In March, US Homeland Securitys Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identified an active series of cyber intrusions targeting natural gas pipeline sector companies. Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations.
Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign with spear-phishing activity dating back to as early as December 2011. Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization.
ICS-CERT is currently engaged with multiple organizations to provide remote and onsite analytic assistance to confirm the compromise, extent of infection and assist in removing it from networks. ICS-CERT does not recommend enabling the intrusion activity to persist within networks, and it has been working aggressively with affected organizations to prepare mitigation plans customized to their current network security configurations to remove the threat and harden networks from reinfection.
In addition, ICS-CERT recently conducted a series of briefings across the country to share information related to the intrusion activity with oil and natural gas pipeline companies. These briefings provided additional context of the intrusions and mitigations for detecting and removing the activity from networks.
ICS-CERT continues to recommend Defense-in-Depth practices and educating users about social engineering and spear-phishing attacks. Organizations are also encouraged to review ICS-CERTs Incident Handling brochure for tips on preparing for and responding toan incident. Asset owners/operators who would like access to the portal or to the alerts can contact ICS-CERT at email@example.com. HP