Ryuk’ Malware Attacked 5 Oil and Gas Facilities, Says Report

Industry News

January 28, 2020

‘Ryuk’ Malware Attacked 5 Oil and Gas Facilities, Says Report

Recent “ransomware” cyberattacks on the oil and gas sector may have hit five oil and gas facilities, forcing them to revert to manual operations, cybersecurity firm ThreatGEN said.

Two of the victims were clients of the cyber security firm, according to ThreatGEN founder and CEO Clint Bodungen. He said he has reason to believe that three other facilities were also harmed by a hacking campaign that dates back to November and uses a brand of ransomware called Ryuk.

“I’m 99% certain that it was a campaign specifically targeting oil and gas firms,” Bodungen said. He did not name the companies or provide their locations, citing security concerns, but said the firms ThreatGEN worked with did not pay the undisclosed ransoms.

The Ryuk ransomware is infamous for crippling the networks of cities and large organizations across the U.S., holding their information for ransoms that can reach into the hundreds of thousands of dollars. The hackers deploying the ransomware have amassed at least $3 million in payments since it first spread in August 2018, according to one estimate from cybersecurity firm CrowdStrike Holdings Inc.

Ryuk ransomware reportedly crippled computers at state oil company Petróleos Mexicanos in November — a cyberattack that Bodungen believes is part of the same campaign. The company, commonly referred to as Pemex, faced a $5 million ransom demand to unlock its data, according to industry reports. 

In a separate case affecting one of ThreatGEN’s clients, hackers got into the network of one oil and gas facility after an employee opened a phishing email, Bodungen said.

The other facility was compromised through a “watering hole” technique that infected a website the hackers knew employees visit often. Once an employee browsed to the compromised website, attackers were able to break into the company’s computers. The hackers stayed in the network for months before launching the ransomware attack, according to Bodungen.

The hacks did not bring down production at either site, Bodungen said, but remote viewing of the industrial equipment was paralyzed for up to 72 hours, forcing the facilities to go to manual mode until they could load backups to fix the problem. But because the hackers compromised the system months before the attack, the first backup at both of the facilities had also been compromised, Bodungen said, forcing operators to replace the hard drives completely.

“None of the physical processes was actually affected by Ryuk. The only thing that was affected was the remote viewing, monitoring and control of the other SCADA systems,” Bodungen said, referring to a widely used type of industrial control network.

Bodungen says the cyberattacks were similar to one that prompted an alert from the U.S. Coast Guard in December that described a facility being shut down by the Ryuk ransomware. The ransomware moved from the corporate information technology network to the industrial control systems that operated cargo transfers, disabling the facility for over 30 hours, according to the report.

But Bodungen said he disagrees with part of the alert that indicated Ryuk bypassed the IT network to impact control systems directly. He said that although it’s possible for the ransomware to be modified to do that, he hasn’t seen an updated variation of the malware with industrial control system capabilities.

Bodungen said that the latest Ryuk campaign could have been thwarted if the facilities took some basic precautions.

“Lack of network/threat monitoring, or proper monitoring, in all of these cases contributed to the adversary being able to remain on the network for so long, perform recon, move laterally undetected and weaponize the [active directory network service] until the ransomware was deployed,” Bodungen said.

‘Significant impact’

Worries over regulations of cyberdefenses for the oil and gas sector have been brewing for over a year, and homeland security officials are particularly concerned about securing natural gas pipelines that supply major power plants with fuel (Energywire, July 25, 2019).

Oil and gas facilities may not be as heavily regulated as electric utilities when it comes to cybersecurity, but that doesn’t mean they don’t invest in ramping up their defenses, according to Kyle Miller, chief industrial cybersecurity engineer for Booz Allen Hamilton Holding Corp.

Unlike electric utilities, which tend to focus on meeting regulations, Miller said, oil and gas companies tend to show “a little bit more freeform investment” when it comes to cybersecurity.

“We’ve seen larger investments around building out threat models and trying to understand who the adversaries are; what tools, techniques and procedures they use; and how to specifically defend against those threats,” Miller said.

Others are pushing for more scrutiny of those defenses. Federal Energy Regulatory Commission Chairman Neil Chatterjee has been a staunch proponent of improving cybersecurity oversight for gas pipelines in particular.

“I am concerned that, because of our nation’s growing use of natural gas for power generation, a successful cyber-attack on the natural gas pipeline system could have a significant impact on the electric grid,” Chatterjee said in testimony before the Senate Energy and Natural Resources Committee last year. He added that “more must be done to ensure robust oversight for natural gas pipeline cybersecurity.”

Chatterjee, a Republican, joined Democratic FERC Commissioner Richard Glick to write a 2018 op-ed in Axios calling for Congress to consider moving regulatory authority for pipeline security away from the Transportation Security Administration, which currently oversees it.

There may be some time yet to develop these defenses, as ransomware attacks on oil and gas facilities have remained steady recently, according to an official from the American Gas Association who spoke on background. AGA, which represents hundreds of gas utilities nationwide, developed the Downstream Natural Gas Information Sharing and Analysis Center to feed cybersecurity warnings and information to participating energy companies.

All comments to blog posts will be moderated by ACEC staff.