
CERIAS Tech Report 2013-9
Crude Faux: An analysis of cyber conflict within the oil & gas industries

by Kambic, K., Aurthor, K., Ellis, W., Jensen, T., Johansen, K., Lee, B., Liles, S.
Center for Education and Research in Information Assurance and Security
Purdue University, West Lafayette, IN 47907-2086


Crude Faux
An Analysis of Cyber Conflict Within the Oil & Gas Industries

Authors
Jake Kambic, Kristine Aurthor, Will Ellis, Mary Horner, Tyler Jensen, Kyle Johansen, Brian Lee
Under the direction of Dr. Samuel Liles

Abstract
The oil & gas industry is a multibillion-dollar industry that has a history of conflict. As modern technology has developed, both the corporate aspects and technical aspects of the oil & gas industry have become heavily reliant on the cyber domain. The inherently insecure origins and evolution of computing has led that dependence to become a severe vulnerability. This report examines how these vulnerabilities have been exploited, and what that means to the future of the industry.

Purdue University
Cyber Conflict & Transnational Cyber-Crime Course


Executive Summary

The oil & gas industry is a multibillion-dollar industry that has a history of conflict. As modern technology has developed, both the corporate aspects and technical aspects of the oil & gas industry have become heavily reliant on the cyber domain. The inherently insecure origins and evolution of computing has led that dependence to become a severe vulnerability. Recent events have brought this fact to light with a deluge of "cyber attacks" launched globally against the industry. These attacks raise the specter of cyber conflict and the question of culpability. This report seeks to analyze a selection of these events, looking for patterns that would indicate one or more advanced actors. By observing the motives, means and opportunities presented to actors, and looking at a cross section of these attacks over time, conclusions will be drawn as to the past, present, and future of cyber conflict within the industry.

The US Army notes in their Cyber Concept & Capabilities plan for 2016-2028 that cyber capabilities pose a unique and attractive opportunity to an inferior enemy to gain temporary equivalence with a superior enemy through the use of cyber. This applies not only to nation states, but non-state actors as well. There are several factors compounding this issue:

- Unfettered access to the infrastructure and tools used to conduct cyber operations by anyone
- A low barrier to entry fiscally and limited experience required to achieve an outsized impact
- A high and attractive return on investment
- Plausible deniability due to issues with attribution

These facts make it highly likely that multiple foreign agencies as well as powerful corporate denizens have used and continue to make use of cyber capabilities to affect favorable outcomes.

Methods: Using OSINT techniques, information was gathered from government websites, corporate websites, news agencies, and search engine queries. This information was then synthesized and scrutinized for possible links and attribution. By looking at the surrounding geopolitical events, gains and losses as well as indirect outcomes, events can be correlated and attributed to actors which possess the means, motive and opportunity to do so. The primary purpose is to analyze the event regardless of attribution. Because of the nature of open source information, biases are naturally introduced which must be acknowledged, if not accounted for.

Events: Incidents were selected based on relevance and their timeliness, along with other factors discussed in the methodology. Incidents were largely grouped into one of three categories: espionage, sabotage, and incidental/miscellaneous. While these incidents do not qualify as warfare by the Clausewitz definition, they are a form of conflict.

Cyber Espionage: There is significant evidence of protracted, insidious espionage carried out by a state actor within the cyber realm. China has likely launched hundreds of cyber attacks against the oil and gas industry since as early as 2002. With the advent of Red October, they may not be the only actors in the game. With a level of sophistication not yet observed publicly in this realm, Red October could represent an evolution to China's current techniques, or another actor entering the game. By looking at some of the technical aspects of the events, a link was established between Byzantine Candor and APT1, as well as a possible link between the Mirage Campaign and Elderwood Project.


Sabotage: The Middle East has seen perhaps the most evidence and variety of cyber conflict of all. While staying away from events which do not directly relate to the oil industry, a series of sabotage incidents using cyber as the medium are examined. It is possible that these events were salvos between nation states in an example of bidirectional conflict. If this is not the case, and incidents like Shamoon were simply the act of non-state actors, then it represents affirmation of the relevance of non-state actors in future cyber conflict. This is only logical since most of America's critical infrastructure is controlled by the private sector, and economic influence can be leveraged to gain great power.

Incidental: By taking an adversarial look at the Deepwater Horizon oil spill, an example of how a state actor could act in a violent, kinetic way against a non-state actor through cyber while remaining anonymous is examined through a vignette. It is determined that while the Deepwater Horizon spill was not an attack, it easily could have been. This type of conflict is both deadly and catastrophic, and while it is unlikely to be used lightly, it sets the tone for possibilities going forward.

Conclusions:

Based on the observed events, the possible threat actors, and the correlation of these events, it appears that there is ongoing cyber conflict within the oil industry. The correlation of several incidents has shown coordinated attacks by an advanced foreign threat actor against multiple entities with the use of espionage. It has also suggested the possibility of more destructive attacks, and pointed out the benefits to both state actors and non-state actors within the oil industry. In some cases there has been an obvious alignment of political, strategic, operational, and tactical goals and principles to affect favorable outcomes. The culmination of these findings is that there are many threat actors who are currently engaged in, or may be engaged in, ongoing conflict which may have the potential to escalate. This should be both a primary concern and a cause for future research and analysis.


Introduction

Recent events of national significance within the oil & gas industry have brought to light both the question of defining threat sources and that of plausibly attributing known events to a threat source. The unprecedented rise in cyber events begets the question of whether this is incidental to the continued advancement of technology, or suggests an ongoing conflict that may escalate. This report will aggregate relevant events, present criteria for outlining threat origins, and determine the likelihood that the incidents are related. It also seeks to determine whether or not any observed correlation points to a persistent aggressor or simply circumstantial coincidence. The purpose of this analysis is to provide decision-makers with a clearer idea of the current security outlook for the oil and gas industry, and pinpoint what current and future causes for concern appear to be. All events and presented options should be considered cautiously and as empirically as possible; any assumptions that are made will be explicitly stated.

Timeline of Events

One of the first priorities is to outline a timeline of events which have occurred and then examine what significance they may have or relationships they may share in order to scope the conversation. These events will constitute the frame for the analysis. Events were chosen after a preliminary overview of content from open sources such as established news media sites, oil & gas company websites, Google query results, government bulletins, and technical reports by security companies. From this brief overview, events within the oil and gas industry which exhibited a "cyber" component were selected. These events are not meant to be all inclusive, and due to the entirely open source nature of the resources, the vantage point on the information may be biased and in many instances is likely incomplete. However, even an incomplete view may contain enough information to identify significant patterns, and by acknowledging the quality concerns with the information, a more accurate and objective analysis may be performed. Below is a timeline of observed events which will be discussed in greater detail. The timeline will list the event and the apparent target of the event.


[Figure 1: Significant Open-Source Cyber-Related Incidents within Oil & Gas Industries [2008-2013]*. A 2009-2013 timeline of the sampled events, numbered 1-19 in the figure and marked as Cyber Espionage, Sabotage, or Incidental/Misc. Side panels: Top 20 Countries by Proven Oil Reserves [2011] (axis labels 0 MMbbl, 20,000 MMbbl and 211,169 MMbbl); Top 5 Exporters [2011] (SA, RU, IR, AE, NG) and Top 5 Importers [2011] (US, CN, JP, IN, DE), in thousands of barrels per day.]

Timeline & Details of Sampled Events

- Earliest known intrusion of Shady RAT in the gas industry – sophisticated infection and data exfiltration of corporate secrets
- A disgruntled former contractor for PER intentionally disables offshore oil rig safety controls remotely off the coast of California
- McAfee starts monitoring the Night Dragon cyber espionage campaign against oil, energy, and petrochemical companies
- Symantec ties back a Google hack to a campaign referred to as the Elderwood Project that targets oil/gas targets amongst others
- Deepwater Horizon oil rig suffers catastrophic failure; control safety systems had been rendered inhibited
- BG Group Plc and CHK are alleged to be victims of sophisticated data exfiltration of corporate secrets, reported by Bloomberg
- Talisman Energy & Halliburton Co. are targeted by the Comment Group as part of a corporate espionage campaign
- Sophisticated infection and data exfiltration of corporate secrets from unspecified oil & gas companies in Norway
- Virus infects a series of control systems on Kharg Island, Iran's main oil exportation station, causing them to shut down the terminals
- Dell's Counter Threat Unit begins tracking the Mirage cyber espionage campaign – sophisticated data exfiltration of corporate secrets
- Anonymous hackers target oil industry giants, exposing more than 1,000 email credentials
- Shamoon virus systematically exfiltrates corporate data and wipes the hard drives of over 30,000 computers at Saudi Aramco
- Sophisticated infection and data exfiltration of corporate secrets from Telvent, Ltd.
- Sophisticated infection and data exfiltration in Iraq of corporate secrets suspected to be part of the Night Dragon campaign
- Anonymous announces their intent to attack international oil companies in "#OpFuelStrike"
- Kaspersky announces Red October, a highly flexible cyber espionage virus which targets, amongst others, global oil & gas companies
- Mandiant releases a document entitled APT1 which implicates China's PLA sponsored espionage, including within the oil industry
- The CSM highlights a "restricted" DHS report stating 23 gas pipeline companies were targeted via spear-phishing


Given this dataset, a natural escalation of events appears to occur, with the frequency of incidents continuing to rise. This can partially be explained by a growing international awareness of the vulnerabilities and perils involved in internet-facing control systems of all kinds; as events occur, they garner additional attention and therefore induce additional incidents.

However, there are other interesting observations to be made from this data. Largely, the incidents of great note have occurred in either North America or the Middle East. When considering that three of the top five oil producing countries are in these regions (Saudi Arabia, the United States, and Iran), this is not surprising. Yet substantive reports of similar incidents are markedly absent in the other two of the top five oil producing countries (China and Russia), and this is noteworthy. The argument could be made that this is due to language barriers and tight control on information dissemination, but it is improbable that a significant incident would have gone entirely unnoticed by all media outlets. As the incidents themselves make apparent, human threat actors are involved, and what remains to be identified is whether there is the complexity, overarching coordination, or recurring threat source that would point to an advanced threat such as a state actor or complex non-state actor.

Before continuing with the possible attribution of events, some base discussion and criteria for the threat sources must be established. A threat source is considered to be a human-based or natural entity which possesses a capability that aligns with an unmitigated vulnerability. The threat sources which will be considered must meet the minimum requirement of having both the motive and the means to carry out the attack. Once a hypothesis consisting of these elements is established, it will be scrutinized to determine whether or not the events surrounding the incident or series of incidents align in any obvious political, strategic, operational and tactical manner. The means in this case consists of both the opportunity and the technological capability to cause the incident to occur, and the motives that will be considered are economic gain, retribution, or political agenda (to include ideology).

The US Army notes in their Cyber Concept & Capabilities plan for 2016-2028 that cyber capabilities pose a unique and attractive opportunity to an inferior, asymmetric enemy to temporarily gain equivalence with a superior enemy because of its relatively low initial cost, high return on investment, and plausible deniability due to issues with attribution. Because of this fact, it is highly likely that multiple foreign agencies as well as powerful corporate denizens have used and continue to make use of cyber capabilities to affect favorable outcomes. The rest of the report will attempt to substantiate this claim through critical analysis.


Methods

To reach the conclusions presented in the ensuing report, incidents were collected and chosen based on the inclusion of cyber either as the medium for the event, or as some component factor that played a direct or otherwise instrumental role in the outcome. After collecting a sampling of incidents into a dataset, these incidents were examined and several directly attributable features/impacts were taken into account, including:

- The victim(s) targeted
- Evidence of cyber involvement
- Economic losses
- Fatalities incurred
- Geopolitical impacts

Beyond the direct impacts, it was also necessary to consider possible indirect "ripple" effects. For example, it could be important to consider something like the prices of crude oil prior to and after a given incident. A circumstance may be such that particular companies or countries unaffected by the incident would find themselves benefiting from a ripple effect like higher crude prices. Other effects to identify include changes in the status of the involved companies throughout an incident. This could involve looking at earnings reports, the selling or buying of assets, or any legal actions the company is involved in, as well as contextual events that are significant or contentious and occur directly prior to or after an incident.

Through the investigation of these outcomes and contexts, there is the possibility of finding correlations between various incidents. These correlations may be made plain by observable patterns among the details of the events. An observed pattern may suggest a recurring actor; these patterns include tactical and methodical similarities between alleged attacks, recurring targets, entities that directly or indirectly benefitted or incurred losses as an outcome, and geographic dispersion or closeness of the events. In cases where an attack is apparent, tactical elements such as tools were scrutinized as well, as a means of attribution. For example, a tool may unintentionally exhibit cultural tendencies such as the language used, colloquialisms, idioms, religious preference, and recurring personal habits of the creator or operator. These signatures coupled with aspects of the tactical assets like exclusiveness (as in the case of a purchased domain used as a C2 point) can significantly raise the confidence level of an attribution.

Possible actors in the cyber exchange can ostensibly be identified from these correlations. If it is determined that the incident was an attack, motives of the potential actors can be considered. A key element of this that should be considered is any precedence for the attack. The history of political relationships between countries, such as any expressed hostilities or allegiances and treaties, may also prove relevant. History also tells us that most conflicts arise over the acquisition of resources. As such, the energy resources and requirements of nation-states must be analyzed. For example, is the entity being examined a major importer or exporter of oil? Is the entity capable of energy self-sufficiency? Or has the country been experiencing a major influx in energy demand? This information can then be aggregated and synthesized into a more informed view of the event.

A final major component of the analysis was the examination of whether the motives and methods align with the actor's strategic culture. This includes defining the overall strategic theories that the country adheres to and goals it desires to accomplish. As mentioned earlier, the tactics employed during the attack can be incredibly potent as an attribution mechanism: if an attack is far removed from a nation's capabilities, it is less likely that they were involved in the incident. Likewise, if the tactics are within a given nation's technical prowess and follow established patterns exhibited by that nation, it significantly improves the confidence in attribution. However, caution was taken when attributing tactics to actors, as deception is a common element in many cyber warfare strategies. Therefore, tactical similarities or dissimilarities alone do not implicitly identify or rule out a given actor.

Biases

The nature of OSINT gathering poses obstacles to objective analysis. While gathering the data, it should be noted that there are source biases. All of the sources used are open source, and as such the provenance of the information cannot always be independently verified. The information itself may be legitimate, but presented in an incomplete or skewed manner. It is also likely that not all of the details of the collected incidents are available. In some cases the companies reporting the incidents, such as Symantec and McAfee, are not legally disposed to divulge select information about their customers. Another limitation is information available about incidents that occurred in foreign countries. Due to tighter control over journalism or language barriers, other countries are likely not releasing full details from incidents that have occurred, or not doing so in languages familiar to the authors. In some cases, entire events may not be released to the public, either by foreign governments or the companies themselves.

In order to address the above concerns, several methods were used. Data was gathered from established, and ideally trustworthy, sources. This includes reports from reputable news sites, company or government publications, or scholarly papers. Also, every effort was made to track down the original source of the information found in reports, or cross-examine it with other sources. Multiple sources were found wherever possible and scrutinized in order to obtain corroborating data. Of equal interest is information which was contradictory between sources. These contradictions were presented and addressed where appropriate.

Finally, despite evidence found in support of any given actor, alternate hypotheses must be considered. As with any intelligence gathering, there is the possibility of error, whether information is misreported or taken out of context, and this is especially true of OSINT. The purpose was not to select an outcome and attempt to support it, but rather to find refutation as well. Information that may exculpate a particular actor was thoroughly considered. Although human error is common in cyber incidents, it is important to determine whether the error was taken advantage of by others.


Cyber Espionage

One of the most easily distinguishable patterns on the above timeline is the growing frequency of reported cyber espionage. This saga of long-term campaigns has been garnering a lot of attention, and with good reason. Some have asserted that certain campaigns have existed since the early 2000's,[1] yet their existence has only recently come to light in the private sector. The damage caused by these types of breaches is difficult to estimate because it occurred over such a long time span, but in some cases terabytes of data were stolen over the period of a few months.[2] When taken in relation to the oil industry, where proprietary information like bid exploration data is the lifeblood of the organization, this can be a disastrous blow. However, while campaigns like "Night Dragon" are pointedly targeted at the oil industry, others are far more encompassing in their breadth and appear more disparate.

Establishing a baseline or pattern within this industry alone excludes a large and potentially useful amount of context. Not only were most of these cyber espionage campaigns larger in scope than simply the oil and gas industry, but some also completely excluded it. Interestingly, there are other cyber espionage campaigns not listed in the timeline (such as the infamous Flame and Mahdi viruses) that target countries with some of the largest oil reserves in the world, but the attacks themselves were not targeted at the oil & gas industries.

Given the sheer number of incidents, it would seem likely that there is more than one source, yet the technical data available seems to suggest otherwise. It is clear that these incidents represent a huge danger to the profitability and competitiveness, even the future success, of victim companies; yet these consequences carry with them some level of inherent attribution. The very nature of proprietary information means that if an entity who had acquired it were to use the information, it could identify them as having a connection to the incident, whether directly or through a third party. Also, attacks of this scale require some level of organization that manifests itself in the form of repeated patterns of behavior and resource usage that can suggest a common origin. This organization coupled with the resources and expertise necessary to process and analyze the exorbitant volume of stolen information leads to a high likelihood of state actor or organized criminal involvement.

One of the largest difficulties present in identifying the provenance and totality of these attacks is that there is no publicly available aggregation of the body of information collected on the various APT activities. Instead, antivirus & incident response firms which have the best vantage point on the situation are providing separate reports in which they use their own colloquial names and terms for the attacks, the tools, and the campaigns. This creates overlap, where campaigns with different names may in fact be part of the same campaign, and the technical data that is otherwise separated across the reports could together represent a more apparent pattern. Only one report, the Mandiant APT1 report, included a brief table noting that they had compared some of the other attacks and ruled out APT1 as the culprit. Additionally, these firms are entrusted with the safeguard of their customers' information, and so often will not release the full extent of what was found, nor a definitive list of victims – adding to the obscurity. These sources also introduce their own biases which must be accounted for.

For this reason, what follows is an overview of the various reports that mention the oil and gas industry as targets, and an analysis of important technical aspects and goals of these campaigns. Through this analysis, hopefully a more complete view of the action may be obtained to see if the goals, resources, techniques, and time frames exhibit commonality between attacks.

[1] Mandiant, APT1 (Feb 13, 2013). Retrieved from http://www.mandiant.com/apt1
[2] Ibid.


Oil/Gas Inclusive or Specific Campaigns

'Countries with Companies Affected' lists only countries where oil and gas companies were compromised.

Campaign: Night Dragon
Publisher: McAfee
Synopsis: The Night Dragon report released by McAfee was somewhat of a seminal event in that it was the first well known release of a fairly detailed APT analysis and technical attribution. The attacks conglomerated in Night Dragon were nearly all conducted against unspecified "global oil, energy, and petrochemical companies." The attacks followed a methodical series of steps:

1. Using SQL injection to obtain access to an extranet server, or using spear-phishing against "mobile worker laptops" and "compromising corporate VPN accounts" to obtain access to the company intranet
2. Uploading common hash dumping tools & password cracking tools to harvest Active Directory credentials to gain access to sensitive desktops & servers
3. Access sensitive documents
4. Upload RAT malware to exfiltrate sensitive data
5. Move laterally

McAfee was also able to identify much of the generic malware used, and communications techniques. They also suggested that the attackers worked between 9:00am and 5:00pm Beijing time during weekdays, and that most traffic was originating from the Shandong Province of China.

Published: Feb 10, 2011
Earliest Date: "[Attacks have been ongoing for] at least two years, and likely as many as four" (circa 2007-2009)
Purpose: Exfiltration of "competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations" & collection of data from SCADA systems
Entry Method: Social Engineering, Spear Phishing, SQL injection
Countries with Companies Affected: U.S., Taiwan, Kazakhstan, Greece

Campaign: Elderwood
Publisher: Symantec
Synopsis: Symantec observed a group it refers to as the Elderwood gang operating a concerted campaign against a variety of industries including an undisclosed oil and gas company. Symantec also asserts that these are the same hackers who operated in the "Aurora" campaign against Google in 2009. This campaign is unique to some degree in that it used a high number of zero day exploits in Adobe Flash and Microsoft's Internet Explorer. While it appears that the attackers used spear-phishing (via email), their primary technique was the use of a "watering-hole" attack whereby they attack websites known to be frequented by the target using techniques such as SQL injection, and upload malicious files to these websites. The target then visits the site and gets infected. This is interesting because the target does not have any indication that it has been compromised, but the number of overall infections goes up because of untargeted victims which also visit the site. This attack requires the attackers to find a security vulnerability in the desired website after selection, requiring more technical skill than some of the other campaigns initially exhibit. Symantec believes that the exploits were packed with a Trojan and Command & Control (C2) server address using a platform that gives the group its name: "Elderwood."

Published: Sept 06, 2012
Earliest Date: December 2009
Purpose: "the wholesale gathering of intelligence and intellectual property"
Entry Method: Watering-Hole attacks, Spear Phishing
Countries with Companies Affected: Undisclosed


Campaign: Shady RAT
Publisher: McAfee
Synopsis: This report released by McAfee discusses a RAT they claim to be incredibly prolific, infecting a variety of industries across multiple countries. The report itself is very sparse on any technical details or evidence, largely lacking substance. It provides a list of victims by industry and their country of origin. It also provides a detailed timeline for the attacks.

Interestingly, Eugene Kaspersky heavily criticized the report for being alarmist and skewed, stating that many of the conclusions were presumptive.

Published: August 02, 2011
Earliest Date: July 2006
Purpose: Exfiltration of "a historically unprecedented transfer of wealth—closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more"
Entry Method: Spear Phishing
Countries with Companies Affected: U.S.

Campaign: Mirage
Publisher: Dell SecureWorks
Synopsis: Dell SecureWorks gives a fairly good collection of technical details about the campaign they've dubbed "Mirage" for the string used to connect to the C2 server by the Remote Access Trojan, but largely they focused on studying the tool, not monitoring the APT activity. Some points of note are the use of HTRAN (a relay that Dell's Cyber Threat Unit asserts was developed by the Honker Union of China, or HUC) for relaying, and registry of a few domains to an email address ([email protected]) and IP ranges in China.

Published: Sep 18, 2012
Earliest Date: April 2012
Purpose: Theft of "intellectual property and company secrets"
Entry Method: Social Engineering, Spear Phishing, SQL injection of web servers
Countries with Companies Affected: Philippines, Canada


Campaign: Red October
Publisher: Kaspersky
Synopsis: Red October is a sophisticated espionage network very much unlike other attacks which had been reported. While for the most part the targets were diplomatic, there were several instances where Kaspersky noted that oil and gas industries had been targeted. The attack used domains registered to Russian email addresses, and IP ranges identified were serviced by largely German and Russian ISPs; however, Kaspersky believes that the three "mothership" C2 servers identified are actually themselves proxies for an as yet unidentified C2 server which could then be operating nearly anywhere. A salient point is that Red October made use of exploit code that was "created by other attackers and employed during different cyber attacks. The attackers left the imported exploit code untouched, perhaps to harden the identification process." Additionally, Red October is somewhat unique amongst attacks that targeted oil and gas in that it is capable of stealing information from a variety of embedded devices such as phones and routers.

Published: Jan 14, 2013
Earliest Date: May 2007
Purpose: "gather intelligence from the compromised organizations"
Entry Method: Social Engineering, Spear Phishing, SQL injection of web servers
Countries with Companies Affected: Azerbaijan, Belarus, Turkmenistan, UAE

Campaign:APT1 Publisher:MandiantSynopsis:TheAPT1Reportisperhapsthemostdetailedreporttodate.Theyalsomincednowords,directlyaccusingChinaasastateactorofengaginginCyberEspionage.ResearchersatMandianttrackedbackactivitiesofanAPTgrouptheyreferredtoasAPT1totheChinesePLAUnit61398withrelativelysolidevidence.TheyevenwentsofarastoreportthebuildingwhichtheybelievedAPT1wasoperatingoutof,andunmaskthreeoperators–UglyGorilla,DOTA,andSuperHard–givingpossiblerealnames,onlinepersonasandotheridentifyinginfor-mationaboutthem.APT1operatedoverhalfadecadeatleast,stealing“hundredsofterabytesofdatafromatleast141organizations,”oftenconductingsuchoperationsinparallel.Theattackersmaintainaccesstoagivennetworkfornearlyayearonaverage.Theattackersoper-atedduringthe9:00amto5:00pmBeijingTimeandthyfollowedafairlystrictmethodologyofattack,similartotheonenotedintheNightDragonreport:

1. Initialreconnaissance

2. Initialcompromiseofasystem,largelythoughspearphishing

3. EstablishingafootholdinthenetworkthroughTrojandroppingtoaC2server

4. Escalatingprivilegesthroughcredentialharvesting

5. Internalreconnaissanceofthenetworkand

WhileMandiantgenericallyreferstoenergycompanies,oneofthetrojanedfilestheynotewasusedinthespearfishingattackbearsthename“Oil-Field-Services-Analysis-And-Outlook.zip”whichreallyties.MandiantnotesthatAPT1isalsoreferredtoastheCommentGroup,anamegivenforthecommunicationsmethodusedbytheirRATswhichwouldsetattributesinwebpagesasameansofC2.

Published: Feb 19, 2013
Earliest Date: 2004-2006
Purpose: Exfiltration of "competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations"
Entry Method: Spear Phishing
Countries with Companies Affected: Undisclosed


Campaign: Byzantine Candor    Publisher: Bloomberg
Synopsis: An exposé run by Bloomberg in 2012 chronicled the undertakings of a security research coalition which decided to track one of the largest Cyber Espionage groups operating out of China. Bloomberg claims that US Intelligence had been keeping tabs on the group for years, which they referred to as Byzantine Candor. In the same breath, Bloomberg notes that the group is often referred to as the "Comment Group." Bloomberg journalist Chloe Whiteaker also published a short but technical article that detailed some of the Comment Group's activities and tools. The report included an infographic that identified oil and gas victims of the Comment Group.

Published: July 26, 2012
Earliest Date: 2002

Purpose: "the biggest vacuuming up of U.S. proprietary data … ever seen"
Entry Method: Social Engineering, Spear Phishing
Countries with Companies Affected: U.S., United Kingdom

Report Based Attack Timeline

Technical Similarities

Between the campaigns identified above, there are a few technical similarities that arise. As was already addressed, these attacks have been selected for one common thread they share – targets within the oil and gas industry. Other similarities between them will now be scrutinized to find any additional links. This is not intended to suggest that the same group is behind every attack, but rather to identify tactical and operational similarities that would point to a unified source of training or control.

One of the most obvious similarities between all of the attacks is the motive: the large scale theft of corporate data. The methodology of data extraction is very similar between Night Dragon, ShadyRAT, Elderwood, APT1, and Byzantine Candor. One note on this is that although the attacks all followed a similar methodology, this very methodology is common in the network penetration world, and so not entirely unique. Slides from a presentation given by SANS affiliate James Shewmaker in 2008 highlight this methodology in brief: Reconnaissance, Port/Vulnerability Scan, Exploitation, and Repeat from the new vantage point. The only thing largely different is that the data exfiltration occurs after exploitation – that and the attackers were working from the outside initially, so they used social engineering to get in. With that said, the fact that the majority of these used highly targeted spear phishing and exfiltrated similar data using RATs is not to be discounted. Additionally, these attacks all appear to be operating out of either Beijing, Shanghai, or Shandong province.

[Figure: Report Based Attack Timeline, 2002–2013. Campaigns shown: Byzantine Candor, Red October, The Elderwood Project, APT1, Night Dragon, Mirage, ShadyRAT.]

The data below will show that Byzantine Candor and APT1 are one and the same – they share operators (UglyGorilla) and unique technical infrastructure like Fully Qualified Domain Names (FQDNs). Mandiant tied APT1 back to the PLA, and a. Mandiant even acknowledges the article written by Bloomberg in their report, and identifies the "Comment Group" as an alias.

IP Addresses & Origins

While about half of the reports omitted IP ranges, the majority of IP address ranges mentioned came from service provided by China Unicom to one of two locales: Beijing or Shanghai. The major exception to this is Red October, which largely had IP address ranges coming from Germany and Russia. Excluding Red October, in cases where ranges did not come from Beijing or Shanghai, they were often identified as hosts that were compromised and used as proxies loaded with tools such as HTRAN.

Night Dragon    Elderwood    Mirage    Red October    APT1
[unspecified IP range – most C2 servers operating out of Heze City, China]

114.240.0.0/20    141.101.239.225    223.166.0.0/15    178.63.208.49    58.246.0.0/15

112.64.0.0/15    139.226.0.0/15    114.80.0.0/20    101.80.0.0/20

Interestingly, Night Dragon, which does not provide a range of IP addresses, offered instead that an individual operating out of Heze City, Shandong, China was responsible for providing the C2 servers through his company. An article published in the Wall Street Journal notes that McAfee identified this individual as "Song Zhiyue."3

Domains

A full list of domains retrieved from the various reports can be found in the appendices. Of the domains which appeared in the reports, only matches between APT1 and Byzantine Candor were identified. The rest were inconclusive as some of the reports did not include FQDNs and others which did include them did not provide a full list. Additionally, a large portion of the attacks made use of Dynamic DNS services, where the parent domain is not inherently malicious, but subdomains may be used by service subscribers for their own purposes without policing.

Registered domains common between APT1 & Byzantine Candor:

*.hugesoft.org
www.arrowservice.net
www.blackcake.net
www.dnsweb.org
www.globalowa.com
www.purpledailt.com
www.worthhummer.net
www1.earthsolution.org

3 Hodge, N. & Entous, A. (Feb 10, 2011). Oil Firms Hit by Hackers From China, Report Says. Retrieved from http://online.wsj.com/article/SB10001424052748703716904576134661111518864.html


wwwt.infosupports.com

With that said, there is another somewhat tenuous connection between two of the campaigns: Mirage and Elderwood. Night Dragon is not the only instance where an individual in China is charged with providing infrastructure to the attackers via their business – HBGary authored a report in the wake of Operation Aurora which implicated a business called Bentium operating 3322.org out of Changzhou and a man named Peng Yong as providing dynamic DNS services to the attackers.4 Operation Aurora was tied to Elderwood in Symantec's Elderwood Project report and elsewhere. Dell SecureWorks, which authored the Mirage Report, also authored a piece known as the Sin Digoo Affair.5 The connecting factor between the Sin Digoo affair and Mirage was that an operator reused several email addresses ([email protected] & [email protected]) and infrastructure between them. The C2 servers used a Dynamic DNS service operated by 3322.org. The Sin Digoo Affair also ties these back to Gh0stNet via 3322.org and the RSA breach based on the reuse of IP address blocks belonging to the "China Beijing Province Network (AS4808)." Peng Yong also owns other domains tied back to malicious use both in Aurora and elsewhere. According to Steve Ragan of the Tech Herald, Peng Yong is possibly the author of the CRC function used in some of the Aurora malware.6

It is entirely possible that 3322.org was providing services to multiple separate APT groups; it is after all a fairly successful Dynamic DNS service which has been documented in other malware cases. However, Peng's level of involvement in the Aurora campaign should be scrutinized. Interestingly, the Sin Digoo report also attempts to identify the jeno_1980 account which had the alias "Tawnya Grilith" attached to it. In the process of their investigation, they tied back the account to an operator going by the screen name "xxgchappy." They also found a piece of malware ostensibly written by xxgchappy appearing to date back to March of 2002. This is potentially significant because it is the timeframe around which the leaked US embassy cable had noted possible PLA cyber espionage activity. Malware used by this actor, as well as appearing in Mirage and Gh0stNet, was discovered in 2011 and 2012 to have infected government ministries in Vietnam, Brunei, and Myanmar. Additionally there are a few infected victims in Europe and the Middle East belonging to "government ministries in different countries, an embassy, a nuclear safety agency, and other business-related groups."7 This is of interest in part because Red October also targeted government ministries and embassies.

However, in order to more fully analyze any connections between the domains that were listed in each of the reports, the whois and ARIN records could be examined. The contact information could then be cross-referenced to find similarities. Unfortunately, many of the domains had their contact information scrubbed or have since changed hands in the wake of the reports being released, so an analysis at this point would be erroneous and incomplete at best.

A final note on domains is that many of the reports did look for registrant information – in the case of APT1 for instance, many registrants blatantly put China as their place of origin, or poorly masked this fact by misspelling the places they chose or including a Shanghai phone number. In the case of Red October however, all registrations with the exception of one were done with ".ru" email addresses, and addresses were not reused as had been the case in other instances. This signals a much more concerted effort to remain anonymous, and a level of professionalism not seen in the other attacks.
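The overlap checks that the IP Addresses & Origins and Domains subsections perform by hand (collapsing host names such as www.*, www1.* or *.hugesoft.org to their registered domain before comparing reports, not collapsing names under a Dynamic DNS parent like 3322.org, and testing whether an observed address falls in a published netblock) can be scripted. The following is an added example, not code from the CERIAS report or from any vendor it cites; the domain and netblock values are quoted from the text above, but their grouping under report names, the update.3322.org label and the log lines are constructed for illustration.

```python
"""Indicator overlap across threat reports (added example, not from the report).

Two checks: (1) which registered domains recur across reports once host-name
prefixes such as www, www1, wwwt or a '*' wildcard are stripped, and
(2) which report's published netblock covers an address seen in a log.
Domain and netblock values are quoted from the report; their grouping by
report name and the sample log lines are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed (hypothetical) grouping of host names by report.
REPORT_DOMAINS = {
    "APT1": ["*.hugesoft.org", "www.arrowservice.net", "www.blackcake.net",
             "www.dnsweb.org", "bigish.net"],
    "Byzantine Candor": ["hugesoft.org", "arrowservice.net",
                         "www1.earthsolution.org", "wwwt.infosupports.com"],
    "Mirage": ["update.3322.org"],   # constructed subscriber label
}

# Constructed (hypothetical) grouping of netblocks quoted in the report.
REPORT_NETBLOCKS = {
    "APT1": ["58.246.0.0/15", "112.64.0.0/15", "139.226.0.0/15"],
    "Red October": ["178.63.208.49"],
    "Mirage": ["114.240.0.0/20"],
}

# Dynamic DNS parents: the parent is not itself an indicator, the subscriber's
# label under it is, so such names are not collapsed to the parent.
DYNAMIC_DNS_PARENTS = {"3322.org"}


def registered_domain(host):
    """Collapse a host name to the name that was actually registered.

    A leading '*' wildcard and leading 'www'-style labels are dropped. Under a
    dynamic DNS parent the subscriber's label is kept, because two subscribers
    of 3322.org share nothing but the provider.
    """
    labels = [l for l in host.lower().strip(".").split(".") if l != "*"]
    parent = ".".join(labels[-2:])
    if parent in DYNAMIC_DNS_PARENTS and len(labels) >= 3:
        return ".".join(labels[-3:])
    while len(labels) > 2 and labels[0].startswith("www"):
        labels.pop(0)
    return ".".join(labels)


def shared_domains(report_domains):
    """Return {registered_domain: [reports]} for domains named by 2+ reports."""
    seen = defaultdict(set)
    for report, hosts in report_domains.items():
        for host in hosts:
            seen[registered_domain(host)].add(report)
    return {d: sorted(r) for d, r in seen.items() if len(r) > 1}


def covering_netblocks(report_netblocks, addr):
    """Return [(report, netblock)] for every published block containing addr.

    A bare address in a report is treated as a single-host block (/32).
    """
    ip = ip_address(addr)
    hits = []
    for report, blocks in report_netblocks.items():
        for block in blocks:
            net = ip_network(block, strict=False)
            if ip.version == net.version and ip in net:
                hits.append((report, str(net)))
    return sorted(hits)


def correlate_log(report_netblocks, log_lines):
    """Map each src=<ip> in key=value style log lines to the blocks covering it."""
    matches = {}
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        src = fields.get("src")
        if src:
            hits = covering_netblocks(report_netblocks, src)
            if hits:
                matches[src] = hits
    return matches


# Constructed firewall-style log lines for illustration.
SAMPLE_LOG = [
    "2013-03-01T09:12:44Z action=allow src=58.247.12.5 dst=10.0.0.7 dport=443",
    "2013-03-01T09:13:02Z action=allow src=8.8.8.8 dst=10.0.0.7 dport=53",
    "2013-03-01T09:15:10Z action=allow src=178.63.208.49 dst=10.0.0.9 dport=80",
]

if __name__ == "__main__":
    for domain, reports in sorted(shared_domains(REPORT_DOMAINS).items()):
        print(f"{domain}: {', '.join(reports)}")
    for src, hits in correlate_log(REPORT_NETBLOCKS, SAMPLE_LOG).items():
        print(f"{src}: {hits}")
```

Only the two domains the report itself lists for both APT1 and Byzantine Candor survive the collapse; the 3322.org label stays distinct, as the text's point about Dynamic DNS parents requires.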

4 HB Gary. (Feb 10, 2010). Operation Aurora. Retrieved from http://hbgary.com/hbgary-threat-report-operation-aurora
5 Stewart, J. (Feb 29, 2012). The Sin Digoo Affair. Retrieved from http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/
6 Ragan, S. (Jan 27, 2010). Was Operation Aurora really just a conventional attack? Retrieved from http://www.thetechherald.com/articles/Was-Operation-Aurora-really-just-a-conventional-attack/9124/
7 Stewart, J. (Feb 29, 2012). The Sin Digoo Affair. Retrieved from http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/


Revised Attack Timeline

Considering the information which was discussed and presented, below is a revised attack timeline, consolidating individual campaigns into the likely perpetrator of the attack and extending as necessary.

Events that Correlate

Using the technical data and behavioral analysis above, individual incidents of reported hacking in news media can be connected to campaigns. Below are several incidents that demonstrate strong correlation to the information discussed above.

Norway, November 2011

Norway had the most prolific series of cyber-attacks in the country's history in November 2011.8 As reported by Norway's National Security Agency (NSM), more than 10 firms were targeted by an advanced persistent threat using spear-phishing attacks, many of which were in the oil industry.9 The attacks may have been ongoing for over a year. The companies were unaware of the attacks until concerned employees reported receiving suspicious emails.

No specific information was released on the tools or malware that were used to conduct these attacks; however NSM noted that a virus was used in conjunction with tailored spear-phishing attacks making use of trojan attachments.10 It appeared that the purpose of the attacks was large-scale data exfiltration. As was the case in Night Dragon, the NSM bulletin suggests that the attacks varied slightly each time so as to avoid AV detection. An article by Defense News quotes NSM as stating that "the attacks have, on several occasions, come when the companies have been involved in large-scale contract negotiations."11 This could suggest that the attackers were privy to the negotiations. Interestingly, in 2010 Norway's Statoil was engaged in negotiations with China Oilfield Services, Ltd. (COSL). According to the Wall Street Journal, COSL is the "oil-field services and rig-construction unit of state-controlled China National Offshore Oil Corp., the country's largest offshore oil and gas company by output."12

[Figure: Revised Attack Timeline, 2002–2013. Rows shown: PLA Unit 61398 [APT1, Byzantine Candor], The Elderwood Project, The Beijing Group [Mirage], Red October, Night Dragon, ShadyRAT.]

8 BBC News. (2011, November 18). Hackers attack Norway's oil, gas, and defence businesses. BBC News Technology. Retrieved from http://www.bbc.co.uk/news/technology-15790082
9 France-Presse, A. (2011, November 18). Norwegian defense firms hacked, intel reports. Defense News. Retrieved from http://www.defensenews.com/article/20111118/DEFSECT04/111180309/Norwegian-Defense-Firms-Hacked-Intel-Reports
10 NSM. (2011). Samme aktør bak flere datainnbrudd. Retrieved from https://www.nsm.stat.no/Aktuelt/Nytt-fra-NSM/Samme-aktor-bak-flere-datainnbrudd/
11 France-Presse, A. (2011, November 18). Norwegian defense firms hacked, intel reports. Defense News. Retrieved from http://www.defensenews.com/article/20111118/DEFSECT04/111180309/Norwegian-Defense-Firms-Hacked-Intel-Reports

The goal of the attacks appeared to be the collection of confidential information, such as usernames, passwords, industrial drawings, and other proprietary documents.13 This would seem to be consistent with the types of information sought in both Night Dragon and APT1. The timeframe of the attack aligns with the event timeline listed in the APT1 report, and within the report there is an event appearing in Norway. This is then a convergence of time and objectives across these operations which complements the tactical similarities involving the use of social engineering, persistent backdoors, and large scale data exfiltration.

Telvent, September 2012

In September 2012 Canadian energy company Telvent was infiltrated. Telvent is responsible for supplying control programs and systems for over half of the oil and gas pipelines in North and Latin America.14 The attackers installed malware which they used to steal project files related to Telvent's OASyS SCADA product. According to security blogger Brian Krebs, OASyS is "a product that helps energy firms mesh older IT assets with more advanced 'smart grid' technologies."15

The infiltration follows the same methodical approach exhibited in the Night Dragon and Norwegian intrusions. Not only was the malware difficult to detect, but it was planted using spear-phishing methods that targeted mid to high level executives.16 17

Perhaps the most convincing piece of evidence as to the origins of the attack is what appears to be a notification released by Telvent which identified malicious files and domains used for Command and Control (C2). The file names "fxsst.dll" and "ntshrui.dll" which appear in the Telvent notification also appear in the APT1 report, along with the domains "hugesoft.org" and "bigish.net" which are noted as mainstays of APT1 by Mandiant. Several security firms at the time also reported the belief that the attack had been perpetrated by the "Comment Group," an alias in the Mandiant Report for APT1. In fact, Mandiant actually mentioned the Telvent attack in their report under a section entitled "APT1 in the News."

The reason the Telvent attack is so important is that it represents the possibility for departure from simply data exfiltration. Although available information indicates that the goal of the attack was stealing software, the software could just as easily have been modified and replaced. Attacking a prolific energy ICS company like Telvent means that a trojan could be planted in the software, being unintentionally distributed to Telvent's customers and offering the perpetrator an avenue for more insidious attacks.

12 Simon Hall (2013, December 13). China, Norway Strike Oil Deal Despite Tensions. Wall Street Journal. Retrieved from http://online.wsj.com/article/SB10001424052748703727804576016841533225226.html
13 Ibid.
14 Vijayan, J. (2012, September 26). Energy giant confirms breach of customer project files. Computerworld. Retrieved from http://www.computerworld.com/s/article/9231748/Energy_giant_confirms_breach_of_customer_project_files
15 Krebs, B. (2012, September 26). Chinese hackers blamed for intrusion at energy industry giant Telvent. Retrieved from http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/#more-16936
16 Vijayan, J. (2012, September 21). Cyber espionage campaign targets energy companies. Computerworld. Retrieved from http://www.computerworld.com/s/article/9231596/Cyber_espionage_campaign_targets_energy_companies
17 Ibid.


Attribution

China

Perhaps the most readily apparent attribution is to China as a state actor – the APT1 report makes a convincing argument for this which offers a lot of very well constructed circumstantial evidence. Night Dragon highlights the use of a RAT known as zwShell which was used both to perform C2 and to create custom trojans. Interestingly, upon launch zwShell displays an error dialog with a hidden text field and the program will not function unless the password 'zw.china' is entered into this hidden text field. The ranges of consecutive IP addresses used were large enough that it is likely that the Chinese government had to be involved in some capacity.

China certainly possesses the motive to commit the attacks – according to the Washington Times, China is already surpassing the United States as the number one oil importer from the Middle East18, and is poised to become the number one oil importer globally.

Increasing Demand

Chinese demand for oil has grown dramatically as its economy continues to expand. Since the mid-1990s, China has been a net importer of oil.19 The continuous growth of the Chinese economy has resulted in vast increases in the need for fuel and petro products. China has doubled its oil consumption in the last 10 years and become the second largest consumer of oil in the world behind the U.S.20 Like the U.S., China is now dependent on its oil imports to feed its thriving economy. It is estimated that China's import dependency could rise to over 50% by 2020.1

China's oil refineries are not capable of handling the current demand the economy is placing on them. There is evidence that the refineries used for fuel are at a competitive disadvantage when compared to other countries. To complicate matters, many Chinese oil refineries are also oriented to the making of diesel and not gasoline, which is in increasing demand.1

This means China is in great need of more sources of oil and more efficient refineries. The development of improved refining and mining equipment takes years and can cost millions of dollars. Exploration costs for finding new oil reserves have almost tripled in the past decade.21 They could save billions of dollars and shave years of research off by acquiring technology from petrochemical corporations that are already heavily invested in this continuing process. It also means that China would be able to compete in the global marketplace much sooner and more competitively than if they waited to develop the technology on their own. This establishes that there are significant reasons for China to act on behalf of its own oil industry and use its state resources to conduct cyber-attacks against corporate entities worldwide.

18 Hill, P. (March 14, 2013). China poised to top U.S. as oil buyer; increased car sales spur jump. Retrieved from http://www.washingtontimes.com/news/2013/mar/14/china-poised-to-top-us-as-top-oil-buyer/?page=all
19 Skeer, J. (2007). China on the move: Oil price explosion? Energy Policy, 35(1), 678-691. http://discover.lib.purdue.edu:3210/purdue?ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&ctx_tim=2013-03-09T15%3A59%3A35IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi%2Ffmt%3Akev%3Amtx%3Actx&rfr_id=info%3Asid%2Fprimo.exlibrisgroup.com%3Aprimo3-Article-wos&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3A&rft.genre=article&rft.atitle=China%20on%20the%20
20 Index Mundi. (2012). Country comparison > Oil – consumption > Top 10. Retrieved from http://www.indexmundi.com/g/r.aspx?v=91&t=10
21 Johnson, C. (2010). Oil exploration costs rocket as risks rise. Retrieved from http://www.reuters.com/article/2010/02/11/us-oil-exploration-risk-analysis-idUSTRE61A28X20100211


China's Oil Production

[Figure: China's Oil Production in Thousands of Barrels per Day.22]

As seen in the chart above, China experienced a significant increase in oil production during 2009. This spike in production could be due to information that China gained from US firms through cyber espionage actions, such as Night Dragon. The Night Dragon attacks were believed to have begun circa 2007. According to Kirk, information taken during these attacks includes market intelligence reports and information on operational production systems.23 Similarly, the Mandiant report shows that the APT1 group has monitored Mandiant's energy industry customers from approximately the beginning of 2009 to 2012.24 During these attacks, APT1 would export terabytes of data from the victims to China. In tandem with these revelations, China also aggressively pursued oil supply contracts during 2009.25 During this time major Chinese state oil companies acquired holdings in 18 different countries. China is determined to take on oil and gas infrastructure development and to acquire oil industry assets.26

Although there is evidence that China has been conducting cyber espionage activities against oil industry targets as far back as 2007, there is only trivial growth until 2009. This could be a result of the time and resource commitment required to process the data that was acquired. As mentioned, both the Night Dragon and APT1 attacks stole an enormous amount of data from English speaking companies. It is necessary for English-fluent operators to sift through this data and extract actionable information to report. This information would also need to be provided to experts in the field who could recognize its value, and that process would have to be done discreetly so as not to arouse suspicions. This would take time. The Mandiant report comments on the fact that there are limited English-fluent operators directly involved in the technical end of APT1, which would significantly hinder progress.27 Considering these factors and the timeframe for growth presented above, it is conceivable that the information and strategy for its use would not be available until 2009. At this point, China could act to increase the output of the holdings that they currently owned. Also, the information gained from market intelligence reports and possibly exploration reports could guide the state companies in deciding which new holdings to purchase during this time period. The new holdings would allow for increased output overall.

China's Investments

China's fervor for oil acquisition has not been limited to aggressive increases in holdings and contracts. These activities are likely only one piece of a global strategy to secure China's future oil requirements, including reserves that may not be productive today or in the immediate future. This overarching strategy has apparently led to a pattern of quiet investment, which may be a direct cause for concern in America. An article appearing in the Associated Press discusses these Chinese investments in Venezuela, the country with the largest proven oil reserves as of 2011, and throughout the Caribbean and South America. The article notes that "when Venezuela seized billions of dollars in assets from Exxon Mobil and other foreign companies, Chinese state banks and investors didn't blink. Over the past five years they have loaned Venezuela more than $35 billion." They have similarly provided aid to countries like Ecuador, another country within the top 20 of proven oil reserves. In some cases it appears that the Chinese are making loans that the countries will likely be incapable of repaying, placing them squarely within China's control. Many of the deals included "repayment in oil and natural gas" and billions of dollars have been loaned directly to energy companies in Russia and Turkmenistan, both of which have been targeted in cyber espionage campaigns and are in the top 5 for proven natural gas reserves.

22 U.S. Energy Information Administration. (2013, February 12). International Energy Statistics [Data file]. Retrieved from http://www.eia.gov/cfapps/ipdbproject/iedindex3.cfm?tid=5&pid=53&aid=1&cid=CH,&syid=2006&eyid=2012&unit=TBPD
23 Kirk, J. (2011, February 10). 'Night Dragon' attacks from China strike energy companies. Retrieved from http://www.networkworld.com/news/2011/021011-night-dragon-attacks-from-china.html
24 Mandiant. (2013, February 18). APT1: Exposing one of China's cyber espionage units. Retrieved from http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
25 Hayward, D.L.L. (2009, June 18). China's oil supply dependence. Journal of Energy Security. Retrieved from http://www.ensec.org/index.php?option=com_content&view=article&id=197:chinas-oil-supply-dependence&catid=96:content&Itemid=345
26 Ibid.
27 Mandiant. (2013, February 18). APT1: Exposing one of China's cyber espionage units. Retrieved from http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Although the IEA has predicted that America is moving towards energy independence and is poised to become the number one oil exporter by 2017, the loans are breeding closeness with and reliance on China by countries in close proximity to the US. This could allow for the Chinese to weaken American influence in the region and create agitation against the US or between other countries within the region in order to distract the US from its goals in other areas strategic to the Chinese. These deals also place China in the supply chain for borrowers' projects where China has insisted on Chinese companies being involved as a stipulation of the loan. These loans have not required any economic reforms to accompany them, meaning that countries which could not secure a loan from the IMF due to poor financial decisions may continue to flounder in spite of aid, perhaps even more so because of it. In the worst case scenario, these countries become unstable. While this may cause issues to the Chinese in some logistical capacities, it would also serve to divert some of America's attention, making the situation a palatable outcome for China.

Other actors

An analysis of these events would be remiss without exploring any other possible attribution. Though unlikely, it is possible that there were other actors involved. As pointed out by Eugene Kaspersky in his criticism of the ShadyRAT report, some of the tools and techniques are generic enough to not lend themselves to attribution to a particular entity. Even the ones that are of Chinese origin do not of themselves implicate the Chinese government, only an actor familiar with how the tool works or minimally trained in Mandarin. A large portion of these tools were freely available on underground Chinese hacking sites. Chinese hacking collectives or corporations may have been independently involved. However, due to the suspicions voiced in the leaked diplomatic cables suggesting PLA involvement28 and Mandiant's research on the topic indicating the same29, it is highly unlikely that the Chinese government was not involved whatsoever. These sources, and the timeframe in which the attacks occurred – between roughly 9 am and 5 pm consistently over a protracted period of time30 31 – are indicative of a formalization of the activity. This is further evidenced by the resources required to carry out the attack and the Chinese government's grasp on censorship of their citizens through technical controls. Terabytes of data infiltrating the country is unlikely to have been missed, particularly over the course of a decade of activity.

If China had been involved in any capacity in cyber espionage attacks and this had been discovered by another entity, said entity might have leveraged this knowledge to collude with them either through coercion, cooperation, or clandestinely without the Chinese government knowing. Though this may seem far fetched, a report released by a Luxembourg security firm details how, in the wake of Mandiant's APT1 report, they decided to engage in an intelligence gathering operation on the APT groups operating out of China. By scanning Chinese IP ranges for C2 servers known to be used in the APT1 attacks and exploiting weaknesses in the attackers' C2 infrastructure, they were able to access, monitor, and control the APT infrastructure without the adversary's knowledge. Bloomberg also hinted at the possibility of American security firms acting in a similar way when they "exploit[ed] a hole in the hackers' security … logging the intruders' every move as they crept into networks..." Knowing that the Chinese were actively engaged in such operations and likely turning a blind eye to any infiltration of data, another actor operating through China and attempting to incriminate China could have engaged in cyber espionage as well. This is truly a stretch of the imagination, and there is no evidence whatsoever to support this theory. The most likely case for any attribution involves the Chinese government in some capacity.

28 Glanz, J. & Markoff, J. (Dec 4, 2010). Vast Hacking by a China Fearful of the Web. Retrieved from http://www.nytimes.com/2010/12/05/world/asia/05wikileaks-china.html?pagewanted=all&_r=0
29 Mandiant. (Feb, 2013). APT1: Exposing One of China's Cyber Espionage Units. Retrieved from http://www.mandiant.com/APT1
30 Ibid.
31 McAfee® Foundstone® Professional Services and McAfee Labs™. (Feb 10, 2011). Global Energy Cyberattacks: "Night Dragon". Retrieved from http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf


Significance Going Forward

The most important takeaway from these incidents is the significance they hold to the future of the Oil & Gas industry. Inexorably, Oil and Gas is intertwined with the Cyber domain, and will only continue to become more so as time progresses. The increased reliance on technology means that more and more data and control will be accessible to the attackers in the future. A large contingent of the attacks relied on social engineering and spear phishing as a point of entry, though there is a shift toward "watering hole" attacks. This is significant because even as technical controls get better, unwitting employees and their behavior will continue to be a focal point in targeted attacks.

Automation via SCADA/ICS has been an integral part of the Oil industry's past and will be even more so in the future. Attacks like the Telvent attack herald an insidious turn of events for SCADA within Oil & Gas. The attackers seemed intent on stealing SCADA software, but it is conceivable that they could have taken such an opportunity to embed their own code within it, providing a capability to manipulate large swaths of North American pipeline at will. This is not meant to be alarmist, but rather considers the next evolution of attack. Leveraging malicious SCADA software to achieve a kinetic outcome is not the baseline going forward, but it is well within the realm of possibility. The nature of a capability like this means that it can only be leveraged to catastrophic effect once, so the possibility of an entity using it outside of sustained or ardent conflict is low. However, using this on a micro-scale, and degrading service or quality of service through manipulation of malicious software on the PLCs or HMIs, could be more viable in a peacetime setting, and less noticeable. This type of activity could be used at the height of negotiations or disputes to put an adversary in a compromising position, or simply distract them.

The Cyber-warfare doctrine of large nation-states like China and Russia that have a huge stake in the Oil & Gas Industries is one of perpetual conflict. Timothy Thomas discusses this in his books Recasting the Red Star and The Dragon's Quantum Leap. The idea of an "active defense" and keeping potential competitors "off balance" is the posture going forward. The concept of peace being a time without conflict is rapidly disappearing. As globalization has become the status quo and global economies become ever more entangled, the threat of a large-scale kinetic confrontation between top tier economic powerhouses is nearly strategically unviable. Instead, both state and non-state actors will use constant conflict in the Cyber realm as a method for accruing resources and exercising control. While cyber conflict often brings to mind the idea of SCADA initiated pipeline explosions, the theft of intellectual property and business communications is far more likely to continue. This type of low intensity conflict is cost-effective and politically sustainable in an environment where direct attribution is at times difficult. The idea of a constant or long term "ally" or "strategic partner" is no longer valid – coordination will be largely issue specific, and only to the extent required to achieve an end. While coordinating on one topic, nations will be in conflict on another. This is not in any way a revolutionary or new idea; however it is becoming more and more relevant to salient industries operating within their own nation state and abroad as they become far more accessible and targetable in this type of conflict.

Non-state actors will play a huge role in future cyber conflict within the oil and gas industry. The Norway attack which coincided with a meeting by a state-backed Oil & Gas company may suggest that they already are playing a role. Certainly Antivirus & Incident Response companies are playing a role as non-state actors by releasing these reports. But aside from cooperation with State actors, non-state actors may operate independently against other non-state actors in pursuit of competitive advantage or sabotage. Hacker collectives like Anonymous could have an out-sized impact if more highly organized, and the attacks they have already carried out could become more severe – instead of simply releasing email addresses, they could release bid data, or attempt something more destructive akin to a Shamoon type attack.

The release of reports on APT is in a way its own form of cyber conflict; the rhetoric of these reports is an information influence operation, both targeted at potential customers and at adversaries. These reports also allow adversaries to see how they were detected and correct mistakes going forward. It is likely that future attacks will lack the types of unprofessional mistakes made during these campaigns. The embedding of personal signatures (à la UglyGorilla) or the use of passwords like "zw.china" will diminish significantly. If an attacker wished to be more anonymous, it would start to transition to open-source and generic tools exclusively – tools which are common enough that they do not provide significant attribution. Tools like the Metasploit framework provide a high degree of extensibility without offering a significant amount in the way of attribution by tool choice. If not a transition like this, then using tools stolen from other attackers or written in other languages would complicate attribution. The move within the Information Technology world toward more forensically resistant technologies such as SSDs and Cloud Service infrastructures, which make attribution and legal jurisdiction much more convoluted, will continue to be a catalyst for future attacks alongside services already in use like Dynamic DNS.

These cyber espionage attacks are likely the newly established baseline for future cyber conflict within the Oil & Gas Industry. Attacks of this nature and magnitude will continue to originate from places which do not have laws against it or are complicit, including China, which has a need to secure oil dominance in the future. However, increasing international pressure will necessitate more covert action, with attackers dispersing their operators or proxies throughout large geographic areas. Non-state actors will likely present APT threats in the future, including State-backed and independent competitors.


Sabotage
Middle East, 2012

Another series of events may be connected as well, and while they bear no immediately apparent relationship, closer inspection is suggestive of the possibility of another underlying and ongoing conflict. To understand the context of the exchange, a non-oil-related cyber event must be briefly discussed. A relatively unprecedented cyber-attack came to light in 2010 when the Stuxnet virus hit the uranium enrichment centrifuges in Iran. Iran believes the attack was conducted by Israel or the United States. This attack had targeted the information networks of offshore platforms; however, they reported that they were able to defend against the attack.[32] Iran may have thought it was Israel because they had threatened to take military action if the sanctions on Tehran's banking and oil sectors did not stop Iran from continuing their nuclear program. The attacks targeted Iran's infrastructure and communications companies, which slowed the Internet in Iran. Israel and the United States have denied being a part of this attack.

Then, in April of 2012, Iran was again the target of a cyber-attack. The Islamic Republic reported that a computer virus was detected inside the control systems of Kharg Island, which controls Iran's crude oil exports.[33] This virus began to attack several of the main Persian Gulf oil terminals in Iran, which forced the Iranian officials to disconnect them from the Internet to avoid spreading the virus.[34] This virus, known as Wiper, successfully erased information from hard disks at the Oil Ministry's headquarters in Tehran.[35] The headquarters had apparently been the initial target of the virus. Oil Ministry officials reported that the international selling division had not been infected, but many security vulnerabilities were exposed. Iran is one of the world's largest oil producers, and an attack could affect the market and raise oil prices globally.[36]

As with the Stuxnet worm, Iran blamed Israel and the United States for the spread of Wiper. Iranian officials believe they were targeted because of their growing nuclear program.[37] Other affected organizations include the National Iranian Oil Processing and Distribution Company, National Iranian Gas Company, Iranian Offshore Oil Company, Pars Oil and Gas, and other companies controlled by the National Iranian Oil Company.[38] The destruction of this data doesn't provide much in the way of direct monetary gain for any criminal elements. The real advantage gained by unleashing Wiper is to put pressure on Iran by causing economic loss and reminding them that they are vulnerable. The president of the Tehran World Trade Center, Mohammad Reza Sabzalipour, believes the cyber-attack was indeed a direct message. The aim was to increase pressure so that Iran will compromise in the upcoming nuclear talks on May 23, 2012. He later states, "We are in a bloodless war. If the talks fail, Iran can expect much more of this."[39]

[32] Erdbrink, T. (2012, April 23). Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet. The New York Times. Retrieved from http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amid-cyberattack.html?_r=0
[33] Reuters. (2012, October 08). Cyber attackers target Iranian oil platforms: official. Reuters. Retrieved from http://www.reuters.com/article/2012/10/08/us-iran-cyber-idUSBRE8970B820121008
[34] Ibid.
[35] Erdbrink, T. (2012, April 23). Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet. The New York Times. Retrieved from http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amid-cyberattack.html?_r=0
[36] Ibid.
[37] Ibid.
[38] Ibid.
[39] Ibid.


An oil embargo in concert with other economic sanctions by the United States and EU was announced in late 2011 in an effort to discourage any further Iranian nuclear activity. In March of 2012, the Obama administration announced that the market could withstand the embargo of Iranian oil, and raised US-Iran tensions over the issue.[40] Saudi Arabia had also indicated that it would boost oil exports to the US and abroad to compensate for the void that would be left by the sanctions on Iran.[41] As the fifth largest oil producer in the world, the Iranian oil industry accounts for about 20 percent of Iran's GDP.[42] Both the embargo and the virus represent serious and direct concerns for the Iranian government.

Then in August of 2012, only four months after the embargo, a virus named Shamoon struck Saudi Arabian oil giant Aramco.[43] The virus was triggered on a Muslim holiday when most of the company's employees were absent from work. Shamoon was designed to replace data on hard drives with a picture of a burning American flag and report the address of the computer back to a separate computer inside the company network.[44] This is potentially significant because Aramco is the world's largest producer of oil, and was originally a joint effort with the United States (Arabian American Oil Company).[45,46] Additionally, Shamoon contained a function called "Wiper" which was responsible for the deleting of files. The name "Wiper" and the shared functionality of the two are somewhat suggestive. Interestingly, a previously unheard-of "hacktivist" group identifying themselves as "The Cutting Sword of Justice" took credit for the attack, and not a nation-state. They claim the virus has given them access to documents on Aramco's computers, but none have been published yet.[47] The attack was believed to have been assisted by an insider at the company. Another note of significance about Shamoon is that the text "Arabian Gulf" was found in the code, which is pertinent because Iran has zealously guarded the title of the region as the "Persian Gulf."[48]

Although Wiper and Shamoon share a few common characteristics, they are significantly different. Both viruses have been analyzed by Kaspersky Labs, who has concluded that although Shamoon contains a wiper function that is designed to overwrite data, it is not as well-designed as Wiper and not nearly as efficient.[49] The care that was taken by whoever made Wiper to ensure it did as much damage as possible in the shortest amount of time is what differentiates it from Shamoon's wiping feature. Since wiping a disk with hundreds of gigabytes of storage can take an extremely long time, Wiper was designed to target files with certain extensions or in certain folders to do as much irreparable damage as fast as possible. Kaspersky claims that Shamoon was merely a copycat virus that was "the work of script kiddies inspired by the story."[50] They also claim that Shamoon was probably the work of a non-state group and that Wiper was most likely the product of a nation-state.[51] Even though Shamoon was not on the same level as Wiper, it is still an impressive piece of malware that was able to do damage to important systems. Whether it was the unimpressive work of a nation-state or the work of a skilled group of non-state actors, it made an impact and had an effect on Saudi Aramco.

[40] Mathews, C. (2012, Mar. 30). Obama moves forward with Iran sanctions despite oil price spike. Retrieved from http://blogs.wsj.com/corruption-currents/2012/03/30/obama-moves-forward-with-iran-sanctions-despite-oil-price-spike/
[41] Flintoff, C. (2012). Sanctions may squeeze Iran…and raise oil prices. NPR. Retrieved from http://www.npr.org/2012/06/30/155993909/sanctions-may-squeeze-iran-and-raise-oil-prices
[42] Katzman, K. (2012, Mar. 28). Iran sanctions. Congressional Research Service Report for Congress. Retrieved from http://fpc.state.gov/documents/organization/187388.pdf
[43] Perlroth, N. (2012, Oct. 23). In cyberattack on Saudi firm, U.S. sees Iran firing back. The New York Times. Retrieved from http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all
[44] Ibid.
[45] Forbes (2012). The world's biggest oil companies. Retrieved from http://www.forbes.com/pictures/mef45ggld/1-saudi-aramco-12-5-million-barrels-per-day/
[46] Encyclopedia Britannica (2013). Aramco. Encyclopedia Britannica. Retrieved from http://www.britannica.com/EBchecked/topic/31594/Aramco
[47] Reuters (2012, Dec. 9). Aramco says cyberattack was aimed at production. The New York Times. Retrieved from http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html
[48] Perlroth, N. (2012, Oct. 23). In cyberattack on Saudi firm, U.S. sees Iran firing back. The New York Times. Retrieved from http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all
[49] GReAT-Kaspersky Labs (2012, Aug. 16). Shamoon the Wiper – Copycats at Work. Securelist. Retrieved from https://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work
[50] Ibid.
[51] Ibid.
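The Wiper behavior described above, overwriting or deleting targeted file types as fast as possible, is also what a defender can alert on. The following is an added example, not code from the report or from Kaspersky: it flags any process whose destructive actions on targeted extensions cluster inside a short window, while a slow backup job touching the same file types stays quiet. The log format, host names, extension set and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import os

# Constructed for this example: extensions a data-destroying wiper would go after first.
TARGET_EXTENSIONS = {".doc", ".xls", ".pdf", ".mdb", ".bak"}


@dataclass(frozen=True)
class FileEvent:
    ts: int        # seconds since epoch (constructed values below)
    host: str
    pid: int
    action: str    # "overwrite", "delete", "read" or "create"
    path: str


def parse_event(line: str) -> FileEvent:
    """Parse one constructed 'ts host pid action path' record (path may contain spaces)."""
    ts, host, pid, action, path = line.split(maxsplit=4)
    return FileEvent(int(ts), host, int(pid), action, path)


def is_destructive(ev: FileEvent) -> bool:
    """True for an overwrite or delete that hits one of the targeted extensions."""
    ext = os.path.splitext(ev.path)[1].lower()
    return ev.action in ("overwrite", "delete") and ext in TARGET_EXTENSIONS


def detect_wiper_bursts(events, window=60, threshold=20):
    """Map (host, pid) -> peak number of destructive hits inside any `window`-second
    span, for every process whose peak reaches `threshold`. A job that deletes the
    same kinds of files slowly never accumulates enough hits in a single window."""
    stamps_by_proc = defaultdict(list)
    for ev in events:
        if is_destructive(ev):
            stamps_by_proc[(ev.host, ev.pid)].append(ev.ts)

    alerts = {}
    for proc, stamps in stamps_by_proc.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            # advance the left edge until every event in [left, right] lies within `window` s
            while ts - stamps[left] >= window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts[proc] = peak
    return alerts


# Constructed sample: one process overwriting 24 targeted files in 46 seconds
# (wiper-like burst), a backup job deleting .bak files ten minutes apart, and
# two non-qualifying events from the same burst process.
SAMPLE_LOG = (
    [f"{1000 + 2 * i} oilmin-fs01 4120 overwrite C:/Share/Contracts/report {i}.{ext}"
     for i, ext in enumerate(["doc", "xls", "pdf", "mdb"] * 6)]
    + [f"{2000 + 600 * i} oilmin-fs01 880 delete D:/Backup/nightly {i}.bak" for i in range(10)]
    + ["1010 oilmin-fs01 4120 read C:/Share/Contracts/index.txt",
       "1012 oilmin-fs01 4120 overwrite C:/Share/Contracts/notes.txt"]
)


def run_sample():
    """Parse the constructed log and return the alerts for it."""
    events = [parse_event(line) for line in SAMPLE_LOG]
    return detect_wiper_bursts(events)


if __name__ == "__main__":
    for (host, pid), peak in run_sample().items():
        print(f"ALERT {host} pid={pid}: {peak} destructive hits on targeted files within 60 s")
```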

These insights raise the question of whether or not this was an isolated attack by a non-state actor, or whether it was one in an ongoing series of salvos between the Iranian and US cyber communities. Iran certainly possessed the motive – retribution for sanctions levied against it, and the cooperation by Saudi Arabia, a Sunni Muslim nation which has been at odds with Shiite Iran before. Typically, however, in an act of retribution the attacker invites attribution, which Iran did not. Also, despite causing destructive action to the data on the computers, the virus did not attack the actual control systems and as a result did not manage to damage oil production. The relative crudeness of the code and use of the term "Arabian Gulf", in concert with the insider knowledge of the hacktivist group "The Cutting Sword of Justice" and the use of an Aramco insider to facilitate the attack, could suggest that it was simply a singular attack by a non-state actor.

Iran's doctrine is one of asymmetric and proxy warfare. It has been suggested that Iran used unofficial hacker groups such as the "Iranian Cyber Army" to both defend against and engage in attacks.[52] It is possible that "Arabian Gulf" was a red herring intended to further obscure the origin of Shamoon.[53] Using a proxy to launch an attack aligns with Iran's strategic culture, but the exact author is not known. It is possible that Iran did not wish to engage in direct conflict, but intended to make the sanctions less viable by ensuring Aramco would be unable to supply the necessary volume of oil. If this were the case, then the attack would show a severe flaw in Iran's understanding of the oil production systems by not attacking the control systems instead, which should be unlikely due to Iran's own expertise in oil production; or it may have been intended to send a message advertising the capability while not crossing a direct line by inflicting significant infrastructure damage. This, however, is pure speculation and not empirically derived analysis. If Iran did in fact orchestrate the Shamoon attack, it would suggest that the series of attacks on Iranian critical infrastructure were followed by retaliation on the American oil supply chain. This would indicate an ongoing and escalating conflict that should be cause for concern.

[52] Rezvaniyeh, F. (2010, Feb. 26). Pulling the strings of the net: Iran's Cyber Army. PBS. Retrieved from http://www.pbs.org/wgbh/pages/frontline/tehranbureau/2010/02/pulling-the-strings-of-the-net-irans-cyber-army.html
[53] Perlroth, N. (2012, Oct. 23). In cyberattack on Saudi firm, U.S. sees Iran firing back. The New York Times. Retrieved from http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all


An Incident of Note

One incident which appears on the list is singular in that, unlike the other noted events, it does not appear to be the result of a direct cyber-attack: the Deepwater Horizon oil spill. On April 20th, the culmination of severe neglect of safety protocols and a slew of design and implementation flaws incurred the worst environmental disaster in US history.[54] While drilling the Macondo well in the Gulf of Mexico, the Deepwater Horizon oil rig had a "blowout" in which an uncontrolled mixture of mud and gas was released after failure of pressure control systems. The gas spread across the rig and is believed to have first ignited in the engine room, initiating several explosions and causing the rig to eventually be engulfed in flames and sink.[55] The reason the "Deepwater Horizon" event appears on a list of "cyber-related oil industry events" is because, regardless of the cause, the incident had several failures in networked control and safety systems which could have prevented the catastrophe from occurring after the blowout.

The former chief electronics technician on the rig, Michael Williams, noted during testimony before a government panel that the alarms which would notify the crew of a gas situation were placed in an "inhibited" mode for over a year because "they did not want people woke up at 3 o'clock in the morning due to false alarms [sic]."[56] Additionally, other monitoring and control systems intermittently froze, and a fire and alarm system was set to "override active." Despite a series of four tests conducted in the hours before the incident to ascertain the integrity of the well, no alarms were sounded or reported directly before the incident. These control issues solidify the idea that there was a cyber component to the catastrophe. When taken into the context of other events which occurred in and around the same time period, it becomes clear that though there is no direct evidence pointing to a malign threat actor's involvement, such an attack is technically viable.

It is incredibly unlikely that any state or non-state actor was involved in an attack on the Deepwater Horizon; however, the circumstances preclude the exclusion of this possibility, remote though it may be. The Blowout Preventer (BOP) was recovered and forensically examined, but most other evidence cannot be examined – it has either ceased to exist or is inaccessible. The destructive nature of the accident and the apparent corporate neglect make collecting any cyber-forensic evidence linking the incident to an actor infeasible. Most evidence is destroyed, unusable, or largely inaccessible at the bottom of the ocean. It is likely that any control system audit reports or logs capable of providing insight either would not have attributed anomalous activity to an unidentified APT, or would not be comprehensive enough to provide evidence that could retroactively suggest an APT. The audit logs themselves are dubious due to allegations that Transocean and BP were hastily rushing procedures because of large scheduling overruns.[57] Further allegations have surfaced against BP employees and contractors accusing them of destroying evidence in the wake of the disaster.[58] Bearing in mind that there is no direct or forensically sound evidence and that only circumstantial evidence is available, the vignette which will now be explored is the use case of the Deepwater Horizon incident as a cyber-attack.

Several events that have occurred both before and since the BP oil spill suggest that an attack would be technically feasible. According to an article attributed to Dorothy E. Denning, a professor of computer science at Georgetown University, in 1992 a disgruntled former employee of Chevron intentionally disabled alarm systems at Chevron's oil refineries for 10 hours by "hacking into computers in New York and San José, California."[59] While this only affected on-shore refineries and is dated enough that technical controls may have improved since then, another attack in 2009 showed that control systems on off-shore rigs may also be disabled remotely. Mario Azar, a disgruntled contractor formerly working for Pacific Energy Resources, sabotaged an offshore oil rig "computer system that PER used to communicate between its offices and its oil platforms. The computer system also served a 'leak detection' function for PER."[60] The systems were disabled from May 8th until June 29th before it was noticed.[61] And as recently as February 23rd, 2013, an article in the Houston Chronicle stated that "Malicious software unintentionally downloaded by offshore oil workers has incapacitated computer networks on some rigs and platforms, exposing gaps in security that could pose serious risks to people and the environment."[62]

[54] (David Barstow, 2010)
[55] (How the Rig Crew Responded to the Blowout, 2010)
[56] (Investigation of Deepwater Horizon Explosion, Mike Williams, 2010)
[57] (Drilling, 2011)
[58] (Affairs, 2012)
[59] (Denning, 2000)

These articles would seem to state that a cyber-attack on an off-shore rig is not only possible, but a reality. Complicated control system attacks such as Stuxnet have already proven that even in conditions where network access is unavailable, intelligent viruses can still perform a predetermined function at a designated time. By extension of these occurrences, it may be concluded that a capable attacker could manipulate safety control systems of an oil rig from shore, and do so through a sophisticated control system virus which can operate even when not in contact with a C2 server.

If it is assumed that Deepwater Horizon was an attack, it gives rise to the question of attribution. In order to attribute an attack for which there is no direct or forensic evidence, one must instead turn to political attribution. This includes considering which actors had the motive, means, and the opportunity to perform the attack. Motives can in part be divined through observation of the direct and indirect outcomes of the event and its beneficiaries. After narrowing the scope of actors, one may then examine the policies, strategic culture, operations, and tactics of relevant actors against different dimensions of the event to reveal alignment or correlation.

Immediate and direct impacts of the Deepwater Horizon oil spill were as follows:

- A moratorium on any drilling in the Gulf of Mexico for the ensuing 6 months
- The Macondo well becoming unusable, at least in the immediate term
- Ecological disaster in the United States and other GoM-adjacent countries
- Heavy political damage, fines, and charges levied against both BP and contractors such as Transocean, Ltd.

BP has been by far the biggest figure attached to the incident. As of March 2013, BP has been forced to spend or provision $40 billion as a result of Deepwater Horizon.[63] To put this in perspective, BP's combined profits for the years of 2010-2012 amount to about $34.6 billion.[64]

These impacts in and of themselves are notable, but they also created a ripple effect of indirect consequences as well. These indirect outcomes include the possible fluctuation in oil and gas prices and potential for geopolitical fallout from the ecological disaster. Additionally though, and perhaps most significantly, in 2011 BP announced a $38 billion asset divestment program in order to cover the costs of the enormous fines incurred by the Deepwater Horizon spill.[65] So what did BP divest, and to whom?

[60] (Mrozek, 2009)
[61] (United States of America v. Mario Azar, 2009)
[62] (Shauk, 2013)
[63] (Williams, 2013)
[64] (BP, 2012, p. 34)
[65] (BP, Financial and Operating Information 2007-2011, 2011, p. 3)


This data would suggest that one of the main beneficiaries of the oil spill is Rosneft, a state-owned oil company belonging to a state actor which possesses both a cyber capability and a vested interest in the oil industry. It is the only one of the top five oil-producing countries yet to be mentioned: the Russian Federation. In July of 2012, Forbes released an article on the World's largest oil companies. What was notable about the article was this quote: "But when sorting through the rankings of the World's 25 Biggest Oil Companies and looking at who controls and influences the biggest of big oil one thing becomes clear: no industry leader has more sway, has twisted more arms or made more deals than Russian President Vladimir Putin." The article goes on to point out the Russian President's past use of Gazprom—the state-run oil giant and second largest producer in the world—as a political tool and his vast influence over other non-Russian oil companies. Russia, an acknowledged force in cyber and the second largest exporter of oil in the world, is markedly absent in the last decade from the master timeline either as an aggressor or as a target, barring a few leaked emails by the Anonymous hacking group. This appears aberrant, even despite the possible language barrier mentioned at the beginning of this report or Russia's tightly controlled dissemination of information.

While clearly the Russian Federation was the largest beneficiary of BP's post-spill divestments and also benefited from a halt in Gulf of Mexico oil production, the question that remains is whether or not the possible acquisition of TNK-BP (which would be difficult to predict) is motivation enough to engage in a risky enterprise such as a cyber-attack that results in a kinetic outcome—particularly when weighed against the possibility of direct attribution that could have far-reaching implications to relations with both the UK and the US. If these benefits alone are not enough, then what other motivators existed which, in concert, would have been cause for Russia to launch a cyber-attack on a UK company operating in the Gulf of Mexico? In order to properly answer these questions, many factors need to be examined, including:

- The extent of BP-Russian relations leading up to and beyond the Deepwater Horizon incident
- Geopolitical considerations of the time
- Any competition in market share between BP and Russian state-controlled oil companies
- Russia's overall relation to and dependence on the oil industry
- Russia's strategic goals at the time
- A high-level understanding of the Russian approach to cyber warfare

[Figure: BP Asset Divestment Program, 2010-2013, shown as a timeline (2010 to 2013) following the Deepwater Horizon spill. Assets sold to: Anadarko Petroleum Corp, SOCAR, TAQA, Plains Exploration & Production, Rosneft, Apache Corp, Ecopetrol & Talisman, Marubeni Group, United Energy Group, Tesoro Corp. Key: upstream assets, downstream assets, countries with BP presence as of 2012.]


An interesting relationship between Russia and BP has unfolded over the past decade, revealing a series of exchanges that highlight a tenuous co-existence. The figure below displays this in detail, aligned with geopolitical events. The exchange begins in 2006 when the Russian state-run gas company Rosneft went public on the London stock exchange and BP purchased 1 billion in shares. This is a seemingly straightforward strategic partnering; however, there was speculation that BP was "pressured into investing in order to secure future oil exploration rights for its own Russian joint TNK-BP."[66] Robert Amsterdam, a lawyer for the former head of Yukos (an oil company absorbed by Rosneft), was quoted as saying that BP "has a gun held to its head."[67] Then in June 2007, the Russian government pressured BP to sell one of the world's largest natural gas fields to state-run Gazprom or lose the license to develop it.[68] 2008 presented perhaps the height of tensions when armed police raided BP-TNK's Moscow offices[69] in what appeared to be an effort to intimidate shareholders. This came on the heels of speculation that Russia wished to "buy out the shareholders of TNK-BP as part of its campaign to tighten control of the country's energy assets."[70] In a related vein, the BP-TNK CEO was forced to leave the country after Russian authorities refused to renew his visa.[71] Also in 2008, an important BP incident which did not appear to directly involve Russia occurred. Off the coast of Azerbaijan at the Central Azeri platform in the Caspian Sea, one of BP's off-shore rigs suffered a blowout nearly identical to that of the Deepwater Horizon. The gas did not ignite, and no one was killed; however, it did cost around $50 million a day in losses for the Azeri government. BP purposefully kept all details of the incident under close wraps, verging on a cover-up. Then the Deepwater Horizon event occurs in 2010, followed by the sale of TNK-BP to Russian state-run Rosneft in 2012 as part of the asset divestment program initiated to pay for the spill. In that deal, BP also purchased shares in Rosneft, upping their stake from 1.25% to 20% and receiving two seats on the board of directors, including one which was awarded to BP's current CEO Robert Dudley—the same gentleman who was forced to flee in 2008 over an un-renewed visa. However, according to a Reuters article published on March 4th of this year, "…as a state appointee, Dudley would have to vote by government directive on major issues, such as large deals and key appointments."[72] This remark is in contrast to another individual who had "been nominated as an independent and as such can decide for himself how to vote."[73]

[66] (Kennedy, 2006)
[67] Ibid.
[68] (Kramer, 2007)
[69] (Hodgson, 2008)
[70] Ibid.
[71] (Webb, 2008)
[72] http://uk.reuters.com/article/2013/03/04/uk-bp-rosneft-idUKBRE92310W20130304?feedType%3DRSS%26feedName%3DbusinessNews
[73] Ibid.


These Russia-BP relations coincide with an amalgam of geopolitical events not directly related to BP, but offering supporting context for eventual conclusions drawn about the Deepwater Horizon oil spill. Following the collapse of the Soviet Union in 1991, many of the state-owned oil and gas assets were sold at significantly discounted values to private individuals, creating an economic void for a fragile new country already plagued by monetary issues in other sectors. Russia faltered economically for most of the 1990s until Vladimir Putin was elected President in 2000 under a banner of planned economic prosperity. Putin is an interesting figure, and has played prominently in Russia's return to the world stage. A former KGB member, Putin has sought the consolidation and reclamation of critical sectors of the Russian economy, most notably the energy sector. Using strong-arm tactics and political pressure, he has set the tone for Russia's future policy. In 2006, Russia temporarily turned off the gas it was supplying to Ukraine, inciting conflict and unrest with other European countries. The move was cast as an overt attempt to regulate natural resource prices for a market in which Russia controls production and reaps profits from a customer base with limited alternate supply. Russia used the tactic again in 2009, shutting off gas supplies for two weeks to Ukrainian Naftogaz, ostensibly because of a dispute over contract terms which had been negotiated in 2002 regarding the appropriation of gas by Naftogaz. The ordeal was only resolved after Ukraine's Prime Minister sat down with Vladimir Putin and renegotiated a new contract for Russian gas, for which she later received a 7-year sentence on charges of abuse of power.

These events serve to highlight the importance Russia places on the energy sector as both a vital portion of its economy and a potent political tool. The Russian economy is heavily dependent on the oil & gas industries, with 62.7% of its economy being service-based industries in 2010.[74] Many economists have pointed to oil and gas prices as the Achilles heel of the Russian economy.[75,76,77] This was made evident in 2008 when oil prices plummeted (as seen in the figure below), sending the Russian economy spiraling into a recession. Prices hit a low in 2009, one year before Deepwater Horizon and at a time when reports were also stating that the overall output of Russian oil for 2010 was projected to decline.[78] This stagnation in the economy combined with future projections of slowed oil production presented a huge threat to Russia, and it is likely that this sentiment resonated with Russian authorities. As pointed out by a Forbes columnist, a sustained drop in oil prices like that in 2008 would mean possible civil unrest and political instability – oil and gas have that magnitude of effect.[79]

This resonance may perhaps be seen in the Russian National Security Strategy to 2020, published in May of 2009. The document outlines a path for Russia to continue to regain prominent global power, and within it there are several points which lend credence to a strategic view of oil and gas resources. The document states that "the longer-term focus of international politics will concentrate on the possession of energy resources, notably in the Middle East, on the Barents Sea shelf and other areas of the Arctic, in the Caspian Sea Basin, and in Central Asia."[80] The same publication also states that "the competitive search for resources does not exclude the use of force."[81] Force in this case does not necessarily indicate a military kinetic action, but exertion of both soft and hard power across all domains, including cyber.

[74] CIA Factbook 2012
[75] http://www.forbes.com/sites/kenrapoza/2012/04/03/oil-a-problem-for-russian-economy-official-says/
[76] http://www.ssb.no/a/publikasjoner/pdf/DP/dp617.pdf
[77] http://oilprice.com/Energy/Crude-Oil/Putin-Plays-Down-Russias-Deadly-Dependence-on-Oil-Gas-Revenues.html
[78] http://www.reuters.com/article/2009/10/14/russia-oil-production-idUSLE70186320091014
[79] http://www.forbes.com/sites/markadomanis/2012/12/01/russia-and-oil-a-recipe-for-preservation-of-the-status-quo/
[80] Thomas, T. (2011). Recasting the Red Star. Fort Leavenworth: Foreign Military Studies Office, p. 87.

What follows is a purely speculative narrative of one possible attack scenario, intended to highlight elements of Russian doctrine which align with aspects of the BP oil spill. It will also include techniques and tools which provide functionality that makes such an attack feasible.

So it is possible that after the oil price crash in 2008, Russian officials saw the danger to social and political stability in the country. Forecasts for Russian oil output around 2009 also suggested that not only were prices dropping, but overall production would as well, envisaging the specter of future unrest and hardship. Realizing the strategic importance of oil and the success they had garnered with previous market halts, they needed a way to either artificially inflate oil prices, increase demand for Russian oil, or increase oil output. It is worth noting that the price of natural gas (another huge component of the Russian economy) is inextricably linked to oil prices in most of Europe during this period because gas is price-indexed against oil. Unlike the natural gas incidents where Russia was able to use state-controlled Gazprom to halt gas leaving the country, a sizeable portion of the oil leaving the country was from privatized companies. It would be difficult to overtly prevent them from exporting without significant backlash from international communities (such as the World Trade Organization, where they had been seeking entry for some time), so action would need to be more covert. One of the largest of these private oil firms was TNK-BP, which Russian authorities had already attempted to strong-arm into government control as they had done with other smaller oil companies like Yukos. The other main exporter of oil to Western Europe at this time was BP plc, the 50% owner of TNK-BP. Therefore, control of TNK-BP would both increase oil revenues and state output, and simultaneously decrease a prime competitor's overall output. It would also give them a larger political weapon that could be used as a bargaining chip or to meet the aforementioned goal of price control. However, BP had proven recalcitrant and defiant about relinquishing TNK-BP in spite of the pressures which had already been applied. A past rocky relationship with BP combined with their recent safety failures and cover-up in the Caspian Sea also made them a viable target.

If they could not be motivated by conventional means, then Russia would have to revert to force as pointed out earlier in their National Security Strategy to 2020 ("the competitive search for resources does not exclude the use of force"). Sabotage could be a viable option; however, it would have to be on a large enough scale that BP would be put into a position where they would fold to Russian interests under the additional pressure. While an on-shore explosion would cause some delays in production and potential loss of life leading to litigation, off-shore destruction would have the potential to be significantly more damaging publicly, could also include loss of life, and would incur significant environmental fines in addition to safety fines.

The question would then be where to strike – BP holdings in the Caspian Sea would be too dangerous as any failures could easily implicate Russia and any success could cause collateral damage to Russian oil assets and coastal regions. The North Sea would be a potentially viable candidate, with multiple countries being affected resulting in more economic impact on BP; however, the currents are such that collateral damage could occur to other areas that Russia identified as vital fields of competition, namely the Barents Sea. BP's other major developments were in relatively new fields in the Gulf of Mexico (GoM) where BP planned to invest heavily. Russia has long seen (and continues to see) American power as a dangerous counter to its own, marking the US as its top global competitor. The GoM then would prove very attractive as it offered a two-fold bonus. A cash-strapped United States, riddled by its own recession, would bear the brunt of the collateral damage, resulting in heavy fines to BP, perhaps made heavier because of the state of the American economy. Secondly, BP would possibly lose its asset(s) and right to drill offshore in the GoM, a region BP considered strategic. It would allow for an information influence operation on the American public – poisoning the market against BP, but also potentially against the American government if they repeated any mistakes in their handling of an incident like the 2005 Hurricane Katrina rescue and relief effort.

America in 2008 and 2009 was already facing internal contention over deepwater drilling practices, meaning that a significant event in the region could perhaps halt production by governmental directive. Even with the contention, BP had already made history in the Gulf; in mid-2009 the Deepwater Horizon rig finished drilling the deepest oil well in history in the Tiber Oil Field off the coast of Texas. This meant that one of the top competitors for Russian oil exports was making headway in this region. America is also the largest importer of oil, so even though oil prices are a complicated affair that takes into account aspects like the economic stability of different regions and future projections of demand, any damaging effects on American production or supply could potentially increase oil prices.

In March of 2009, drilling of a new well, Macondo, was approved and scheduled to begin later that year, creating an ideal target. Realistically, in a clandestine project of such importance it is likely that Russia would have identified several GoM targets, perhaps alongside BP North Sea assets as well. Having the Gulf of Mexico in mind, Russia now needed a method for delivery. Analyzing the 2008 incident in the Caspian Sea, which was still fresh at this time, it may have been noted that one of the root causes of the blowout was a flaw in the concrete—concrete possibly provided by the same US contractor who worked for BP in the GoM: Halliburton. They may have also surmised that if the alarms and safety systems had not activated in the Caspian Sea incident, the crew may not have been capable of reacting quickly enough to prevent an explosion, thus creating a terrible ecological disaster and causing loss of life.

81 Ibid., p.87.

So, a workable option appeared to be a covert cyber-attack on rigs operating in the Gulf which disabled safety measures or created a situation where a blowout would occur. If done correctly, they could easily hide any attribution behind China (who had been actively stealing secrets from oil companies at this time), a non-state hacking group, a sporadic virus, or merely a glitch/accident. Because of the high stakes involved in any attribution to Russia, the best option would be making it purely appear to be an accident or neglect by BP and its contractors. This could be achieved by playing on known patterns and behaviors by BP that were risky. This is the type of intelligence Russia would have been intimately familiar with through its own dealings with BP and analysis of other BP safety incidents in the recent past. This blends seamlessly with the Russian concept of “Reflexive Control.”

Timothy Thomas points out in his book entitled “Recasting the Red Star” the concept of reflexive control—as Thomas puts it: “Reflexive control is defined as a means of conveying to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action.”82 Purposefully setting false alarms off in the early hours of the morning so that someone will disable them would be a good example of this. Russian hackers such as the GLEG group have demonstrated proficiency in finding exploits in ICS software by releasing the Agora SCADA+ exploit kit, which had a plethora of zero-day exploits in it.83 This demonstrated proficiency, combined with the previously noted 2009 Mario Azar incident, would suggest that the technical capability to set this in motion was readily available. After identifying several targets in the GoM, Russian operators could easily have exploited a multitude of attack vectors. Employees’ personal systems (which could have VPN access to onshore control stations or the rig directly), mobile devices like smartphones, portable storage devices such as USB drives, engineer laptops, or an onshore control center with access to the rigs could have been leveraged to gain access. Such attacks could be trivially done even with open-source or free tools such as the iconic Metasploit Framework. Metasploit’s custom payload, Meterpreter, for example, is capable of residing purely in volatile memory, often leaving few residual traces on persistent storage, if any. After identifying an entry point such as social engineering (perhaps too high profile) or, more likely, exploitation, Russian operatives could find a series of servers at the onshore control center with a long up-time or that were not regularly updated (and therefore not regularly restarted). The attackers could have leveraged these to create redundant avenues of access which run entirely in volatile memory, thus leaving minimal to no permanent traces. More likely and stable, however, would be the use of such exploitation to install a persistent backdoor. From here they could have stolen credentials or otherwise escalated privileges to gain access to the safety systems on the Deepwater Horizon and other rigs operating in the area. It is likely that the same attack vector would not have been used in every instance, to obscure any pattern analysis and diversify opportunities for success. At this point, setting off alarms in the early hours to encourage employees to disable them, impairing other safety systems and causing general instability would have been enough to subtly magnify the effects beyond a manageable level, resulting in catastrophe.
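The reflexive-control pattern described above (nuisance alarms in the early hours until someone inhibits the point) is also something an operator can look for in the alarm journal. The following is an added example, not code from the report or from any control-system vendor: it scans a constructed alarm journal (the pipe-separated layout and the tag names are assumptions) for inhibit actions preceded by a burst of off-hours alarms on the same point.

```python
"""Added example: flag 'repeated off-hours alarms, then operator inhibits the
point' in an alarm journal. Journal lines and their layout are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample; assumed layout: timestamp|tag|event|user
JOURNAL = """\
2013-03-04T02:14:07|GAS_DET_01|ALARM|
2013-03-04T02:31:55|GAS_DET_01|ALARM|
2013-03-04T03:02:40|GAS_DET_01|ALARM|
2013-03-04T03:05:12|GAS_DET_01|INHIBIT|ops_night
2013-03-04T14:20:00|PIT_LEVEL_HI|ALARM|
2013-03-04T14:25:00|PIT_LEVEL_HI|ACK|ops_day
2013-03-05T01:50:03|PRESS_LO_03|ALARM|
2013-03-05T01:58:30|PRESS_LO_03|INHIBIT|ops_night
"""

OFF_HOURS = range(0, 6)  # 00:00-05:59, the "early hours" the report mentions


def parse(journal):
    """Split journal text into (timestamp, tag, event, user) tuples."""
    rows = []
    for line in journal.splitlines():
        ts, tag, event, user = line.split("|")
        rows.append((datetime.fromisoformat(ts), tag, event, user))
    return rows


def suspicious_inhibits(rows, min_alarms=2, window_hours=2):
    """Return (tag, inhibit_time, user, prior_alarm_count) for every INHIBIT
    preceded by at least min_alarms off-hours ALARMs on the same tag
    within window_hours. Each tag is examined independently."""
    by_tag = defaultdict(list)
    for ts, tag, event, user in rows:
        by_tag[tag].append((ts, event, user))
    findings = []
    for tag, events in by_tag.items():
        for ts, event, user in events:
            if event != "INHIBIT":
                continue
            prior = [t for t, e, _ in events
                     if e == "ALARM" and t.hour in OFF_HOURS
                     and 0 <= (ts - t).total_seconds() <= window_hours * 3600]
            if len(prior) >= min_alarms:
                findings.append((tag, ts.isoformat(), user, len(prior)))
    return findings


if __name__ == "__main__":
    for finding in suspicious_inhibits(parse(JOURNAL)):
        print("review inhibit:", finding)
```

A single alarm followed by an inhibit (PRESS_LO_03 in the sample) stays below the default threshold; lowering `min_alarms` trades fewer misses for more analyst review.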

After having discussed in some detail the possibility of a state actor’s involvement, it must equally be considered that there is also plenty of evidence suggesting that this was nothing more than a tragic incident. It may also be stated that there is evidence contrary to the posed scenario. The Deepwater Horizon incident and the 2008 Caspian Sea incident before it were merely two incidents in an industry fraught with others. Additionally, two incidents—regardless of similarity—are not conclusive enough to represent a pattern. Should they be a part of a larger pattern, it is far more likely that these particular incidents pointed to a pattern of corporate neglect than anything else. The inherently dangerous nature of oil refinery work would imply that accidents and loss of life are an unfortunate reality of the industry. According to the Centers for Disease Control and Prevention, “The fatality rate for oil and gas workers in the U.S. between 2002 and 2007 was more than 29 deaths per 100,000 workers, or about seven times the average for all occupations.”84 BP is no stranger to such hazards. Deepwater Horizon, though perhaps their worst to date, was not their first prolific disaster. BP was required to pay 1.6 billion dollars in victim compensation for the Texas City refinery explosion from March 23, 2005. They were also required to pay 50.6 million dollars in fines for failing to fix the safety violations that were brought to them by OSHA before the explosion.85 These same corporate failings were present in the Deepwater Horizon incident and were brought up during the Senate hearings. This in part serves to highlight the fact that even if the incident were to be a state-sponsored attack, the impact of the loss of a single rig or small well is relatively inconsequential to the overall oil production of the victim. The timeline of the Deepwater Horizon incident also speaks volumes – the incident took place over the course of at least a year and was the product of many budget-saving decisions that were acknowledged to be dangerous by the engineers who were working on the Macondo well drilling effort. These measures and a culture of risk are likely what ultimately sealed the fate of the Deepwater Horizon. These occurrences are too intricate, whilst spread over such an extended period of time, for any one entity to have reasonably controlled them all.

82 Recasting the Red Star
83 https://ics-cert.us-cert.gov/pdf/ICSA-11-096-01.pdf
84 Centers for Disease Control. (2013, March 3). Retrieved from http://www.cdc.gov/niosh/programs/oil-gas/risks.html

It is within human nature to look for a pattern or design for an event even when there isn’t any – this can be augmented by time as more possible “clues” become apparent. For this reason such attribution which seeks out a conclusion is a slippery slope and must be approached with caution—it has a tendency to entice analysts to find facts to fit the hypothesis as opposed to a hypothesis which fits the facts. It’s important to remember that correlation does not equal causation; in fact correlation may be coincidental or the result of another unanticipated factor. Likewise the circumstantial evidence alone is not conclusive. Between 1969 and 2005 there have been over 30 separate incidents on oil rigs ranging from fires and explosions, to structural failures, some of which were blowouts not unlike the one that occurred on Deepwater Horizon. It is likely that circumstantial information about one or more of these could be strung together to provide a reasonably convincing political ‘attribution.’

Regardless of the attribution or refutation of an attack, the takeaway from the Deepwater Horizon analysis is that the oil industry is undeniably tied to the cyber domain and an attack on this sector is conceivable; that by using currently available cyber means a kinetic, violent, and instrumental outcome could very possibly be effected on a private sector by a foreign state actor or other human-based agent to gain a favorable outcome.

85 BBC News, BP agrees to pay record 50.6m fine for Texas explosion. (2010, August, 12) http://www.bbc.co.uk/news/business-10960486


Conclusion

The observation of a moderately sized cross-section of cyber events within the oil and gas industry clearly indicates that there is ongoing cyber conflict. This conflict exists in the form of espionage and sabotage, and it involves both state and non-state actors. In the case of cyber espionage, these actors are advanced in the sense that they have launched multi-year campaigns which have gone undetected as they have exfiltrated what is likely untold billions of dollars in intellectual property. Their tactics represent a formalization and ritualization of the conflict which suggests that it has been weaponized and will continue to escalate in the future. The Chinese government is absolutely involved in some capacity, and stands to gain the most out of these transactions. China will need to continue to make aggressive moves to sustain its need for oil going forward as its ability to meet growing demand becomes overwhelmed. Red October, while largely targeted at diplomatic entities, also targeted the oil and gas industry. The sophistication of the infrastructure used in Red October, as well as the methods, suggest a revolution in the type of cyber conflict that will be seen in the oil and gas industry. A majority of these groups are still active as of April 2013, even after being outed in reports released by antivirus and incident response companies over the last few years. These reports themselves represent one aspect in which non-state actors will become ever more important in cyber conflict, particularly within important industries such as oil and gas. American companies are particularly vulnerable targets to state-backed or state-owned foreign competitors who may in the future leverage their countries’ cyber forces to gain competitive advantage, or possibly develop their own.

This type of competitiveness may lead to the types of sabotage exchanges seen in the Middle East. These attacks may either have been the work of nation-states battling out policy in the cyber realm, or unconnected events with the Shamoon attacks merely being a disaffected hacktivist group expressing dissent. Regardless of origin, these exchanges are clear examples of cyber conflict of a destructive nature. Going forward, the sophistication of the viruses used in these attacks will likely only increase. Attacks like the Flame and Stuxnet viruses may be seen by American companies within the industry. The line between espionage and sabotage attacks can be somewhat blurred, with viruses being modular and having the capability to perform both: gathering intel while waiting undetected to unleash a more sinister capability. The very use of these types of malware breeds an intimacy and familiarity with them that allows for their further proliferation by the parties who were previously attacked. Even if they cannot reverse engineer them, they may understand the behaviors well enough to crudely mimic them.

As discussed at the beginning of the paper, cyber conflict is attractive. It is attractive to criminal elements, corporate elements, individuals, hacktivists, state actors, and other sundry non-state actors alike. Because of its low barrier to entry, availability, and outsized impact, the oil industry must prepare for sustained future conflict in this realm.


Appendix A - Definitions

Advanced Persistent Threat: An advanced persistent threat (APT) uses multiple phases to break into a network, avoid detection, and harvest valuable information over the long term. These phases are Incursion, Discovery, Capture, and Exfiltration according to Symantec.86

Anonymous: A decentralized group of individuals who label themselves as “hacktivists.” The individuals are a non-state sponsored group. The group frequently picks their targets based on current events or decisions of companies that conflict with an ever changing mantra of the group. The attacks perpetrated by Anonymous are frequently not complex in nature and often are designed just to restrict access to public websites through a denial of service attack.

C2: Command and Control

Cyber Warfare: “Actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”87

Dropper virus: A type of Trojan that serves to transport and extract a viral payload onto the destination system. The dropper is frequently made to masquerade as an innocuous executable; once it has executed, the viral payload has been deployed. The dropper service at this point no longer needs to be running.88

Exfiltration: The opposite of infiltration. The act of secretly stealing information from the enemy’s control. It is a form of espionage.

Malware: A generic term used to describe software designed to cause malicious actions on a computer system. Trojans, viruses, and worms are examples of types of malware.

Reflexive control: “A means of conveying to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action.”89

SCADA: Supervisory control and data acquisition systems are a type of industrial control system usually deployed to monitor systems over long distances.

Spear phishing: The process of attempting, often through email, to acquire someone else’s user information. This is achieved through social engineering and often involves sending emails that appear to be from a known and trusted individual.

Trojan: A type of computer malware that does not replicate; rather, its primary function is to allow unauthorized access to the computer systems, steal information, or cause harm to the infected system. A Trojan often presents itself as an innocuous file, thus tricking the user into executing it.

Virus: A type of computer malware that is able to self-replicate and infect multiple systems. The replication is usually tied to a human interaction.

86 http://www.symantec.com/theme.jsp?themeid=apt-infographic-1
87 Clarke, R. A. and Knake, R. K. (2010). Cyber War: the next threat to national security and what to do about it. New York: Ecco/HarperCollins.
88 Symantec. (2012, April 26). Trojan.Dropper. Retrieved March 9, 2013, from Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2002-082718-3007-99
89 Thomas, T. (2011). Recasting the Red Star. Fort Leavenworth: Foreign Military Studies Office.