Every modern company or individual is on some level at risk of cyber-attack. And every company and individual, bar none, is critically dependent upon their computer systems. It has become fashionable for commentators to portray cyber-attacks as real threats to the “internet of things”, with bad actors taking control of nuclear power stations or similar core infrastructure. The reality is generally less dramatic, but it still has huge potential to destabilize society.
2012 Iranians attack Aramco
In August 2012 the Iranians launched a devastating attack against Saudi Arabia’s giant state oil company, Aramco. It was Iran’s first serious cyber-attack. Sometime in 2012 an Aramco employee opened an email on an Internet-connected computer and clicked on a malicious link which, unknown to the employee, gave Iranian actors access to the company network. From this single, silent and unnoticed entry point the attackers’ code was distributed throughout the company network to many other computers and network nodes, in order to carry out two operations: 1) to wipe files from the company’s systems and 2) to report progress back to the attackers. Once the wiping component was activated it deleted the relevant disk drivers (which manage reading and writing on the system) and replaced them with the attackers’ own copy. The copy looked and operated entirely legitimately and raised no flags. The wiping code then overwrote the contents of important files, which is much harder to recover from than simple deletion. Finally the malicious code wiped the master boot record (basically the master directory), rendering the attacked computers unable to operate at all.
The attack was initiated on August 15th and swiftly spread throughout the company’s environment, rendering some thirty-five thousand computers inoperable, the majority of Aramco’s administrative and operational computing capability. Some computer screens displayed a burning US flag. There was no doubt that a major attack was in progress.
The attack happened during Ramadan, when about half of the IT staff were on vacation. While the attack did not attempt to target physical operations, it caused major disruption at every level of the company’s operations and cost many millions of dollars. We might assume that the motive of this attack was simply to disrupt the commercial heart of a nation state.
2021 Colonial Pipeline
On May 8th this year Colonial Pipeline, an American fuel distribution company, said that it was the victim of a cybersecurity attack, forcing the company to shut down its 5500-mile pipeline which transports gas, diesel and aviation fuel from the Gulf Coast to the US East Coast. Following the initial company announcement it was widely assumed, not surprisingly, that the physical pipeline infrastructure systems might have been compromised. Over the weekend the US government declared a state of emergency and the Department of Transportation temporarily relaxed regulations across much of the country governing how long truckers could drive, to provide flexibility in the supply chain. Gas prices jumped 6 cents over the past week and are expected to keep rising until supply returns to normal. Supply shortages, minimal at present, are expected to increase across the country.
Colonial said it’s likely to restore service on the majority of its pipeline by Friday (14th May).
Richard Joswick, head of global oil analytics at S&P Global Platts said, “There’s no imminent shortfall, and thus no need to panic buy gasoline. If the pipeline is restored by Friday, there won’t be much of an issue.” He went on, “If it does drag on for two weeks, it’s a problem, you’d wind up with price spikes and probably some service stations getting low on supply. And panic buying just makes it worse.”
Apparently Colonial admitted that the threat was a ransomware attack by a gang of criminal hackers that calls itself DarkSide, and that it had halted all pipeline operations over the weekend in what the company called a precautionary shutdown. However, U.S. officials said on Monday that the ransomware used in the attack didn’t spread to the critical systems that control the pipeline’s operation. But the fact that it could have done so alarmed outside security experts.
The hackers are reported to be of Russian origin, from an organization called DarkSide, one of many ransomware gangs that specialize in extortion. The criminals typically steal an organization’s data and encrypt it, making ongoing business impossible or extremely difficult. They then frequently threaten to publish the data if the targeted organization doesn’t pay up, creating a second disincentive to trying to recover without paying. Ransomware gangs are usually motivated only by profit. Colonial has not disclosed any details of the form of the threat, or indeed of the impact, other than that it has been forced to halt pipeline operations.
It’s useful to think of corporate computer systems in three categories: administrative, operational and control. Administrative systems cover functions such as contract management, billing, debtors, asset management, accounting and marketing. Operational systems manage business dynamics including resource planning, scheduling and management, production and logistics. Control systems manage the physical operations, including instrumenting, monitoring and controlling the actual plant. The link between operational and control systems is provided by Remote Terminal Units (RTUs). The RTU provides data consolidation and translation between the two technology worlds.
The RTU is therefore a natural focus of cyber-attacks. Hackers often find older RTUs poorly defended, with unsecured communication, so they become the path of least resistance into the network.
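One practical way a defender can use the three-category model above is to audit observed network flows against it: traffic should cross between the operational and control layers only via the RTU, and administrative hosts should never reach control hosts directly. The script below is an added example, not code from the original post or from any company mentioned in it; the zone address ranges, the RTU address and the flow records are all constructed for illustration.

```python
"""Zone-crossing audit for the administrative / operational / control model.

Added example, not from the original post. The zone address ranges, the RTU
address and the sample flow records below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: one address range per category (assumed, not real).
ZONES = {
    "administrative": ipaddress.ip_network("10.1.0.0/16"),
    "operational": ipaddress.ip_network("10.2.0.0/16"),
    "control": ipaddress.ip_network("10.3.0.0/16"),
}

# Assumed address of the RTU that bridges the operational and control worlds.
RTU = ipaddress.ip_address("10.2.0.10")

# Zone crossings the model permits. Crossings into or out of the control
# zone are additionally required to involve the RTU (checked in check_flow).
ALLOWED = {
    ("administrative", "operational"),
    ("operational", "administrative"),
    ("operational", "control"),
    ("control", "operational"),
}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(src: str, dst: str, port: int):
    """Return a Finding if the flow violates the zone model, else None."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return None  # traffic inside one zone is out of scope here
    if (s, d) not in ALLOWED:
        return Finding(src, dst, port, f"{s} -> {d} crossing not permitted")
    if d == "control" and ipaddress.ip_address(src) != RTU:
        return Finding(src, dst, port, "control zone reached without the RTU")
    if s == "control" and ipaddress.ip_address(dst) != RTU:
        return Finding(src, dst, port, "control zone talking past the RTU")
    return None


def audit(flow_lines):
    """Run check_flow over 'src dst dstport' records and collect findings."""
    findings = []
    for line in flow_lines:
        src, dst, port = line.split()
        finding = check_flow(src, dst, int(port))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed flow records in the form "src dst dstport".
SAMPLE_FLOWS = [
    "10.1.5.20 10.2.0.10 443",   # administrative -> RTU: permitted
    "10.2.0.10 10.3.1.7 2000",   # RTU -> control: permitted
    "10.1.5.20 10.3.1.7 2000",   # administrative -> control directly: violation
    "10.2.7.9 10.3.1.7 2000",    # operational host bypassing the RTU: violation
    "10.3.1.7 10.2.7.9 2001",    # control host replying past the RTU: violation
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.port}  {f.reason}")
```

Fed with real flow records (from a firewall or flow collector), the same checks give a defender a quick inventory of every path that reaches the control layer without passing through the RTU, which is exactly where the post says the path of least resistance tends to be.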
In this case it appears from Colonial’s comments that the control systems were not compromised. Unlike the Aramco case, the attackers’ aim was almost certainly to make money by threatening a) to publish commercially confidential data, or b) to massively disrupt commercial operations. We may never know the outcome. Specialists in this field always advise the highest level of secrecy over how cyber-attacks were resolved.
For Colonial, there are a number of really big questions. First, to what extent have their systems been compromised? Like the Iranian attack on Aramco, it could be that the attackers have left sleepers in the Colonial network. Second, has the interface between the operational and the control systems been breached? Most control systems these days will be protected by virtual private networks, but if the attackers have gained access to the operational systems layer, they may well be able to gain access to the private network.
So what do Colonial do? Should they, like Aramco, effectively reinstall their entire system software layer? But how do they know which system software is legitimate, and what might be hiding malicious code? This might be a powerful argument for paying the ransom. But can cyber attackers be trusted to reset the systems if the ransom is paid? Or will they reset just enough to allow operations to restart, and then come back for more? For Colonial, and for any company faced with the same threat, this is a real nightmare.
What’s happening is that the entire world is critically dependent upon computer systems. This creates a compelling opportunity for any number of bad actors with various motivations, including making money and destabilizing nation states, economies or organizations. The key lesson we need to learn is that prevention is easier than cure. But we need to be aware that this trend is only just getting started. There’s too much money to be made.
Just as I was publishing this, I noted the following from the Guardian:
Russian-speaking cyber gang threatens release of Washington police data
A Russian-speaking ransomware syndicate that stole data from the police department in Washington DC says negotiations over payment have broken down and it will release sensitive information that could put lives at risk if more money is not offered. The extortion threat comes amid a separate ransomware attack on a major pipeline that’s affected part of the US’s fuel supply, highlighting the power of internet-savvy criminal gangs to sow mayhem from half a world away with impunity. The Babuk group said on its website late on Monday that it would release “all the data” it stole from the Washington police department if it did not “raise the price”.
“The negotiations reached a dead end, the amount we were offered does not suit us,” the group said. The department did not immediately return a request for comment, and has not said whether it has negotiated any possible payment. If true, it is an example of how complex the ransomware problem is when even police find themselves forced to consider making payments to criminal gangs.