2020 that a ransomware attack on a US natural gas compressor station did succeed in moving from the IT network into the OT environment. The attackers first gained a foothold on the IT network via a malicious link in an email and deployed ransomware there; because segmentation between the IT and OT networks was insufficient, the ransomware was able to spread into the OT network as well.

The operators of the facility lost access to human machine interfaces (HMIs), data historians, and polling servers, and with them part of their ability to monitor operational data. Because the ransomware targeted only Windows hosts, the programmable logic controllers (PLCs), which do not run Windows, were unaffected; had they been, staff would have lost the ability to control the process itself, not just to see it. The attack directly affected only a single compressor station, but because the operator took that station offline for roughly two days in response, the disruption propagated to the whole pipeline operation.
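The root cause CISA identified in that incident was that IT hosts could reach OT hosts at all. One practical way to find out whether your own boundary is as porous is to run flow records (firewall logs, NetFlow, or span-port captures summarized to tuples) against an explicit IT-to-OT allow list and flag everything else, prioritizing the Windows propagation protocols that ransomware rides on. The following is an added example written for this page, not code from Rapid7 or from the CISA report; the address plan, the allow list, and the flow records are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (an assumption for this example, not from the report).
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.100.0/24")]

# Hypothetical policy: the only IT->OT flows permitted are a hardened jump host
# reaching the historian over HTTPS and the HMI server over RDP.
ALLOWED_IT_TO_OT = {
    ("10.10.5.20", "192.168.100.10", 443),
    ("10.10.5.20", "192.168.100.11", 3389),
}

# Services Windows ransomware commonly uses to spread between hosts. An
# unpermitted IT->OT flow on one of these is the highest-priority finding.
PROPAGATION_PORTS = {445: "SMB", 3389: "RDP", 135: "RPC", 5985: "WinRM", 5986: "WinRM/TLS"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def crosses_it_to_ot(flow, it_nets=IT_NETS, ot_nets=OT_NETS):
    """True when the flow originates in an IT subnet and terminates in an OT subnet."""
    return _in_any(flow.src, it_nets) and _in_any(flow.dst, ot_nets)


def find_boundary_violations(flows, allowed=ALLOWED_IT_TO_OT):
    """Return (flow, severity, service) for every IT->OT flow not on the allow list.

    Flows that stay inside IT or inside OT are ignored; so are allow-listed flows.
    Everything else crossing the boundary is a segmentation finding. Flows on a
    known propagation port are 'high', any other unexpected crossing is 'medium'.
    """
    findings = []
    for f in flows:
        if not crosses_it_to_ot(f):
            continue
        if (f.src, f.dst, f.dport) in allowed:
            continue
        severity = "high" if f.dport in PROPAGATION_PORTS else "medium"
        findings.append((f, severity, PROPAGATION_PORTS.get(f.dport, "unlisted")))
    return findings


def parse_flow_log(lines):
    """Parse constructed 'src dst dport proto' records into Flow objects."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


# Constructed sample flow records (not real traffic). Lines 3-5 are the kind of
# IT->OT reachability that let ransomware cross into the compressor station's OT.
SAMPLE_LOG = """
# src dst dport proto
10.10.7.44 10.10.7.45 445 tcp
10.10.5.20 192.168.100.10 443 tcp
10.10.7.44 192.168.100.11 445 tcp
10.10.7.44 192.168.100.12 3389 tcp
10.10.9.3 192.168.100.20 502 tcp
192.168.100.11 192.168.100.12 445 tcp
"""

if __name__ == "__main__":
    for flow, severity, service in find_boundary_violations(parse_flow_log(SAMPLE_LOG.splitlines())):
        print(f"[{severity}] {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} ({service})")
```

Run against the constructed records, the script reports two high-severity findings (an IT workstation reaching OT hosts over SMB and RDP) and one medium finding (an IT host talking Modbus/502 directly to an OT device); the IT-internal SMB flow, the OT-internal flow, and the permitted jump-host connection are ignored. Feeding real firewall or NetFlow exports through the same logic, with the real allow list, is a cheap way to verify that the segmentation an architecture diagram promises actually exists on the wire.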

The Colonial incident was also not the first time members of the DarkSide Ransomware-as-a-Service (RaaS) affiliate program had targeted critical energy infrastructure. Rapid7 coverage of underground criminal communities revealed that, in early February 2021, DarkSide RaaS affiliates disclosed more than 1TB of data they claimed to have obtained from a breach of Companhia Paranaense de Energia (Copel), an electric utility in the Brazilian state of Paraná. The data included user credentials taken from the utility's CyberArk (privileged access) storage, network reconnaissance details, backup schedules, phone numbers and email addresses for customers and employees (including senior management), legal and financial documents, and engineering schematics.

Additionally, in December 2020, DarkSide affiliates disclosed data that they claimed to have obtained from a breach of US-based Forbes Energy Services, an independent oilfield services contractor for oil and gas companies in Texas and Pennsylvania. The compromised data included tax and accounts payable information, human resources records, health care information, and board presentations.

Rapid7 coverage of underground criminal communities has yielded other examples of ransomware operators disclosing data they claimed to have obtained from breaches of energy, utility, and other industrial organizations. In the single year preceding the Colonial incident alone, we found 20 such disclosures.

Not just ransomware

Rapid7 threat intelligence coverage of these forums has also yielded several examples of criminals selling access to the compromised networks of energy, utility, and other industrial organizations. Ransomware is a popular way to monetize such access, but it is certainly not the only one: these organizations hold data that criminals can also monetize through identity theft, bank fraud, or follow-on attacks.

Learn more about the energy, utilities, and industrials cyber threat landscape in our new research report, “Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report.”
