Lansing Board of Water & Light Hit By Ransomware Attack
The Board of Water and Light (BWL) in Lansing, Michigan, was struck by ransomware on Monday, April 25. Only the corporate network was affected, with no disruption to water or energy supplies. The BWL has kept its customers updated through its Twitter feed, but few details (apparently on advice from the FBI) are yet known. Nevertheless, this would seem to be the first disclosed example of a utility being successfully compromised by ransomware.
The incident was announced via a series of tweets when it first occurred. “Today we were the victim of ransomware that came in through a phishing virus and infected our corporate networks. We immediately instated a self-imposed lockdown to all of our corporate networks to protect the system while developing a solution. We are working with local, state and federal law enforcement authorities. No utility functionality has been lost during the attack. No personal customer info has been compromised. Customers are still able to make payments online, in our cust serv center & at kiosks.”
From this we can assume that the ransomware may have encrypted parts of BWL’s corporate network but did not succeed in accessing the operational network and the industrial control systems (ICS).
Yesterday, BWL posted a FAQ on Twitter. It reiterated that it shut down the network itself. On discovering the incident, “as a precaution, we immediately initiated a self-imposed lockdown of all corporate systems.” We don’t know whether the loss of corporate systems was due to the lockdown or ransomware encryption. Nevertheless, we can assume that law enforcement will be taking a very keen interest in the malware involved and the actors who control it: it has got unnervingly close to what is essentially a part of the critical national infrastructure.
Just one month ago, Patrick Coyle, the owner and author of Chemical Facility Security News told SecurityWeek that his personal nightmare for utilities is that “someone will put a critical infrastructure on lockdown with ransomware. That does not take any great process knowledge; just access to the system.”
Ivan Sanchez, a SCADA and ICS security researcher with Nullcode doesn’t believe that the Lansing attacker was targeting the ICS equipment. The malware “wasn’t on the ICS plants’ consoles, HMI devices. I think it was directed only at the IT corporate. But in the future, or maybe the next step, is to go for the plant.”
This needs to be considered in conjunction with Fox-IT’s description of a ransomware investigation it has recently undertaken. The attackers did not simply break into the corporate network and start encrypting data. Using compromised RDP servers, they broke in and then spent several weeks reconnoitering the network. In that example it was in order to know the optimum point that would create the most damage.
It’s not a leap to imagine attackers doing similar with the IT network for other CNI installations, but this time seeking access to the OT network before launching the encryption. “Depending on the topology of the network, ransomware ‘could’ cross to the OT network,” warns Sanchez. “In general ransomware viruses do not work in this way – for the moment.”
This “incident really does highlight how dangerous this type of attack is for communities,” Coyle told SecurityWeek by email. “It is also a poster child for the importance of proper network segmentation. In this case the business office was affected, but customer accounts (billing) and operations were not affected. You have to give the utility credit for properly keeping those networks separated. This makes it much harder for a ransomware attack to shutdown operations.”
He fears that smaller utilities might not be so well organized or prepared, and the malware could potentially get on to the operational network. “Locking down an operations network of an electrical utility is almost certainly going to result in power outages.”
But, reassuringly, Coyle suggests that ransomware is only likely to cause local rather than national difficulties. “I do not believe that a ransomware attack would rise to the level of a national or even regional problem. Network segmentation is almost certainly better maintained at that level. Certainly the separation between business systems (the most likely to be compromised by this type of attack) and operations systems is much better. And the segmentation of the operations systems would also keep the affected areas limited if an attack did reach those systems.”
Last week it was reported that that multiple forms of malware were found in a German nuclear energy plant in Gundremmingen, 75 miles north-west of Munich.
Related: Concerns Raised Over Malware in German Nuclear Plant