Disruptionware: A New Cyber Threat Targeting Critical Infrastructure

Disruptionware is an emerging type of cyberattack calculated not only to disrupt the availability, integrity and confidentiality of victims’ data, systems and networks, but also to interrupt or shut down the essential business operations functions of its victims. More destructive than traditional malware and ransomware attacks which typically only target a victim’s systems and networks, disruptionware attacks target both the “information technology” (IT) and “operational technology” (OT) networks of its victims. In other words, disruptionware attacks target victims’ physical infrastructure and their ability to operate, as well as their networks, systems and/or data.

Disruptionware attacks typically utilize various, more traditional cyberattack “tools” in order to paralyze their victims. Some of the most common tools include ransomware, wipers, “bricking” capabilities, automated components, data exfiltration tools and network reconnaissance tools. Ransomware is the most commonly used tool to effectuate disruptionware attacks, and, similar to other disruptionware tools, is a type of malware that — once released into a victim’s data networks — is highly effective at diagnosing, attacking and shutting down the victim’s business operations.

Disruptionware attacks are expensive and inconvenient for their victims. However, and perhaps more disturbingly, they also pose a danger to the public health and safety. For example, a 2020 disruptionware attack at a German hospital shut down the hospital’s computer systems, making patient and vital health data inaccessible. The attack also targeted the hospital’s OT networks, including shutting down operating room infrastructure, which locked the hospital out of critical life support systems and equipment needed by the medical staff to perform various procedures. As a result, the hospital was unable to complete critical medical procedures, and a patient scheduled for emergency surgery died. Similarly destructive attacks have also victimized at least one U.S.-based hospital system, although, thankfully, without the loss of lives.

While attacks on companies in the health care industry have garnered significant and well-deserved attention, disruptionware attacks have begun to impact companies in many other industries. The energy sector has been particularly susceptible to disruptionware attacks. This is likely due to the fact that most energy sector participant networks are dated and were designed without cybersecurity in mind.  Further, many of these networks still use antiquated legacy Information Control Systems which utilize under-protected and outdated technology. The Institute for Critical Infrastructure Technology (ICIT), which monitors disruptionware attacks, has stated that “all of the power generation facilities, transmission networks, distribution nodes, network operations, and consumer endpoints that interconnect to form the energy sector are susceptible to disruptionware attacks.”

Another reason that the energy sector is susceptible to disruptionware attacks is due to its reliance on OT networks. OT networks are susceptible to less sophisticated, readily deployable cyberattacks such as ransomware. According to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), there are many forms of ransomware that are designed to specifically disrupt operations by organizations using OT networks and devices. In a recent energy sector attack, CISA noted that the threat actor deployed ransomware to encrypt data on both of the victim’s networks. CISA further noted that the attacker succeeded because the victim lacked “robust segmentation” between its IT and OT networks, thereby “allowing the adversary to traverse the IT-OT boundary and disable Windows-based assets on both networks with a commodity ransomware.” The attack forced the victim company to shut down its physical operations for over two days.

A recent cyberattack on a water treatment plant in Oldsmar, Florida also highlights the danger posed by disruptionware attacks on participants in critical infrastructure industries. In that case, an attacker remotely accessed an OT system controlling the chemicals that were added to the water supply. The attacker increased the level of sodium hydroxide, known as lye, which can be deadly in high concentrations. Fortunately, the attack was discovered and reversed before there was any danger to the public health.

The danger from disruptionware attacks to the nation’s critical infrastructure is only growing. In early May 2021, one of the largest U.S. fuel pipelines was hit by a ransomware attack, forcing its operator, Colonial Pipeline, to shut down its operations — including 5,500 miles of pipeline. Colonial transports 2.5 million barrels of gasoline per day, or 45% of all fuel consumed on the U.S. East Coast, and it serves several major U.S. airports. While the ultimate impact of the attack is still unclear as of the publication of this article, a prolonged shutdown is expected to impact fuel supply and gasoline prices.

Based on information released to date, the Colonial Pipeline attack was orchestrated by foreign state nationals who were able to infiltrate and shut down both IT and OT networks through malware introduced into the pipeline’s control systems. The hackers stole more than 100 gigabytes of data and have demanded a ransom, though it is still unclear whether the attack was strictly financially motivated or at the behest of a foreign nation state government designed to weaken our national infrastructure. As of the date of this writing, there are still four major veins of the Colonial Pipeline offline with no known date for when full operations will return.

Disruptionware attacks are, unfortunately, becoming more commonplace and more dangerous. In response, the Biden administration has called for greater cyber defenses around our nation’s power grid and other infrastructure targets. Disruptionware is obviously a tremendous change to the cyber threat landscape, and companies should be aware of the potential danger that such attacks can pose. Business organizations — particularly those in sectors which are common disruptionware targets — would be well-advised to take steps to upgrade their security to guard against disruptionware. In addition to baseline “cyber hygiene” practices to secure IT and OT networks, organizations should also consider doing the following:

• Regularly patching networks and ensuring a viable patch management system
• Disabling Macro Scripts on your network
• Limiting unnecessary internet exposure
• Disabling Secure Server Message Block (SMB)
• Disabling Remote Desktop Protocol (RDP)
• Managing and securing third-party Service Level Agreement (SLA) access to networks
• Instituting effective “Social Awareness” training for company employees