In March, US Homeland
Security's Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT) identified an active series of cyber
intrusions targeting natural gas pipeline sector companies.
Various sources provided information to ICS-CERT describing
targeted attempts and intrusions into multiple natural gas
pipeline sector organizations.

Analysis of the malware and
artifacts associated with these cyber attacks has positively
identified this activity as related to a single campaign with
spear-phishing activity dating back to as early as December
2011. Analysis shows that the spear-phishing attempts have
targeted a variety of personnel within these organizations;
however, the number of persons targeted appears to be tightly
focused. In addition, the e-mails have been convincingly
crafted to appear as though they were sent from a trusted
member internal to the organization.

ICS-CERT is currently engaged with
multiple organizations to provide remote and onsite analytic
assistance to confirm the compromise, determine the extent of
infection and assist in removing it from networks. ICS-CERT does
not recommend allowing the intrusion activity to persist within
networks, and it has been working aggressively with affected
organizations to prepare mitigation plans customized to their
current network security configurations to remove the threat
and harden networks from reinfection.

In addition, ICS-CERT recently
conducted a series of briefings across the country to share
information related to the intrusion activity with oil and
natural gas pipeline companies. These briefings provided
additional context of the intrusions and mitigations for
detecting and removing the activity from networks.

ICS-CERT continues to recommend
Defense-in-Depth practices and educating users about social
engineering and spear-phishing attacks. Organizations are also
encouraged to review ICS-CERT's Incident
Handling brochure for tips on preparing for and
responding to an incident. Asset owners/operators who would like
access to the portal or to the alerts can contact ICS-CERT at