Hack said to cause fiery pipeline blast could rewrite history of cyberwar

Ars Technica – by Dan Goodin

Bloomberg News is reporting evidence of a watershed event in the annals of cyberwarfare, a 2008 hack attack that caused a Turkish oil pipeline to spectacularly burst into flames.

If true, the hack could rewrite the history of cyberwar. The first known use of a digital weapon to cause physical damage on an enemy is the Stuxnet worm, which in 2009 caused the destruction of uranium centrifuges in Iran’s Natanz nuclear facility. (The malware was unleashed on a handful of carefully selected targets a year or so earlier, journalist and author Kim Zetter reported in a recent book, but it took time for the malware to infect its intended target.) The timing has earned Stuxnet the title of the world’s first known digital weapon. The Bloomberg account suggests the hack on the Turkish pipeline occurred around the same time Stuxnet was released and succeeded in effecting physical damage a year earlier than Stuxnet did. Update: As several readers have pointed out in comments below, the suspected sabotage of a Siberian pipeline in 1982 is believed to have used a logic bomb.

As described by Bloomberg, attackers gained access to the pipeline’s computerized operational controls and increased the pressure of the crude oil flowing inside. By hacking the video and sensors that closely monitored the 1,099-mile Baku-Tbilisi-Ceyhan pipeline, the attackers were able to prevent operators from learning of the blast until 40 minutes after it happened, from a security worker who saw the flames, Bloomberg said. As many as 60 hours of surveillance video were also erased. According to Bloomberg:

Instead of receiving digital alerts from sensors placed along the line, the control room didn’t learn about the blast until 40 minutes after it happened, from a security worker who saw the flames, according to a person who worked on the probe.

As investigators followed the trail of the failed alarm system, they found the hackers’ point of entry was an unexpected one: the surveillance cameras themselves.

The cameras’ communication software had vulnerabilities the hackers used to gain entry and move deep into the internal network, according to the people briefed on the matter.

Once inside, the attackers found a computer running on a Windows operating system that was in charge of the alarm-management network, and placed a malicious program on it. That gave them the ability to sneak back in whenever they wanted.

The central element of the attack was gaining access to the operational controls to increase the pressure without setting off alarms. Because of the line’s design, the hackers could manipulate the pressure by cracking into small industrial computers at a few valve stations without having to hack the main control room.

The presence of the attackers at the site could mean the sabotage was a blended attack, using a combination of physical and digital techniques. The super-high pressure may have been enough on its own to create the explosion, according to two of the people familiar with the incident. No evidence of a physical bomb was found.

Having performed extensive reconnaissance on the computer network, the infiltrators tampered with the units used to send alerts about malfunctions and leaks back to the control room. The back-up satellite signals failed, which suggested to the investigators that the attackers used sophisticated jamming equipment, according to the people familiar with the probe.

Investigators compared the time-stamp on the infrared image of the two people with laptops to data logs that showed the computer system had been probed by an outsider. It was an exact match, according to the people familiar with the investigation.

Bloomberg reported the attack was the work of Russia-backed hackers but went on to say the evidence supporting the link was circumstantial.

http://arstechnica.com/security/2014/12/hack-said-to-cause-fiery-pipeline-blast-could-rewrite-history-of-cyberwar/
