In August 2017, unknown attackers compromised the control system of a petrochemical plant in Saudi Arabia. The case is unique in that the attackers did not simply want to erase information from computers or stop the plant but, as the researchers say, to provoke an explosion.
Rumors of such tactics have circulated for a long time, but this is the first documented case of its kind, and it nearly ended in tragedy. The US, its allies and cybersecurity experts fear that the perpetrators can repeat the attack in other countries, as thousands of industrial enterprises around the world rely on the same computer systems that were compromised. The New York Times reported the details of the incident.
How hackers bypassed the system
Cyberspecialists are still studying the details of the August attack with the support of American companies. All participants in the investigation believe that the attack was most likely conducted to provoke an explosion at the plant and, at the same time, to kill employees.
In recent years, similar accidents have occurred in China and Mexico: factory explosions, not connected to hacking, that typically killed several people and injured at least 10. That is without counting the overall damage, which usually halts the enterprise's operations for a couple of months.
The key point of the attack troubling researchers concerns the Triconex safety system, which is responsible for voltage, pressure and average temperature at the plant. Experts found on the company's engineering computers (which company is not specified) a strange file that looked like part of the Triconex controllers but in practice sabotaged the system. It was previously believed that systems of this brand could not be disabled remotely.
Cyberspecialists do not disclose how the file got into the system, but they do not believe it was planted by someone inside the company. If the experts are to be believed, this is the first time such a system has been disabled remotely. Similar controllers are installed at more than 18 thousand enterprises around the world, including nuclear, oil, gas and chemical facilities.
The only thing that saved the plant from an explosion was a mistake in the hackers' code: it inadvertently triggered a shutdown of the plant's system. However, if the attackers found a way to bypass the protection in Saudi Arabia, they are able to repeat this in any country.
What events preceded the attack
The August attack looks like a large-scale step forward compared with the first break-ins at Saudi companies. The problems began in 2012, when the Shamoon virus struck the largest national oil company, Saudi Aramco. The company lost all the data from tens of thousands of computers, and in its place images of a burning American flag appeared on the hard drives. The US attributed the hack to an Iranian hacker group.
In November 2016, computers in several government offices in Saudi Arabia suddenly shut down, and the data on their hard drives disappeared. Two weeks later the same virus hit other institutions in the country. In January 2017, a local company, National Industrialization, which owns several industrial enterprises, shut down all its computers. The same happened at a joint venture between the oil and chemical giants Saudi Aramco and Dow Chemical.
All the information was lost from the hard drives of National Industrialization's computers, replaced by a picture of Alan Kurdi, a Syrian child found on the Turkish coast in 2015. As investigators concluded, he had fled Syria with his family and drowned while trying to reach land.
Company representatives called the perpetrators' motives political. Recovering the data took several months, during which the researchers became convinced that the same Shamoon virus was responsible for the hack.
The Times's sources suggested that with the August attack the intruders wanted to hinder the Saudi authorities' plans to attract additional investment to the country. In both cases, the targets were not just private firms but companies with industrial plants that occupy a key position in the country's economy.
What conclusions did the experts make?
Investigators believe that since the attack the attackers have probably corrected their earlier mistakes and may soon try again to sabotage another company's operations. Moreover, other intruders have now learned of the factories' vulnerability and will certainly look for ways to destabilize enterprises.
In the August attack, the attackers did not use the Shamoon virus but custom-made hacking tools that had never appeared before. Researchers suspect that the authorities of an unnamed country are involved in the incident. In their opinion, independent hackers would have no obvious profit motive, while the attack required significant financial investment.
To carry out the attack, the intruders needed not only knowledge of how to penetrate the system, but also a general understanding of the plant's design, of where the individual pipes lead and of how to provoke an explosion.
According to experts, the perpetrators bought Triconex controllers in advance and studied how they work. They can be purchased on eBay for 40 thousand dollars.
Cyberspecialists believe that Iran, China, Israel, the United States and Russia have the resources to attack Saudi Arabia's factories. As the NYT stresses, most of these countries have no motive: China and Russia are seeking to establish economic relations with Saudi Arabia, and Israel and the United States are cooperating with the kingdom against Iran. Iran, as experts have reported, is intensively developing a cyber warfare program, but its authorities deny involvement in the hacking.