Closing the Case on the Reported 2008 Russian Cyber Attack on the BTC Pipeline

An article released today in Sueddeutsche (the largest German national daily newspaper) by Hakan Tanriverdi revealed new information that further cast doubt on a report of a 2008 Russian cyber attack which caused the Baku-Tbilisi-Ceyhan (BTC) pipeline explosion. The Sueddeutsche article can be found here.

Background:

The original report of the attack was released on December 14th, 2014 with the title “Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar” by Bloomberg. The article referenced an explosion that occurred in 2008 along the BTC pipeline that had previously been attributed to a physical attack by Kurdish extremists in the area. The Bloomberg report cited four anonymous individuals familiar with the incident and claimed the explosion was actually due to a cyber attack. The attribution to the attack was pointed at Russia.

Following this claim, a few individuals, including myself, analyzed the statements in the article and critiqued the validity of the assertions. A record of these critiques was saved by Davi Ottenheimer on his website here. Following this critique, members of the SANS ICS team (myself, Michael Assante, and Tim Conway) published ICS Defense Use Case (DUC) #1 “Media Report of the Baku-Tbilisi-Ceyhan (BTC) pipeline Cyber Attack” further doubting the claims; the DUC can be found here. The focus of the DUC was to extract lessons learned for defenders regardless of the accuracy of the report. While we all doubted that the cyber attack actually occurred, there were still lessons that could be extracted regarding the attack paths discussed in the Bloomberg article. It did accurately highlight a number of concerns regarding architecture and ability for defenders to monitor their networks.

New Information:

Hakan’s article in Seud Deutsche focused on four claims by the Bloomberg article and introduced new information surrounding them from an internal report. Hakan’s four main points are translated and summarized below with the claims in the Bloomberg report they counter:

1. Claim: Internet Protocol (IP) connected surveillance cameras at the pipeline allowed Russian actors to compromise the network. They then proceeded to erase 60 hours of surveillance video.

Counter: An internal audit revealed that there were no security cameras at the pipeline before the explosion, they were acquired after the event in response to the explosion.

2. Claim: The IP connected surveillance cameras gave the Russian actors access to the control center.

Counter: After the event when the surveillance cameras were installed they were specifically installed on separate lines which would not have allowed the attackers access to the control center or valve stations.

3. Claim: The control room was connected to field information via a wireless monitoring system. This allowed the Russian actors to manipulate the data and alarms being sent to the control center.

Counter: The internal audit revealed that there was not a radio or wireless network installed for the valve stations that would have been tampered with.

4. Claim: The explosion was caused by the cyber attack.

Counter: The internal audit revealed that there were explosives found at the explosion which coincides with the previous attribution of a physical attack by Kurdish extremists.

Analysis:

The report of a Russian cyber attack on the BTC pipeline was already controversial and held in question. This new information presented by Hakan further closes the case on this reported attack. It is important to note that any good security minded person could play devil’s advocate with the claims such as Claim #2. In #2 the counter was that the lines were separate which would imply an “air gap”. Although the surveillance cameras weren’t even installed it is always best to doubt claims of separation and segmentation as supposedly air gapped networks are consistently found to be connected in various ways. However, the entire argument does not rest on this or any one of the counter claims. The focus should be that no real evidence was ever presented so when the few claims that were made are further called into question they hold even less persuasion than before.

Why It Matters:

The reason for writing this blog is not to draw attention to a reporter or news site getting a story wrong. Everyone makes mistakes and good journalistic work at times requires taking chances. However, there are a few reasons it is important to address this story which I will highlight below:

  • This story has been cited as evidence in other cases. As an example, when the Turkey power failure occurred earlier this year this story was one of the few cited to show that it may have been a cyber attack. Stories that are allowed to remain incorrect have a snowball effect on inaccurate reporting.
  • It is important to note how difficult reporting on ICS attacks can be. It is not the fault of journalists or researchers not being able to get data. Instead, there is a serious lack of forensic quality data in ICS environments as it relates to cyber attacks. There are numerous reported and unreported cases of failures at ICS facilities where a cyber incident is to blame. Without the appropriate data there will simply not be any lessons learned or resolution to the root cause. The ICS community must better prepare for and implement incident response practices including field level logging and evidence collection ranging from network traffic to Windows logs.
  • Stories about ICS cyber attacks will continue to be very difficult for anyone to fairly evaluate unless the community does a better job of sharing information about incidents. There are restrictions and concerns including legal, financial, and compliance reasons that make information sharing difficult. When these issues are mitigated the community itself cannot hinder progress in this area. Accurate information sharing is important for developing the appropriate case-studies and lessons learned to drive better defenses and resource investments.
  • Attribution to national level adversaries increases geopolitical tension. It is good to call attention to these adversaries when there is proper evidence to support the claims. When there is not though we must all ensure that tensions are not allowed to boil over for the wrong reasons.


This was first posted on the SANS ICS blog;

Originally appeared at RobertMLee.org.

Author:

Robert M. Lee is a fellow in the Cybersecurity Initiative. He is Founder and CEO of the cybersecurity company Dragos, Inc., a SANS Institute course author and researcher, and a PhD candidate at Kings College London.