Natural gas supplier Superior Plus confirmed it discovered a ransomware attack on December 12 that disrupted its computer systems.
Superior Plus is the latest oil & gas company to experience a ransomware attack. A similar attack on Colonial Pipeline earlier this year caused fuel shortages on the US East Coast.
Superior Plus is a multi-billion-dollar company supplying energy-related products and services to over 780,000 customer locations in the United States and Canada. With a market cap of $2.7 billion and a 38% market share, the company has about 4,300 employees and earned $1.8 billion in 2020.
The latest attack coincided with the holiday season and cold weather, creating perfect conditions for extortion.
Natural gas supplier Superior Plus confirms a ransomware attack
Superior Plus said it took steps to secure its systems and engaged independent cybersecurity experts to mitigate the impact of the ransomware attack on its data and operations.
Additionally, Superior temporarily disabled certain computer systems and applications and commenced an investigation. The North American natural gas supplier requested patience as it began the process of bringing these systems back online.
The company assured its customers that it was addressing the ransomware attack “in accordance with industry best practices.”
While the natural gas supplier was still assessing the full impact of the ransomware attack, it determined that customer safety or security and personal data were not impacted.
Saryu Nayyar, CEO at Gurucul, suggested that Superior Plus had an impressive recovery strategy in place.
“At least Superior seems to be well-prepared to deal with this issue, having shut down servers early on, and currently attempting to bring them back up gradually,” Nayyar said.
“Enterprises can conduct simulated fire drills based on attack scenarios and develop both automated and manual playbooks once an attack is confirmed. Automated risk analysis and initial response can go a long way toward remediation of attacks.”
However, the natural gas supplier did not disclose the identity of the ransomware group responsible for the breach or the method used to gain access.
Likely, threat actors were present on the network long before Superior detected their malicious activity. The dwell time for a ransomware attack usually ranges from a few days to several months.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, said the natural gas supplier possibly detected the attackers only after they launched the cyber assault.
“As with most security incidents, it appears that the victim only detected the attacker once they had made themselves known by launching their ransomware,” said Clements.
“Superior Plus doesn’t say and likely might not yet know how long the attackers had access to their operations, however, normal attacker dwell time typically extends weeks or months before they trigger ransomware.”
He noted that the attackers can use this time to pivot through the victim’s network, escalate access and completely take over control and data. Superior also did not disclose whether the extortion gang has made any ransom demands.
Erich Kron, a security awareness advocate at KnowBe4, noted that the ransomware attack could further impact the supply chain, negatively affecting consumers and organizations.
“Many consumers rely on propane gas to heat their homes during this chilly time of the year, and they may also rely on it to cook their holiday meals,” said Kron. “Commercial organizations often rely on propane to fuel their fleets of equipment, such as forklifts, to help move product in and out of their warehouse and to load trucks for shipping goods. Without propane, the already stressed supply chain can be further stressed, resulting in the slower movement of goods right at the peak shopping time of the year.”
He advised organizations to remain vigilant for possible attacks during the holiday season, when businesses experience staff shortages. Part of the contingency plan involves training employees on phishing and maintaining updated offline backups for speedy recovery after a successful ransomware attack.
Crackdown on ransomware attacks against critical infrastructure entities
Ransomware activity has attracted concerted law enforcement efforts, with some ransomware gangs shutting down operations or rebranding to throw investigators off the trail.
However, authorities are making progress in ransomware cases with indictments of several ransomware gang members and the recovery of ransom payments. The FBI confirmed it successfully recovered 63.7 bitcoins out of 75 bitcoins paid by Colonial Pipeline to the DarkSide ransomware group in the $5 million deal.
The DOJ also unsealed indictments of seven individuals involved in ransomware attacks, while Europol arrested 12 high-value targets involved in over 1,800 similar incidents.
Ransomware attacks on U.S. critical infrastructure have prompted legislators to introduce bills to curb ransomware activity.
Lawmakers introduced the bipartisan Pipeline Security Act (H.R.3243) in the U.S. House of Representatives and the CISA Cyber Exercise Act (S.2993) in the U.S. Senate to address the ransomware threat. H.R.3243 tasks the Transportation Security Administration (TSA) with the responsibility of protecting pipelines from cyber threats, terrorism, and other threats. S.2993 introduces a National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan strategy. Sadly, both proposals are yet to become law pending some proposed amendments.
The U.S. government is also taking action on other fronts, with the State Department launching a $10 million bounty program for information leading to the arrest or identification of DarkSide and REvil ransomware gangs’ key leadership.