Behind the News: The Ragnar Locker Attack on Greek Natural Gas Supplier DESFA

   Aug 30, 2022 | Radiflow team

What we know:

On August 20, 2022, SecNews.gr announced that Greek Natural Gas Supplier DESFA had a day earlier suffered a cyber attack on part of its IT infrastructure: “Cyber ​​attack on DESFA by foreign hackers, through Ragnar Locker ransomware and data interception took place on August 19, 2022 at 18:42. Hackers infected the National Gas System Operator’s systems with ransomware and managed to steal sensitive employee and customer data and information.”

Sometime later, leaked DESFA files showed up on the dark web.

Apparently, the hackers/blackmailers had been stealing files from DESFA for a long time, and have threatened to share these files if the ransom is not paid.

At present, according to DataBreachToday, 361 gigabytes of what appears to be confidential data belonging to Greek national natural gas pipeline operator DESFA have been leaked, after DESFA refused to negotiate with the hackers.

Among the leaked documents, some of which were posted on SecNews, are engineering designs and budget and revenue documents, including several files that appear to be future budget and past revenue spreadsheets; copies of non-disclosure agreements with customers and partners; and engineering designs and their backups in a directory format (the authenticity of the data could not be immediately verified). The types and extent of the stolen personal data (PII) are not clear.

According to DESFA, all industrial operations (OT) related to the Greek national natural gas system kept operating as usual, and the damage was limited to DESFA’s IT: “The management of the NNGS continues to operate smoothly and DESFA continues to supply natural gas to all entry and exit points of the country safely and adequately.”

Insights

        • Even though the Ragnar Locker gang announced in 2021 that it was ceasing operations, it is very much active
        • Given that the hackers published files stolen from DESFA’s IT environment, and that, according to DESFA, some of its systems were affected by a cyberattack, our assessment is that the hackers probably leveraged weak authentication mechanisms or social engineering vectors to penetrate the enterprise network
        • The DESFA attack was similar in nature to previous Ragnar Locker attacks, especially to the attack on the Colonial Pipeline (US)
        • Unlike the Colonial Pipeline attack which caused the victim to shut down its production operations (probably as a precaution), this time the victim, DESFA, stated that it “…continues to supply natural gas to all entry and exit points of the country safely and adequately.”

Recommendations

DESFA’s ability to maintain continuity of its OT operations was probably achieved thanks to the implementation of proper security controls between the breached IT environment and the OT networks, which continued to function.

Critical infrastructure utilities should, accordingly, take action in two parallel paths:

  1. Improve IT security to prevent external threat vectors
  2. Build OT cyber resilience through a number of vectors:
      • Risk assessment: assessing the risk posed to the organization by a cyber attack on each and every operational unit enables prioritizing the most effective mitigation measures per dollar spent, thus maximizing the ROI on OT security expenditure
      • IT/OT segmentation: segmentation plays an important role in preventing advanced cyber attacks, as they tend to employ lateral trans-network movement and attempts to breach the IT-OT conduits
      • Network Visibility: A system for continuously updated network visibility, with access to all asset state/properties, would enable tracking the spread of ransomware in real time, for much better handling of breach incidents.
      • Two-Factor Authentication: The spread of ransomware can be curbed by implementing 2FA, especially for remote access, and by making sure employees have strong passwords and are well aware of phishing and other social-engineering attacks
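The segmentation and visibility points above amount to one control in practice: define the zones, allow only the conduits that the process actually needs between them, and watch the flow logs for anything crossing a zone boundary outside a conduit. The script below is an added illustration written for this post, not Radiflow's or DESFA's code. Its zone addressing, conduit list (an HTTPS path from IT to a DMZ historian, and a Modbus/TCP path from the DMZ into OT) and flow records are all constructed; a real deployment would load them from the firewall policy and the monitoring platform instead.

```python
"""Zone/conduit checker: classify flow records by IT, DMZ and OT zone,
enforce a conduit allowlist, and flag sources whose denied flows fan out
across several OT hosts, the footprint of lateral movement toward OT."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed zone map; these addresses are hypothetical, not DESFA's.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.100.0/24")],
}

# Permitted conduits between zones: (src_zone, dst_zone, proto, dst_port).
# Any other flow that crosses a zone boundary is a violation.
CONDUITS = {
    ("IT", "DMZ", "tcp", 443),   # IT clients read the DMZ historian over HTTPS
    ("DMZ", "OT", "tcp", 502),   # DMZ historian polls OT devices over Modbus/TCP
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def evaluate(flow: Flow) -> tuple:
    """Return ('allow' | 'deny', reason) for a single flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "UNKNOWN":
        return "allow", f"intra-{src_zone}"
    if (src_zone, dst_zone, flow.proto, flow.dport) in CONDUITS:
        return "allow", f"conduit {src_zone}->{dst_zone}:{flow.dport}/{flow.proto}"
    return "deny", f"no conduit {src_zone}->{dst_zone}:{flow.dport}/{flow.proto}"


def analyze(lines, fanout_threshold: int = 2):
    """Evaluate every flow and list sources whose denied flows reached at
    least `fanout_threshold` distinct OT hosts."""
    decisions = []
    denied_ot_targets = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        decisions.append((flow, verdict, reason))
        if verdict == "deny" and zone_of(flow.dst) == "OT":
            denied_ot_targets[flow.src].add(flow.dst)
    suspects = sorted(src for src, hosts in denied_ot_targets.items()
                      if len(hosts) >= fanout_threshold)
    return decisions, suspects


# Constructed flow records: two legitimate conduit flows, then one IT host
# trying several OT hosts on non-conduit ports, then normal OT-internal traffic.
SAMPLE_FLOWS = [
    "2022-08-19T18:40:01 10.10.5.23 10.20.0.7 tcp 443",
    "2022-08-19T18:40:02 10.20.0.7 192.168.100.10 tcp 502",
    "2022-08-19T18:42:10 10.10.5.23 192.168.100.10 tcp 445",
    "2022-08-19T18:42:11 10.10.5.23 192.168.100.11 tcp 445",
    "2022-08-19T18:42:12 10.10.5.23 192.168.100.12 tcp 3389",
    "2022-08-19T18:43:00 192.168.100.10 192.168.100.11 tcp 502",
]

if __name__ == "__main__":
    decisions, suspects = analyze(SAMPLE_FLOWS)
    for flow, verdict, reason in decisions:
        print(f"{flow.ts} {flow.src}->{flow.dst}:{flow.dport}/{flow.proto} "
              f"{verdict} ({reason})")
    print("sources probing OT outside a conduit:", suspects)
```

The same allowlist that drives the firewall policy drives the detection, so a denied flow is both blocked at the conduit and reported by the monitoring side; the fan-out count is what separates a single misconfigured client from a host sweeping the OT subnet.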

