Assessment on AA20-049A, Report of Ransomware Impacting Pipeline Operations

Details of AA20-049A published by the U.S. Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) (reported in the Security & Resilience Update for February 18, 2020), does not seem to represent newly observed activity.

Based on information shared with ICS cybersecurity firm Dragos, they (and others) assess with high confidence that AA20-049A likely describes a previously reported incident by the U.S. Coast Guard in December. Furthermore, while AA20-049A cites a disruption to OT operations occurred at the facility, analysts believe this was likely due to the lack of robust segmentation between the IT and OT networks (as included in the alert) and shared Windows operating system infrastructure, and not the result of the ransomware specifically targeting ICS. In fact, the alert mentions the deployment of “commodity” ransomware – commodity is typically a term referred to as widely used IT-based, not advanced or specific for specialized systems such as ICS-based environments. Even though the operational disruption lasted nearly two days, available evidence does not indicate the ransomware adversaries specifically targeted ICS operations.

While the activity described in AA20-049A does not appear to represent any additional adversary activity, CISA’s comprehensive mapping of the activity to the MITRE ATT&CK Framework provides asset owners with a more complete set of TTPs with which to defend against. Members are encouraged to review the ATT&CK techniques and mitigations listed in the alert for a better defense strategy against similar activity. Read the assessment at Dragos