Ransomware Attack On US Power Station

A ransomware attack on a US natural gas compression facility forced its operator to shut the facility down for two days while it recovered. In a separate incident, a municipal electricity utility in Massachusetts was hit by ransomware and its operator refused to meet the attackers' financial demands.

The Reading Municipal Light Department (RMLD) was targeted by cyber-criminals hoping to extort money by encrypting data on the utility's computer systems. Rather than pay for the return of its files, RMLD hired an outside IT consultant to help it deal with the ransomware infection.

According to records obtained by a local TV station, 1 in 6 Massachusetts communities have been targeted by ransomware and at least 10 have used taxpayers' money to recover encrypted data. RMLD said its IT team had been working tirelessly to identify and isolate the problem, which it believed had been contained; outside help was brought in to make doubly sure that all traces of the malware had been removed.

The attack on the gas compression facility started with a malicious link in a phishing email. When an employee clicked the link, the attackers obtained initial access to the facility's information technology (IT) network, and from there they were able to pivot onto its operational technology (OT) network.

Eventually, both the IT and OT networks were infected with what the CISA advisory on the incident described as "commodity ransomware." The infection of the OT network caused engineers to lose access to several automated resources that read and aggregate real-time operational data from equipment inside the facility's compression operations.

These resources included human machine interfaces (HMIs), data historians, and polling servers. Losing them left engineers with a partial "loss of view": they could no longer see the live state of the process, even though, according to the advisory, the attackers never gained the ability to control or manipulate the compression equipment. Rather than run the facility blind, the operator chose a deliberate and controlled shutdown.
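The pivot described above, from a phished IT workstation onto the OT network that hosts the HMIs, historians and polling servers, is the step a segmented network is supposed to make visible. The following is an added example written for this page, not code from the advisory, from RMLD or from the article: it runs a small IT/OT boundary check over constructed flow records. The zone subnets, the allow-list of permitted cross-zone flows and the sample log lines are all assumptions chosen for illustration.

```python
import ipaddress

# Added example, not code from the advisory, RMLD or the article.
# Zone addressing, the allow-list and the flow lines below are all constructed.

ZONES = {
    "IT":  [ipaddress.ip_network("10.10.0.0/16")],       # corporate desktops, mail, file servers
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],       # replicated historian / data collector
    "OT":  [ipaddress.ip_network("192.168.100.0/24")],   # HMIs, historians, polling servers, PLCs
}

# Ports commodity ransomware commonly uses to spread between Windows hosts.
LATERAL_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}

# Assumed segmentation policy: the only cross-zone flows that should exist.
ALLOWED = {
    ("DMZ", "OT", 502),   # DMZ collector polls OT devices over Modbus/TCP
    ("IT", "DMZ", 443),   # IT users read the replicated historian over HTTPS
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<time> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>'."""
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def check_flows(lines):
    """Return one alert per cross-zone flow that the allow-list does not cover.

    Denied flows are reported too: a blocked SMB attempt from IT into OT is
    still evidence that something on the IT side is probing the OT network.
    """
    alerts = []
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone or (src_zone, dst_zone, f["port"]) in ALLOWED:
            continue
        lateral = f["port"] in LATERAL_PORTS
        severity = "HIGH" if dst_zone == "OT" and lateral else "MEDIUM"
        alerts.append({
            "ts": f["ts"], "src": f["src"], "dst": f["dst"],
            "path": f"{src_zone}->{dst_zone}",
            "service": LATERAL_PORTS.get(f["port"], str(f["port"])),
            "action": f["action"], "severity": severity,
        })
    return alerts


def spreading_sources(lines, threshold=3):
    """Sources outside OT that touched at least `threshold` distinct OT hosts on lateral-movement ports."""
    targets = {}
    for line in lines:
        f = parse_flow(line)
        if zone_of(f["dst"]) == "OT" and zone_of(f["src"]) != "OT" and f["port"] in LATERAL_PORTS:
            targets.setdefault(f["src"], set()).add(f["dst"])
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


# Constructed flow records for a walk-through; the first two are legitimate.
SAMPLE_FLOWS = [
    "12:00:01 10.10.5.23 10.20.0.10 443 ALLOW",          # IT user reads the DMZ historian
    "12:00:05 10.20.0.10 192.168.100.50 502 ALLOW",      # DMZ collector polls an OT device
    "12:01:10 10.10.5.23 192.168.100.20 445 ALLOW",      # IT host opens SMB to an HMI: the pivot
    "12:01:11 10.10.5.23 192.168.100.21 445 ALLOW",      # ... then the historian
    "12:01:12 10.10.5.23 192.168.100.22 3389 DENY",      # RDP to the polling server, blocked
    "12:02:00 10.10.5.23 192.168.100.23 445 ALLOW",      # ... and a fourth OT host
]

if __name__ == "__main__":
    for a in check_flows(SAMPLE_FLOWS):
        print(f"{a['severity']:6} {a['ts']} {a['path']:8} {a['src']} -> {a['dst']} {a['service']} ({a['action']})")
    for src, n in spreading_sources(SAMPLE_FLOWS).items():
        print(f"SPREAD {src} reached {n} distinct OT hosts on lateral-movement ports")
```

In practice the flow records would come from the firewall or span port on the IT/OT boundary. The two design points worth copying are that the allow-list is tiny and explicit, so any cross-zone flow it does not name is an alert rather than background noise, and that a single IT-to-OT SMB or RDP connection is treated as high severity on its own, without waiting for a count to build up: in the incident above, one successful hop was enough to reach the HMIs and historians.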

From their account @readinglight, the company posted: "RMLD’s website, http://rmld.com, is currently unavailable due to a widespread issue our vendor is experiencing. There is no ETA for a resolution at this time. This issue is affecting multiple city and town websites in MA. Updates will be shared as they become available."

Electricity services were not interrupted by the attack, and RMLD said that the grid remains secure. RMLD also said that there were no indications that customers' financial data had been compromised as a result of the attack. Information regarding customers' bank accounts and credit cards is stored in a separate system managed by third-party provider Invoice Cloud.

Online payments remained unaffected by the ransomware attack, as they are handled by Invoice Cloud. RMLD said that prompt payment discounts will be honored despite a potential delay in the carrying over of payments from Invoice Cloud to RMLD’s billing system.

Customer data that may have been exposed in the RMLD attack includes names, addresses, email addresses, and electricity usage records.

RMLD has not confirmed how the ransomware entered its systems, nor has the electricity provider stated how much money the attackers demanded.
   
The attack on the gas facility also had a knock-on effect. While the direct operational impact was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. The result was an operational shutdown of the entire pipeline for the two days.

As industries such as oil and gas become an increasing target for cyber attacks, it is important that organisations share information and work together to counter the threat.

Fortunately, the attackers in this compromise caused no physical damage, but the incident is the latest wake-up call about attacks that could.

Sources: Forbes, Popular Mechanics, Ars Technica, Infosecurity Magazine
