CERIAS Tech Report 2013-9
Crude Faux: An analysis of cyber conflict within the oil & gas industries
by Kambic, K., Aurthor, K., Ellis, W., Jensen, T., Johansen, K., Lee, B., Liles, S.
Center for Education and Research in Information Assurance and Security
Purdue University, West Lafayette, IN 47907-2086
Crude Faux
An Analysis of Cyber Conflict Within the Oil & Gas Industries

Authors
Jake Kambic, Kristine Aurthor, Will Ellis, Mary Horner, Tyler Jensen, Kyle Johansen, Brian Lee
Under the direction of Dr. Samuel Liles

Abstract
The oil & gas industry is a multibillion-dollar industry that has a history of conflict. As modern technology has developed, both the corporate aspects and technical aspects of the oil & gas industry have become heavily reliant on the cyber domain. The inherently insecure origins and evolution of computing has led that dependence to become a severe vulnerability. This report examines how these vulnerabilities have been exploited, and what that means to the future of the industry.

Purdue University
Cyber Conflict & Transnational Cyber-Crime Course
Executive Summary
The oil & gas industry is a multibillion-dollar industry that has a history of conflict. As modern technology has developed, both the corporate aspects and technical aspects of the oil & gas industry have become heavily reliant on the cyber domain. The inherently insecure origins and evolution of computing has led that dependence to become a severe vulnerability. Recent events have brought this fact to light with a deluge of "cyber attacks" launched globally against the industry. These attacks raise the specter of cyber conflict and the question of culpability. This report seeks to analyze a selection of these events, looking for patterns that would indicate one or more advanced actors. By observing the motives, means and opportunities presented to actors, and looking at a cross section of these attacks over time, conclusions will be drawn as to the past, present, and future of cyber conflict within the industry.
The US Army notes in their Cyber Concept & Capabilities plan for 2016-2028 that cyber capabilities pose a unique and attractive opportunity to an inferior enemy to gain temporary equivalence with a superior enemy through the use of cyber. This applies not only to nation states, but non-state actors as well. There are several factors compounding this issue:
- Unfettered access to the infrastructure and tools used to conduct cyber operations by anyone
- A low barrier to entry fiscally and limited experience required to achieve an outsized impact
- A high and attractive return on investment
- Plausible deniability due to issues with attribution
These facts make it highly likely that multiple foreign agencies as well as powerful corporate denizens have used and continue to make use of cyber capabilities to effect favorable outcomes.
Methods: Using OSINT techniques, information was gathered from government websites, corporate websites, news agencies, and search engine queries. This information was then synthesized and scrutinized for possible links and attribution. By looking at the surrounding geopolitical events, gains and losses as well as indirect outcomes, events can be correlated and attributed to actors which possess the means, motive and opportunity to do so. The primary purpose is to analyze the event regardless of attribution. Because of the nature of open source information, biases are naturally introduced which must be acknowledged, if not accounted for.
Events: Incidents were selected based on relevance and their timeliness, along with other factors discussed in the methodology. Incidents were largely grouped into one of three categories: espionage, sabotage, and incidental/miscellaneous. While these incidents do not qualify as warfare by the Clausewitz definition, they are a form of conflict.
Cyber Espionage: There is significant evidence of protracted, insidious espionage carried out by a state actor within the cyber realm. China has likely launched hundreds of cyber attacks against the oil and gas industry since as early as 2002. With the advent of Red October, they may not be the only actors in the game. With a level of sophistication not yet observed publicly in this realm, Red October could represent an evolution of China's current techniques, or another actor entering the game. By looking at some of the technical aspects of the events, a link was established between Byzantine Candor and APT1, as well as a possible link between the Mirage campaign and the Elderwood Project.
Sabotage: The Middle East has seen perhaps the most evidence and variety of cyber conflict of all. While staying away from events which do not directly relate to the oil industry, a series of sabotage incidents using cyber as the medium are examined. It is possible that these events were salvos between nation states in an example of bidirectional conflict. If this is not the case, and incidents like Shamoon were simply the act of non-state actors, then it represents affirmation of the relevance of non-state actors in future cyber conflict. This is only logical since most of America's critical infrastructure is controlled by the private sector, and economic influence can be leveraged to gain great power.
Incidental: By taking an adversarial look at the Deepwater Horizon oil spill, an example of how a state actor could act in a violent, kinetic way against a non-state actor through cyber while remaining anonymous is examined through a vignette. It is determined that while the Deepwater Horizon spill was not an attack, it easily could have been. This type of conflict is both deadly and catastrophic, and while it is unlikely to be used lightly, it sets the tone for possibilities going forward.
Conclusions:
Based on the observed events, the possible threat actors, and the correlation of these events, it appears that there is ongoing cyber conflict within the oil industry. The correlation of several incidents has shown coordinated attacks by an advanced foreign threat actor against multiple entities with the use of espionage. It has also suggested the possibility of more destructive attacks, and pointed out the benefits to both state actors and non-state actors within the oil industry. In some cases there has been an obvious alignment of political, strategic, operational, and tactical goals and principles to effect favorable outcomes. The culmination of these findings is that there are many threat actors who are currently engaged in, or may be engaged in, ongoing conflict which may have the potential to escalate. This should be both a primary concern and a cause for future research and analysis.
Introduction
Recent events of national significance within the oil & gas industry have brought to light both the question of defining threat sources and that of plausibly attributing known events to a threat source. The unprecedented rise in cyber events begets the question of whether this is incidental to the continued advancement of technology, or suggests an ongoing conflict that may escalate. This report will aggregate relevant events, present criteria for outlining threat origins, and determine the likelihood that the incidents are related. It also seeks to determine whether or not any observed correlation points to a persistent aggressor or simply circumstantial coincidence. The purpose of this analysis is to provide decision-makers with a clearer idea of the current security outlook for the oil and gas industry, and pinpoint what current and future causes for concern appear to be. All events and presented options should be considered cautiously and as empirically as possible; any assumptions that are made will be explicitly stated.
Timeline of Events
One of the first priorities is to outline a timeline of events which have occurred and then examine what significance they may have or relationships they may share in order to scope the conversation. These events will constitute the frame for the analysis. Events were chosen after a preliminary overview of content from open sources such as established news media sites, oil & gas company websites, Google query results, government bulletins, and technical reports by security companies. From this brief overview, events within the oil and gas industry which exhibited a "cyber" component were selected. These events are not meant to be all inclusive, and due to the entirely open source nature of the resources, the vantage point on the information may be biased and in many instances is likely incomplete. However, even an incomplete view may contain enough information to identify significant patterns, and by acknowledging the quality concerns with the information, a more accurate and objective analysis may be performed. Below is a timeline of observed events which will be discussed in greater detail. The timeline will list the event and the apparent target of the event.
[Figure: Significant Open-Source Cyber-Related Incidents within Oil & Gas Industries (2008-2013)*. Events are categorized as Cyber Espionage, Sabotage, or Incidental/Misc. Inset panels: Top 20 Countries Proven Oil Reserves (2011, in MMbbl) and Top 5 Importers/Exporters (2011, in thousands of barrels per day): exporters SA, RU, IR, AE, NG; importers US, CN, JP, IN, DE.]

Timeline & Details of Sampled Events
- Earliest known intrusion of Shady RAT in the gas industry: sophisticated infection and data exfiltration of corporate secrets
- A disgruntled former contractor for PER intentionally disables offshore oil rig safety controls remotely off the coast of California
- McAfee starts monitoring the Night Dragon cyber espionage campaign against oil, energy, and petrochemical companies
- Symantec ties back a Google hack to a campaign referred to as the Elderwood Project that targets oil/gas targets amongst others
- Deepwater Horizon oil rig suffers catastrophic failure; control safety systems had been rendered inhibited
- BG Group Plc and CHK are alleged to be victims of sophisticated data exfiltration of corporate secrets, as reported by Bloomberg
- Talisman Energy & Halliburton Co. are targeted by the Comment Group as part of a corporate espionage campaign
- Sophisticated infection and data exfiltration of corporate secrets from unspecified oil & gas companies in Norway
- Virus infects a series of control systems on Kharg Island, Iran's main oil exportation station, causing them to shut down the terminals
- Dell's Counter Threat Unit begins tracking the Mirage cyber espionage campaign: sophisticated data exfiltration of corporate secrets
- Anonymous hackers target oil industry giants, exposing more than 1,000 email credentials
- Shamoon virus systematically exfiltrates corporate data and wipes hard drives of over 30,000 computers at Saudi Aramco
- Sophisticated infection and data exfiltration of corporate secrets from Telvent Ltd.
- Sophisticated infection and data exfiltration in Iraq of corporate secrets suspected to be part of the Night Dragon campaign
- Virus infects a series of control systems on Kharg Island, Iran's main oil exportation station, causing them to shut down the terminals
- Anonymous announces their intent to attack international oil companies in "#OpFuelStrike"
- Kaspersky announces Red October, a highly flexible cyber espionage virus which targets, amongst others, global oil & gas companies
- Mandiant releases a document entitled APT1 which implicates China's PLA-sponsored espionage, including within the oil industry
- The CSM highlights a "restricted" DHS report stating that 23 gas pipeline companies were targeted via spear-phishing
Given this dataset, a natural escalation of events appears to occur, with the frequency of incidents continuing to rise. This can partially be explained by a growing international awareness of the vulnerabilities and perils involved in internet-facing control systems of all kinds; as events occur, they garner additional attention and therefore induce additional incidents.
However, there are other interesting observations to be made from this data. Largely, the incidents of great note have occurred in either North America or the Middle East. When considering that three of the top five oil producing countries are in these regions (Saudi Arabia, the United States, and Iran), this is not surprising. Yet substantive reports of similar incidents are markedly absent in the other two of the top five oil producing countries (China and Russia), and this is noteworthy. The argument could be made that this is due to language barriers and tight control on information dissemination, but it is improbable that a significant incident would have gone entirely unnoticed by all media outlets. As the incidents themselves make apparent, human threat actors are involved, and what remains to be identified is whether there is the complexity, overarching coordination, or recurring threat source that would point to an advanced threat such as a state actor or complex non-state actor.
Before continuing with the possible attribution of events, some base discussion and criteria for the threat sources must be established. A threat source is considered to be a human-based or natural entity which possesses a capability that aligns with an unmitigated vulnerability. The threat sources which will be considered must meet the minimum requirement of having both the motive and the means to carry out the attack. Once a hypothesis consisting of these elements is established, it will be scrutinized to determine whether or not the events surrounding the incident or series of incidents align in any obvious political, strategic, operational and tactical manner. The means in this case consists of both the opportunity and the technological capability to cause the incident to occur, and the motives that will be considered are economic gain, retribution, or political agenda (to include ideology).
The US Army notes in their Cyber Concept & Capabilities plan for 2016-2028 that cyber capabilities pose a unique and attractive opportunity to an inferior, asymmetric enemy to temporarily gain equivalence with a superior enemy because of its relatively low initial cost, high return on investment, and plausible deniability due to issues with attribution. Because of this fact, it is highly likely that multiple foreign agencies as well as powerful corporate denizens have used and continue to make use of cyber capabilities to effect favorable outcomes. The rest of the report will attempt to substantiate this claim through critical analysis.
Methods
To reach the conclusions presented in the ensuing report, incidents were collected and chosen based on the inclusion of cyber either as the medium for the event, or as some component factor that played a direct or otherwise instrumental role in the outcome. After collecting a sampling of incidents into a dataset, these incidents were examined and several directly attributable features/impacts were taken into account, including:
- The victim(s) targeted
- Evidence of cyber involvement
- Economic losses
- Fatalities incurred
- Geopolitical impacts
Beyond the direct impacts, it was also necessary to consider possible indirect "ripple" effects. For example, it could be important to consider something like the prices of crude oil prior to and after a given incident. A circumstance may be such that particular companies or countries unaffected by the incident would find themselves benefiting from a ripple effect like higher crude prices. Other effects to identify include changes in the status of the involved companies throughout an incident. This could involve looking at earnings reports, the selling or buying of assets, or any legal actions the company is involved in, as well as contextual events that are significant or contentious and occur directly prior to or after an incident.
Through the investigation of these outcomes and contexts, there is the possibility of finding correlations between various incidents. These correlations may be made plain by observable patterns among the details of the events. An observed pattern may suggest a recurring actor; these patterns include tactical and methodical similarities between alleged attacks, recurring targets, entities that directly or indirectly benefitted or incurred losses as an outcome, and geographic dispersion or closeness of the events. In cases where an attack is apparent, tactical elements such as tools were scrutinized as well, as a means of attribution. For example, a tool may unintentionally exhibit cultural tendencies such as the language used, colloquialisms, idioms, religious preference, and recurring personal habits of the creator or operator. These signatures coupled with aspects of the tactical assets like exclusiveness (as in the case of a purchased domain used as a C2 point) can significantly raise the confidence level of an attribution.
Possible actors in the cyber exchange can ostensibly be identified from these correlations. If it is determined that the incident was an attack, motives of the potential actors can be considered. A key element of this that should be considered is any precedence for the attack. The history of political relationships between countries, such as any expressed hostilities or allegiances and treaties, may also prove relevant. History also tells us that most conflicts arise over the acquisition of resources. As such, the energy resources and requirements of nation-states must be analyzed. For example, is the entity being examined a major importer or exporter of oil? Is the entity capable of energy self-sufficiency? Or has the country been experiencing a major influx in energy demand? This information can then be aggregated and synthesized into a more informed view of the event.
A final major component of the analysis was the examination of whether the motives and methods align with the actor's strategic culture. This includes defining the overall strategic theories that the country adheres to and goals it desires to accomplish. As mentioned earlier, the tactics employed during the attack can be incredibly potent as an attribution mechanism: if an attack is far removed from a nation's capabilities, it is less likely that they were involved in the incident. Likewise, if the tactics are within a given nation's technical prowess and follow established patterns exhibited by that nation, it significantly improves the confidence in attribution. However, caution was taken when attributing tactics to actors, as deception is a common element in many cyber warfare strategies. Therefore, tactical similarities or dissimilarities alone do not implicitly identify or rule out a given actor.
Biases
The nature of OSINT gathering poses obstacles to objective analysis. While gathering the data, it should be noted that there are source biases. All of the sources used are open source, and as such the provenance of the information cannot always be independently verified. The information itself may be legitimate, but presented in an incomplete or skewed manner. It is also likely that not all of the details of the collected incidents are available. In some cases the companies reporting the incidents, such as Symantec and McAfee, are not legally disposed to divulge select information about their customers. Another limitation is the information available about incidents that occurred in foreign countries. Due to tighter control over journalism or language barriers, other countries are likely not releasing full details from incidents that have occurred, or not doing so in languages familiar to the authors. In some cases, entire events may not be released to the public, either by foreign governments or the companies themselves.
In order to address the above concerns, several methods were used. Data was gathered from established, and ideally trustworthy, sources. This includes reports from reputable news sites, company or government publications, or scholarly papers. Also, every effort was made to track down the original source of the information found in reports, or cross-examine it with other sources. Multiple sources were found wherever possible and scrutinized in order to obtain corroborating data. Of equal interest is information which was contradictory between sources. These contradictions were presented and addressed where appropriate.
Finally, despite evidence found in support of any given actor, alternate hypotheses must be considered. As with any intelligence gathering, there is the possibility of error, whether information is misreported or taken out of context, and this is especially true of OSINT. The purpose was not to select an outcome and attempt to support it but rather to find refutation as well. Information that may exculpate a particular actor was thoroughly considered. Although human error is common in cyber incidents, it is important to determine whether the error was taken advantage of by others.
Cyber Espionage
One of the most easily distinguishable patterns on the above timeline is the growing frequency of reported cyber espionage. This saga of long-term campaigns has been garnering a lot of attention, and with good reason. Some have asserted that certain campaigns have existed since the early 2000s¹, yet their existence has only recently come to light in the private sector. The damage caused by these types of breaches is difficult to estimate because it occurred over such a long time span, but in some cases terabytes of data were stolen over the period of a few months.² When taken in relation to the oil industry, where proprietary information like bid exploration data is the lifeblood of the organization, this can be a disastrous blow. However, while campaigns like "Night Dragon" are pointedly targeted at the oil industry, others are far more encompassing in their breadth and appear more disparate.
Establishing a baseline or pattern within this industry alone excludes a large and potentially useful amount of context. Not only were most of these cyber espionage campaigns larger in scope than simply the oil and gas industry, but some also completely excluded it. Interestingly, there are other cyber espionage campaigns not listed in the timeline (such as the infamous Flame and Mahdi viruses) that target countries with some of the largest oil reserves in the world, but the attacks themselves were not targeted at the oil & gas industries.
Given the sheer number of incidents, it would seem likely that there is more than one source, yet the technical data available seems to suggest otherwise. It is clear that these incidents represent a huge danger to the profitability and competitiveness, even the future success, of victim companies; yet these consequences carry with them some level of inherent attribution. The very nature of proprietary information means that if an entity who had acquired it were to use the information, it could identify them as having a connection to the incident, whether directly or through a third party. Also, attacks of this scale require some level of organization that manifests itself in the form of repeated patterns of behavior and resource usage that can suggest a common origin. This organization coupled with the resources and expertise necessary to process and analyze the exorbitant volume of stolen information leads to a high likelihood of state actor or organized criminal involvement.
One of the largest difficulties present in identifying the provenance and totality of these attacks is that there is no publicly available aggregation of the body of information collected on the various APT activities. Instead, antivirus & incident response firms, which have the best vantage point on the situation, are providing separate reports in which they use their own colloquial names and terms for the attacks, the tools, and the campaigns. This creates overlap, where campaigns with different names may in fact be part of the same campaign, and the technical data that is otherwise separated across the reports could together represent a more apparent pattern. Only one report, the Mandiant APT1 report, included a brief table noting that they had compared some of the other attacks and ruled out APT1 as the culprit. Additionally, these firms are entrusted with the safeguard of their customers' information, and so often will not release the full extent of what was found, nor a definitive list of victims, adding to the obscurity. These sources also introduce their own biases which must be accounted for.
For this reason, what follows is an overview of the various reports that mention the oil and gas industry as targets, and an analysis of important technical aspects and goals of these campaigns. Through this analysis, hopefully a more complete view of the action may be obtained to see if the goals, resources, techniques, and time frames exhibit commonality between attacks.
1 Mandiant, APT1 (Feb 13, 2013). Retrieved from http://www.mandiant.com/apt1
2 Ibid.
Oil/Gas Inclusive or Specific Campaigns
'Countries with Companies Affected' lists only countries where oil and gas companies were compromised.
Campaign: Night Dragon
Publisher: McAfee
Published: Feb 10, 2011
Earliest Date: "[Attacks have been ongoing for] at least two years, and likely as many as four" (circa 2007-2009)
Purpose: Exfiltration of "competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations" & collection of data from SCADA systems
Entry Method: Social Engineering, Spear Phishing, SQL-injection
Countries with Companies Affected: U.S., Taiwan, Kazakhstan, Greece
Synopsis: The Night Dragon report released by McAfee was somewhat of a seminal event in that it was the first well known release of a fairly detailed APT analysis and technical attribution. The attacks conglomerated in Night Dragon were nearly all conducted against unspecified "global oil, energy, and petrochemical companies." The attacks followed a methodical series of steps:
1. Using SQL-injection to obtain access to an extranet server, or using spear-phishing against "mobile worker laptops" and "compromising corporate VPN accounts" to obtain access to the company intranet
2. Uploading common hash dumping tools & password cracking tools to harvest Active Directory credentials to gain access to sensitive desktops & servers
3. Access sensitive documents
4. Upload RAT malware to exfiltrate sensitive data
5. Move laterally
McAfee was also able to identify much of the generic malware used, and communications techniques. They also suggested that the attackers worked between 9:00am and 5:00pm Beijing time during weekdays, and that most traffic was originating from the Shandong Province of China.
Campaign: Elderwood
Publisher: Symantec
Published: Sept 06, 2012
Earliest Date: December 2009
Purpose: "the wholesale gathering of intelligence and intellectual property"
Entry Method: Watering-Hole attacks, Spear Phishing
Countries with Companies Affected: Undisclosed
Synopsis: Symantec observed a group it refers to as the Elderwood gang operating a concerted campaign against a variety of industries including an undisclosed oil and gas company. Symantec also asserts that these are the same hackers who operated in the "Aurora" campaign against Google in 2009. This campaign is unique to some degree in that it used a high number of zero day exploits in Adobe Flash and Microsoft's Internet Explorer. While it appears that the attackers used spear-phishing (via email), their primary technique was the use of a "watering-hole" attack whereby they attack websites known to be frequented by the target using techniques such as SQL injection, and upload malicious files to these websites. The target then visits the site and gets infected. This is interesting because the target does not have any indication that it has been compromised, but the number of overall infections goes up because of untargeted victims which also visit the site. This attack requires the attackers to find a security vulnerability in the desired website after selection, requiring more technical skill than some of the other campaigns initially exhibit. Symantec believes that the exploits were packed with a Trojan and Command & Control (C2) server address using a platform that gives the group its name: "Elderwood."
Campaign: Shady RAT
Publisher: McAfee
Published: August 02, 2011
Earliest Date: July 2006
Purpose: Exfiltration of "a historically unprecedented transfer of wealth—closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more"
Entry Method: Spear Phishing
Countries with Companies Affected: U.S.
Synopsis: This report released by McAfee discusses a RAT they claim to be incredibly prolific, infecting a variety of industries across multiple countries. The report itself is very sparse on any technical details or evidence, largely lacking substance. It provides a list of victims by industry and their country of origin. It also provides a detailed timeline for the attacks.
Interestingly, Eugene Kaspersky heavily criticized the report for being alarmist and skewed, stating that many of the conclusions were presumptive.
Campaign: Mirage
Publisher: Dell SecureWorks
Published: Sep 18, 2012
Earliest Date: April 2012
Purpose: Theft of "intellectual property and company secrets"
Entry Method: Social Engineering, Spear Phishing, SQL-injection of web servers
Countries with Companies Affected: Philippines, Canada
Synopsis: Dell SecureWorks gives a fairly good collection of technical details about the campaign they've dubbed "Mirage" for the string used to connect to the C2 server by the Remote Access Trojan, but largely they focused on studying the tool, not monitoring the APT activity. Some points of note are the use of HTRAN (a relay that Dell's Counter Threat Unit asserts was developed by the Honker Union of China, or HUC) for relaying, and the registration of a few domains to an email address ([email protected]) and IP ranges in China.
Campaign: Red October
Publisher: Kaspersky
Published: Jan 14, 2013
Earliest Date: May 2007
Purpose: "gather intelligence from the compromised organizations"
Entry Method: Social Engineering, Spear Phishing, SQL-injection of web servers
Countries with Companies Affected: Azerbaijan, Belarus, Turkmenistan, UAE
Synopsis: Red October is a sophisticated espionage network very much unlike other attacks which had been reported. While for the most part the targets were diplomatic, there were several instances where Kaspersky noted that oil and gas industries had been targeted. The attack used domains registered to Russian email addresses, and the IP ranges identified were serviced by largely German and Russian ISPs; however, Kaspersky believes that the three "mothership" C2 servers identified are actually themselves proxies for an as yet unidentified C2 server which could then be operating nearly anywhere. A salient point is that Red October made use of exploit code that was "created by other attackers and employed during different cyber attacks. The attackers left the imported exploit code untouched, perhaps to harden the identification process." Additionally, Red October is somewhat unique amongst attacks that targeted oil and gas in that it is capable of stealing information from a variety of embedded devices such as phones and routers.
Campaign: APT1
Publisher: Mandiant
Published: Feb 19, 2013
Earliest Date: 2004-2006
Purpose: Exfiltration of "competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations"
Entry Method: Spear Phishing
Countries with Companies Affected: Undisclosed
Synopsis: The APT1 report is perhaps the most detailed report to date. They also minced no words, directly accusing China as a state actor of engaging in cyber espionage. Researchers at Mandiant tracked back activities of an APT group they referred to as APT1 to the Chinese PLA Unit 61398 with relatively solid evidence. They even went so far as to report the building which they believed APT1 was operating out of, and unmask three operators – UglyGorilla, DOTA, and SuperHard – giving possible real names, online personas and other identifying information about them. APT1 operated over half a decade at least, stealing "hundreds of terabytes of data from at least 141 organizations," often conducting such operations in parallel. The attackers maintain access to a given network for nearly a year on average. The attackers operated during the 9:00am to 5:00pm Beijing time workday and they followed a fairly strict methodology of attack, similar to the one noted in the Night Dragon report:
1. Initial reconnaissance
2. Initial compromise of a system, largely through spear phishing
3. Establishing a foothold in the network through Trojan dropping to a C2 server
4. Escalating privileges through credential harvesting
5. Internal reconnaissance of the network and
While Mandiant generically refers to energy companies, one of the trojaned files they note was used in the spear phishing attack bears the name "Oil-Field-Services-Analysis-And-Outlook.zip" which really ties. Mandiant notes that APT1 is also referred to as the Comment Group, a name given for the communications method used by their RATs, which would set attributes in web pages as a means of C2.
Campaign: Byzantine Candor
Publisher: Bloomberg
Published: July 26, 2012
Earliest Date: 2002
Purpose: "the biggest vacuuming up of U.S. proprietary data…ever seen"
Entry Method: Social Engineering, Spear Phishing
Countries with Companies Affected: U.S., United Kingdom
Synopsis: An exposé run by Bloomberg in 2012 chronicled the undertakings of a security research coalition which decided to track one of the largest cyber espionage groups operating out of China. Bloomberg claims that US intelligence had been keeping tabs on the group for years, which they referred to as Byzantine Candor. In the same breath, Bloomberg notes that the group is often referred to as the "Comment Group." Bloomberg journalist Chloe Whiteaker also published a short but technical article that detailed some of the Comment Group's activities and tools. The report included an infographic that identified oil and gas victims of the Comment Group.
[Figure: Report Based Attack Timeline, 2002-2013. Campaigns plotted by active period: Byzantine Candor, Red October, The Elderwood Project, APT1, Night Dragon, Mirage, ShadyRAT.]

Technical Similarities
Between the campaigns identified above, there are a few technical similarities that arise. As was already addressed, these attacks have been selected for one common thread they share – targets within the oil and gas industry. Other similarities between them will now be scrutinized to find any additional links. This is not intended to suggest that the same group is behind every attack, but rather to identify tactical and operational similarities that would point to a unified source of training or control.
One of the most obvious similarities between all of the attacks is the motive: the large scale theft of corporate data. The methodology of data extraction is very similar between Night Dragon, Shady RAT, Elderwood, APT1, and Byzantine Candor. One note on this is that although the attacks all followed a similar methodology, this very methodology is common in the network penetration world, and so not entirely unique. Slides from a presentation given by SANS affiliate James Shewmaker in 2008 highlight this methodology in brief: Reconnaissance, Port/Vulnerability Scan, Exploitation, and Repeat from the new vantage point. The only thing largely different is that the data exfiltration occurs after exploitation – that, and the attackers were working from the outside initially, so they used social engineering to get in. With that said, the fact that the majority of these used highly targeted spear phishing and exfiltrated similar data using RATs is not to be discounted. Additionally, these attacks all appear to be operating out of either Beijing, Shanghai, or Shandong Province.
The data below will show that Byzantine Candor and APT1 are one and the same – they share operators (UglyGorilla) and unique technical infrastructure like Fully Qualified Domain Names (FQDNs). Mandiant tied APT1 back to the PLA, and a. Mandiant even acknowledges the article written by Bloomberg in their report, and identifies the "Comment Group" as an alias.
IP Addresses & Origins
While about half of the reports omitted IP ranges, the majority of IP address ranges mentioned came from service provided by China Unicom to one of two locales: Beijing or Shanghai. The major exception to this is Red October, which largely had IP address ranges coming from Germany and Russia. Excluding Red October, in cases where ranges did not come from Beijing or Shanghai, they were often identified as hosts that were compromised and used as proxies loaded with tools such as HTRAN.
Night Dragon | Elderwood | Mirage | Red October | APT1
Night Dragon: [unspecified IP range – most C2 servers operating out of Heze City, China]
114.240.0.0/20  141.101.239.225  223.166.0.0/15  178.63.208.49  58.246.0.0/15
112.64.0.0/15  139.226.0.0/15  114.80.0.0/20  101.80.0.0/20
Interestingly, Night Dragon, which does not provide a range of IP addresses, offered instead that an individual operating out of Heze City, Shandong, China was responsible for providing the C2 servers through his company. An article published in the Wall Street Journal notes that McAfee identified this individual as “Song Zhiyue.”[3]
Domains
A full list of domains retrieved from the various reports can be found in the appendices. Of the domains which appeared in the reports, only matches between APT1 and Byzantine Candor were identified. The rest were inconclusive, as some of the reports did not include FQDNs and others which did include them did not provide a full list. Additionally, a large portion of the attacks made use of Dynamic DNS services, where the parent domain is not inherently malicious, but subdomains may be used by service subscribers for their own purposes without policing.
Registered domains common between APT1 & Byzantine Candor
*.hugesoft.org
www.arrowservice.net
www.blackcake.net
www.dnsweb.org
www.globalowa.com
www.purpledailt.com
www.worthhummer.net
www1.earthsolution.org
[3] Hodge, N. & Entous, A. (Feb 10, 2011). Oil Firms Hit by Hackers From China, Report Says. Retrieved from http://online.wsj.com/article/SB10001424052748703716904576134661111518864.html
wwwt.infosupports.com
With that said, there is another somewhat tenuous connection between two of the campaigns: Mirage and Elderwood. Night Dragon is not the only instance where an individual in China is charged with providing infrastructure to the attackers via their business – HBGary authored a report in the wake of Operation Aurora which implicated a business called Bentium operating 3322.org out of Changzhou, and a man named Peng Yong, as providing dynamic DNS services to the attackers.[4] Operation Aurora was tied to Elderwood in Symantec’s Elderwood Project report and elsewhere. Dell SecureWorks, which authored the Mirage report, also authored a piece known as the Sin Digoo Affair.[5] The connecting factor between the Sin Digoo affair and Mirage was that an operator reused several email addresses ([email protected] & [email protected]) and infrastructure between them. The C2 servers used a Dynamic DNS service operated by 3322.org. The Sin Digoo Affair also ties these back to Gh0stNet via 3322.org, and to the RSA breach based on the reuse of IP address blocks belonging to the “China Beijing Province Network (AS4808).” Peng Yong also owns other domains tied back to malicious use both in Aurora and elsewhere. According to Steve Ragan of the Tech Herald, Peng Yong is possibly the author of the CRC function used in some of the Aurora malware.[6]
It is entirely possible that 3322.org was providing services to multiple separate APT groups; it is, after all, a fairly successful Dynamic DNS service which has been documented in other malware cases. However, Peng’s level of involvement in the Aurora campaign should be scrutinized. Interestingly, the Sin Digoo report also attempts to identify the jeno_1980 account, which had the alias “Tawnya Grilith” attached to it. In the process of their investigation, they tied the account back to an operator going by the screen name “xxgchappy.” They also found a piece of malware ostensibly written by xxgchappy appearing to date back to March of 2002. This is potentially significant because it is the time frame around which the leaked US embassy cable had noted possible PLA cyber espionage activity. Malware used by this actor, which also appears in Mirage and Gh0stNet, was discovered in 2011 and 2012 to have infected government ministries in Vietnam, Brunei, and Myanmar. Additionally, there are a few infected victims in Europe and the Middle East belonging to “government ministries in different countries, an embassy, a nuclear safety agency, and other business-related groups.”[7] This is of interest in part because Red October also targeted government ministries and embassies.
However, in order to more fully analyze any connections between the domains that were listed in each of the reports, the whois and ARIN records could be examined. The contact information could then be cross-referenced to find similarities. Unfortunately, many of the domains had their contact information scrubbed or have since changed hands in the wake of the reports being released, so an analysis at this point would be erroneous and incomplete at best.
A final note on domains is that many of the reports did look for registrant information – in the case of APT1 for instance, many registrants blatantly put China as their place of origin, or poorly masked this fact by misspelling the places they chose or including a Shanghai phone number. In the case of Red October, however, all registrations with the exception of one were done with “.ru” email addresses, and addresses were not reused as had been the case in other instances. This signals a much more concerted effort to remain anonymous, and a level of professionalism not seen in the other attacks.
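The cross-report matching the IP and domain sections above describe (FQDNs shared between APT1 and Byzantine Candor, a shared Dynamic DNS parent as a weaker signal, and a single reported address falling inside a range another report lists) as an added Python example; this is not code from the report or from any vendor it cites. The indicator lists are constructed from values quoted on this page plus labelled placeholders, and the two-label registrable-domain rule is an assumption.

```python
import ipaddress
from itertools import combinations

# Dynamic DNS parent zone named on this page. A shared parent is a shared
# *provider*, not a shared actor: any subscriber may register a subdomain.
DYNAMIC_DNS_PARENTS = {"3322.org"}

# Constructed sample: FQDNs and ranges quoted in the text, plus labelled
# placeholders where the page gives no full list.
INDICATORS = {
    "APT1": {
        "domains": ["hugesoft.org", "www.arrowservice.net", "bigish.net"],
        "ips": ["58.246.0.0/15", "112.64.0.0/15"],
    },
    "Byzantine Candor": {
        "domains": ["*.hugesoft.org", "arrowservice.net", "www.blackcake.net"],
        "ips": [],
    },
    "Mirage": {
        "domains": ["placeholder-host.3322.org"],   # constructed subdomain
        "ips": ["223.166.0.0/15"],
    },
    "Elderwood": {
        "domains": ["placeholder-host2.3322.org"],  # constructed subdomain
        "ips": [],
    },
    "Telvent notification": {
        "domains": ["hugesoft.org", "bigish.net"],
        "ips": ["58.247.10.20"],                     # constructed single address
    },
}


def registrable_domain(fqdn: str) -> str:
    """Collapse host labels the reports prepend (www, www1, wwwt, '*') so
    that variants of one registered domain compare equal.
    Assumption: the registrable domain is the last two labels; production
    code should consult the Public Suffix List instead."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domain_set(campaign: str) -> set:
    return {registrable_domain(d) for d in INDICATORS[campaign]["domains"]}


def shared_domains(a: str, b: str) -> list:
    """Registered domains common to both campaigns, Dynamic DNS parents
    excluded (those are reported separately as a weak signal)."""
    return sorted((domain_set(a) & domain_set(b)) - DYNAMIC_DNS_PARENTS)


def shared_dynamic_dns(a: str, b: str) -> list:
    """Dynamic DNS parents both campaigns used: infrastructure overlap only."""
    return sorted(domain_set(a) & domain_set(b) & DYNAMIC_DNS_PARENTS)


def networks(campaign: str) -> list:
    # strict=False tolerates host bits; a bare address becomes a /32.
    return [ipaddress.ip_network(s, strict=False) for s in INDICATORS[campaign]["ips"]]


def overlapping_ranges(a: str, b: str) -> list:
    """Pairs (range from a, range from b) that overlap, e.g. one address in a
    vendor notice falling inside a /15 another report attributes to the
    same operators."""
    return [(str(na), str(nb))
            for na in networks(a) for nb in networks(b) if na.overlaps(nb)]


def correlate(campaigns=None) -> dict:
    """Every campaign pair that shares at least one indicator, keyed by pair."""
    names = list(campaigns or INDICATORS)
    links = {}
    for a, b in combinations(names, 2):
        hit = {
            "domains": shared_domains(a, b),
            "dynamic_dns": shared_dynamic_dns(a, b),
            "ip_overlap": overlapping_ranges(a, b),
        }
        if any(hit.values()):
            links[(a, b)] = hit
    return links


if __name__ == "__main__":
    for pair, hit in correlate().items():
        print(pair, hit)
```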
[4] HB Gary. (Feb 10, 2010). Operation Aurora. Retrieved from http://hbgary.com/hbgary-threat-report-operation-aurora
[5] Stewart, J. (Feb 29, 2012). The Sin Digoo Affair. Retrieved from http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/
[6] Ragan, S. (Jan 27, 2010). Was Operation Aurora really just a conventional attack? Retrieved from http://www.thetechherald.com/articles/Was-Operation-Aurora-really-just-a-conventional-attack/9124/
[7] Stewart, J. (Feb 29, 2012). The Sin Digoo Affair. Retrieved from http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/
Revised Attack Timeline
Considering the information which was discussed and presented, below is a revised attack timeline, consolidating individual campaigns into the likely perpetrator of the attack and extending as necessary.
[Figure: revised attack timeline, 2002–2013. Actors shown: PLA Unit 61398 [APT1, Byzantine Candor], The Elderwood Project, The Beijing Group [Mirage], Red October, Night Dragon, ShadyRAT]
Events that Correlate
Using the technical data and behavioral analysis above, individual incidents of reported hacking in news media can be connected to campaigns. Below are several incidents that demonstrate strong correlation to the information discussed above.
Norway, November 2011
Norway had the most prolific series of cyber-attacks in the country’s history in November 2011.[8] As reported by Norway’s National Security Agency (NSM), more than 10 firms were targeted by an advanced persistent threat using spear-phishing attacks, many of which were in the oil industry.[9] The attacks may have been ongoing for over a year. The companies were unaware of the attacks until concerned employees reported receiving suspicious emails.
No specific information was released on the tools or malware that were used to conduct these attacks; however, NSM noted that a virus was used in conjunction with tailored spear-phishing attacks making use of trojan attachments.[10] It appeared that the purpose of the attacks was large-scale data exfiltration. As was the case in Night Dragon, the NSM bulletin suggests that the attacks varied slightly each time so as to avoid AV detection. An article by Defense News quotes NSM as stating that “the attacks have, on several occasions, come when the companies have been involved in large-scale contract negotiations.”[11] This could suggest that the attackers were privy to the negotiations. Interestingly, in 2010 Norway’s Statoil was engaged in negotiations with China Oilfield Services, Ltd. (COSL). According to the Wall Street Journal, COSL is the “oil-field services and rig-construction unit of state-controlled China National Offshore Oil Corp., the country’s largest offshore oil and gas company by output.”[12]
[8] BBC News. (2011, November 18). Hackers attack Norway’s oil, gas, and defence businesses. BBC News Technology. Retrieved from http://www.bbc.co.uk/news/technology-15790082
[9] France-Presse, A. (2011, November 18). Norwegian defense firms hacked, intel reports. Defense News. Retrieved from http://www.defensenews.com/article/20111118/DEFSECT04/111180309/Norwegian-Defense-Firms-Hacked-Intel-Reports
[10] NSM. (2011). Samme aktør bak flere datainnbrudd. Retrieved from https://www.nsm.stat.no/Aktuelt/Nytt-fra-NSM/Samme-aktor-bak-flere-datainnbrudd/
[11] France-Presse, A. (2011, November 18). Norwegian defense firms hacked, intel reports. Defense News. Retrieved from http://www.defensenews.com/article/20111118/DEFSECT04/111180309/Norwegian-Defense-Firms-Hacked-Intel-Reports
The goal of the attacks appeared to be the collection of confidential information, such as usernames, passwords, industrial drawings, and other proprietary documents.[13] This would seem to be consistent with the types of information sought in both Night Dragon and APT1. The time frame of the attack aligns with the event timeline listed in the APT1 report, and within the report there is an event appearing in Norway. This is then a convergence of time and objectives across these operations which complements the tactical similarities involving the use of social engineering, persistent backdoors, and large scale data exfiltration.
Telvent, September 2012
In September 2012 Canadian energy company Telvent was infiltrated. Telvent is responsible for supplying control programs and systems for over half of the oil and gas pipelines in North and Latin America.[14] The attackers installed malware which they used to steal project files related to Telvent’s OASyS SCADA product. According to security blogger Brian Krebs, OASyS is “a product that helps energy firms mesh older IT assets with more advanced ‘smart grid’ technologies.”[15]
The infiltration follows the same methodical approach exhibited in the Night Dragon and Norwegian intrusions. Not only was the malware difficult to detect, but it was planted using spear-phishing methods that targeted mid to high level executives.[16][17]
Perhaps the most convincing piece of evidence as to the origins of the attack is what appears to be a notification released by Telvent which identified malicious files and domains used for Command and Control (C2). The file names “fxsst.dll” and “ntshrui.dll” which appear in the Telvent notification also appear in the APT1 report, along with the domains “hugesoft.org” and “bigish.net” which are noted as mainstays of APT1 by Mandiant. Several security firms at the time also reported the belief that the attack had been perpetrated by the “Comment Group,” an alias in the Mandiant report for APT1. In fact, Mandiant actually mentioned the Telvent attack in their report under a section entitled “APT1 in the News.”
The reason the Telvent attack is so important is that it represents the possibility for departure from simply data exfiltration. Although available information indicates that the goal of the attack was stealing software, the software could just as easily have been modified and replaced. Attacking a prolific energy ICS company like Telvent means that a trojan could be planted in the software, being unintentionally distributed to Telvent’s customers and offering the perpetrator an avenue for more insidious attacks.
[12] Hall, S. (2013, December 13). China, Norway Strike Oil Deal Despite Tensions. Wall Street Journal. Retrieved from http://online.wsj.com/article/SB10001424052748703727804576016841533225226.html
[13] Ibid.
[14] Vijayan, J. (2012, September 26). Energy giant confirms breach of customer project files. Computerworld. Retrieved from http://www.computerworld.com/s/article/9231748/Energy_giant_confirms_breach_of_customer_project_files
[15] Krebs, B. (2012, September 26). Chinese hackers blamed for intrusion at energy industry giant Telvent. Retrieved from http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/#more-16936
[16] Vijayan, J. (2012, September 21). Cyber espionage campaign targets energy companies. Computerworld. Retrieved from http://www.computerworld.com/s/article/9231596/Cyber_espionage_campaign_targets_energy_companies
[17] Ibid.
Attribution
China
Perhaps the most readily apparent attribution is to China as a state actor – the APT1 report makes a convincing argument for this which offers a lot of very well constructed circumstantial evidence. Night Dragon highlights the use of a RAT known as zwShell which was used both to perform C2 and to create custom trojans. Interestingly, upon launch zwShell displays an error dialog with a hidden text field, and the program will not function unless the password ‘zw.china’ is entered into this hidden text field. The ranges of consecutive IP addresses used were large enough that it is likely that the Chinese government had to be involved in some capacity.
China certainly possesses the motive to commit the attacks – according to the Washington Times, China is already surpassing the United States as the number one oil importer from the Middle East,[18] and is poised to become the number one oil importer globally.
Increasing Demand
Chinese demand for oil has grown dramatically as its economy continues to expand. Since the mid-1990s, China has been a net importer of oil.[19] The continuous growth of the Chinese economy has resulted in vast increases in the need for fuel and petro products. China has doubled its oil consumption in the last 10 years and become the second largest consumer of oil in the world behind the U.S.[20] Like the U.S., China is now dependent on its oil imports to feed its thriving economy. It is estimated that China’s import dependency could rise to over 50% by 2020.[1]
China’s oil refineries are not capable of handling the current demand the economy is placing on them. There is evidence that the refineries used for fuel are at a competitive disadvantage when compared to other countries. To complicate matters, many Chinese oil refineries are also oriented to the making of diesel and not gasoline, which is in increasing demand.[1]
This means China is in great need of more sources of oil and more efficient refineries. The development of improved refining and mining equipment takes years and can cost millions of dollars. Exploration costs for finding new oil reserves have almost tripled in the past decade.[21] They could save billions of dollars and shave years off of research by acquiring technology from petrochemical corporations that are already heavily invested in this continuing process. It also means that China would be able to compete in the global marketplace much sooner and more competitively than if they waited to develop the technology on their own. This establishes that there are significant reasons for China to act on behalf of its own oil industry and use its state resources to conduct cyber-attacks against corporate entities worldwide.
[18] Hill, P. (March 14, 2013). China poised to top U.S. as oil buyer; increased car sales spur jump. Retrieved from http://www.washingtontimes.com/news/2013/mar/14/china-poised-to-top-us-as-top-oil-buyer/?page=all
[19] Skeer, J. (2007). China on the move: Oil price explosion? Energy Policy, 35(1), 678-691. http://discover.lib.purdue.edu:3210/purdue?ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&ctx_tim=2013-03-09T15%3A59%3A35IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi%2Ffmt%3Akev%3Amtx%3Actx&rfr_id=info%3Asid%2Fprimo.exlibrisgroup.com%3Aprimo3-Article-wos&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3A&rft.genre=article&rft.atitle=China%20on%20the%20
[20] Index Mundi. (2012). Country comparison > Oil – consumption > Top 10. Retrieved from http://www.indexmundi.com/g/r.aspx?v=91&t=10
[21] Johnson, C. (2010). Oil exploration costs rocket as risks rise. Retrieved from http://www.reuters.com/article/2010/02/11/us-oil-exploration-risk-analysis-idUSTRE61A28X20100211
China’s Oil Production
[Chart: China’s oil production in thousands of barrels per day.[22]]
As seen in the chart above, China experienced a significant increase in oil production during 2009. This spike in production could be due to information that China gained from US firms through cyber espionage actions, such as Night Dragon. The Night Dragon attacks were believed to have begun circa 2007. According to Kirk, information taken during these attacks includes market intelligence reports and information on operational production systems.[23] Similarly, the Mandiant report shows that the APT1 group has monitored Mandiant’s energy industry customers from approximately the beginning of 2009 to 2012.[24] During these attacks, APT1 would export terabytes of data from the victims to China. In tandem with these revelations, China also aggressively pursued oil supply contracts during 2009.[25] During this time major Chinese state oil companies acquired holdings in 18 different countries. China is determined to take on oil and gas infrastructure development and to acquire oil industry assets.[26]
Although there is evidence that China has been conducting cyber espionage activities against oil industry targets as far back as 2007, there is only trivial growth until 2009. This could be a result of the time and resource commitment required to process the data that was acquired. As mentioned, both the Night Dragon and APT1 attacks stole an enormous amount of data from English speaking companies. It is necessary for English-fluent operators to sift through this data and extract actionable information to report. This information would also need to be provided to experts in the field who could recognize its value, and that process would have to be done discreetly so as not to arouse suspicions. This would take time. The Mandiant report comments on the fact that there are limited English-fluent operators directly involved in the technical end of APT1, which would significantly hinder progress.[27] Considering these factors and the time frame for growth presented above, it is conceivable that the information and strategy for its use would not be available until 2009. At this point, China could act to increase the output of the holdings that they currently owned. Also, the information gained from market intelligence reports and possibly exploration reports could guide the state companies in deciding which new holdings to purchase during this time period. The new holdings would allow for increased output overall.
China’s Investments
China’s fervor for oil acquisition has not been limited to aggressive increases in holdings and contracts. These activities are likely only one piece of a global strategy to secure China’s future oil requirements, including reserves that may not be productive today or in the immediate future. This overarching strategy has apparently led to a pattern of quiet investment, which may be a direct cause for concern in America. An article appearing in the Associated Press discusses these Chinese investments in Venezuela, the country with the largest proven oil reserves as of 2011, and throughout the Caribbean and South America. The article notes that “when Venezuela seized billions of dollars in assets from Exxon Mobil and other foreign companies, Chinese state banks and investors didn’t blink. Over the past five years they have loaned Venezuela more than $35 billion.” They have similarly provided aid to countries like Ecuador, another country within the top 20 of proven oil reserves. In some cases it appears that the Chinese are making loans that the countries will likely be incapable of repaying, placing them squarely within China’s control. Many of the deals included “repayment in oil and natural gas,” and billions of dollars have been loaned directly to energy companies in Russia and Turkmenistan, both of which have been targeted in cyber espionage campaigns and are in the top 5 for proven natural gas reserves.
[22] U.S. Energy Information Administration. (2013, February 12). International Energy Statistics [Data file]. Retrieved from http://www.eia.gov/cfapps/ipdbproject/iedindex3.cfm?tid=5&pid=53&aid=1&cid=CH,&syid=2006&eyid=2012&unit=TBPD
[23] Kirk, J. (2011, February 10). ‘Night Dragon’ attacks from China strike energy companies. Retrieved from http://www.networkworld.com/news/2011/021011-night-dragon-attacks-from-china.html
[24] Mandiant. (2013, February 18). APT1: Exposing one of China’s cyber espionage units. Retrieved from http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
[25] Hayward, D.L.L. (2009, June 18). China’s oil supply dependence. Journal of Energy Security. Retrieved from http://www.ensec.org/index.php?option=com_content&view=article&id=197:chinas-oil-supply-dependence&catid=96:content&Itemid=345
[26] Ibid.
[27] Mandiant. (2013, February 18). APT1: Exposing one of China’s cyber espionage units. Retrieved from http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Although the IEA has predicted that America is moving towards energy independence and is poised to become the number one oil exporter by 2017, the loans are breeding closeness with and reliance on China by countries in close proximity to the US. This could allow the Chinese to weaken American influence in the region and create agitation against the US or between other countries within the region in order to distract the US from its goals in other areas strategic to the Chinese. These deals also place China in the supply chain for borrowers’ projects where China has insisted on Chinese companies being involved as a stipulation of the loan. These loans have not required any economic reforms to accompany them, meaning that countries which could not secure a loan from the IMF due to poor financial decisions may continue to flounder in spite of aid, perhaps even more so because of it. In the worst case scenario, these countries become unstable. While this may cause issues for the Chinese in some logistical capacities, it would also serve to divert some of America’s attention, making the situation a palatable outcome for China.
Other actors
An analysis of these events would be remiss without exploring any other possible attribution. Though unlikely, it is possible that there were other actors involved. As pointed out by Eugene Kaspersky in his criticism of the ShadyRAT report, some of the tools and techniques are generic enough to not lend themselves to attribution to a particular entity. Even the ones that are of Chinese origin do not of themselves implicate the Chinese government, only an actor familiar with how the tool works or minimally trained in Mandarin. A large portion of these tools were freely available on underground Chinese hacking sites. Chinese hacking collectives or corporations may have been independently involved. However, due to the suspicions voiced in the leaked diplomatic cables suggesting PLA involvement[28] and Mandiant’s research on the topic indicating the same,[29] it is highly unlikely that the Chinese government was not involved whatsoever. These sources, and the time frame in which the attacks occurred – between roughly 9am and 5pm consistently over a protracted period of time[30][31] – are indicative of a formalization of the activity. This is further evidenced by the resources required to carry out the attack and the Chinese government’s grasp on censorship of their citizens through technical controls. Terabytes of data infiltrating the country is unlikely to have been missed, particularly over the course of a decade of activity.
If China had been involved in any capacity in cyber espionage attacks and this had been discovered by another entity, said entity might have leveraged this knowledge to collude with them either through coercion, cooperation, or clandestinely without the Chinese government knowing. Though this may seem far fetched, a report released by a Luxembourg security firm details how, in the wake of Mandiant’s APT1 report, they decided to engage in an intelligence gathering operation on the APT groups operating out of China. By scanning Chinese IP ranges for C2 servers known to be used in the APT1 attacks and exploiting weaknesses in the attackers’ C2 infrastructure, they were able to access, monitor, and control the APT infrastructure without the adversary’s knowledge. Bloomberg also hinted at the possibility of American security firms acting in a similar way when they “exploit[ed] a hole in the hackers’ security…logging the intruders’ every move as they crept into networks...” Knowing that the Chinese were actively engaged in such operations and likely turning a blind eye to any infiltration of data, another actor operating through China and attempting to incriminate China could have engaged in cyber espionage as well. This is truly a stretch of the imagination, and there is no evidence whatsoever to support this theory. The most likely case for any attribution involves the Chinese government in some capacity.
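The working-hours heuristic cited above (activity clustering between roughly 9am and 5pm on weekdays) as an added Python example that is not code from the report: it shifts a set of event times through candidate UTC offsets and reports the offset under which the activity looks most like a working week. The timestamps are constructed, and the result is one corroborating signal among several, not an attribution on its own.

```python
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 17   # the "roughly 9am and 5pm" window the text cites

# Constructed sample (not from any report): UTC times of C2 check-ins as a
# defender might pull them from proxy logs. Most fall 01:00-09:00 UTC on
# weekdays, i.e. 09:00-17:00 at UTC+8.
SAMPLE_EVENTS_UTC = [
    "2011-03-01T01:15:00",  # Tue 09:15 at UTC+8
    "2011-03-01T03:40:00",
    "2011-03-01T08:45:00",  # Tue 16:45 at UTC+8
    "2011-03-02T02:05:00",
    "2011-03-02T06:30:00",
    "2011-03-03T01:05:00",
    "2011-03-03T07:50:00",
    "2011-03-04T04:20:00",
    "2011-03-05T03:00:00",  # Saturday: outside the working-week pattern
    "2011-03-07T02:10:00",
    "2011-03-07T15:30:00",  # Mon 23:30 at UTC+8: an after-hours outlier
    "2011-03-08T05:45:00",
]


def parse_utc(stamp: str) -> datetime:
    """ISO-8601 timestamp without zone designator, interpreted as UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def workweek_fraction(events, offset_hours: int) -> float:
    """Share of events that land Mon-Fri between WORK_START and WORK_END
    once the clock is shifted to the candidate UTC offset."""
    if not events:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    in_window = 0
    for ev in events:
        local = parse_utc(ev).astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            in_window += 1
    return in_window / len(events)


def best_fit_offset(events, offsets=range(-12, 15)) -> tuple:
    """UTC offset under which the activity looks most like a working week,
    returned as (offset_hours, fraction). Ties resolve toward the smaller
    absolute offset so the result is deterministic."""
    scored = [(workweek_fraction(events, off), off) for off in offsets]
    frac, off = max(scored, key=lambda t: (t[0], -abs(t[1])))
    return off, frac


def weekend_events(events, offset_hours: int) -> list:
    """Events that fall on Saturday or Sunday at the given offset; a formal
    unit shows few of these, a hobbyist or contractor may show many."""
    tz = timezone(timedelta(hours=offset_hours))
    return [ev for ev in events if parse_utc(ev).astimezone(tz).weekday() >= 5]


if __name__ == "__main__":
    off, frac = best_fit_offset(SAMPLE_EVENTS_UTC)
    print(f"best-fitting offset UTC{off:+d}: {frac:.0%} of events inside 9-5 Mon-Fri")
    print("weekend events at that offset:", weekend_events(SAMPLE_EVENTS_UTC, off))
```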
[28] Glanz, J. & Markoff, J. (Dec 4, 2010). Vast Hacking by a China Fearful of the Web. Retrieved from http://www.nytimes.com/2010/12/05/world/asia/05wikileaks-china.html?pagewanted=all&_r=0
[29] Mandiant. (Feb, 2013). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved from http://www.mandiant.com/APT1
[30] Ibid.
[31] McAfee Foundstone Professional Services and McAfee Labs. (Feb 10, 2011). Global Energy Cyberattacks: “Night Dragon”. Retrieved from http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
Significance Going Forward
The most important takeaway from these incidents is the significance they hold for the future of the Oil & Gas industry. Inexorably, Oil and Gas is intertwined with the Cyber domain, and will only continue to become more so as time progresses. The increased reliance on technology means that more and more data and control will be accessible to the attackers in the future. A large contingent of the attacks relied on social engineering and spear phishing as a point of entry, though there is a shift toward “watering hole” attacks. This is significant because even as technical controls get better, unwitting employees and their behavior will continue to be a focal point in targeted attacks.
Automation via SCADA/ICS has been an integral part of the Oil industry’s past and will be even more so in the future. Attacks like the Telvent attack herald an insidious turn of events for SCADA within Oil & Gas. The attackers seemed intent on stealing SCADA software, but it is conceivable that they could have taken such an opportunity to embed their own code within it, providing a capability to manipulate large swaths of North American pipeline at will. This is not meant to be alarmist, but rather considers the next evolution of attack. Leveraging malicious SCADA software to achieve a kinetic outcome is not the baseline going forward, but it is well within the realm of possibility. The nature of a capability like this means that it can only be leveraged to catastrophic effect once, so the possibility of an entity using it outside of sustained or ardent conflict is low. However, using this on a micro-scale, and degrading service or quality of service through manipulation of malicious software on the PLCs or HMIs, could be more viable in a peacetime setting, and less noticeable. This type of activity could be used at the height of negotiations or disputes to put an adversary in a compromising position, or simply to distract them.
The cyber-warfare doctrine of large nation-states like China and Russia that have a huge stake in the Oil & Gas industries is one of perpetual conflict. Timothy Thomas discusses this in his books Recasting the Red Star and The Dragon’s Quantum Leap. The idea of an “active defense” and keeping potential competitors “off balance” is the posture going forward. The concept of peace being a time without conflict is rapidly disappearing. As globalization has become the status quo and global economies become ever more entangled, the threat of a large-scale kinetic confrontation between top tier economic powerhouses is nearly strategically unviable. Instead, both state and non-state actors will use constant conflict in the Cyber realm as a method for accruing resources and exercising control. While cyber conflict often brings to mind the idea of SCADA initiated pipeline explosions, the theft of intellectual property and business communications is far more likely to continue. This type of low intensity conflict is cost-effective and politically sustainable in an environment where direct attribution is at times difficult. The idea of a constant or long term “ally” or “strategic partner” is no longer valid – coordination will be largely issue specific, and only to the extent required to achieve an end. While coordinating on one topic, nations will be in conflict on another. This is not in any way a revolutionary or new idea; however, it is becoming more and more relevant to salient industries operating within their own nation state and abroad as they become far more accessible and targetable in this type of conflict.
Non-state actors will play a huge role in future cyber conflict within the oil and gas industry. The Norway attack, which coincided with a meeting by a state-backed Oil & Gas company, may suggest that they already are playing a role. Certainly Antivirus & Incident Response companies are playing a role as non-state actors by releasing these reports. But aside from cooperation with State actors, non-state actors may operate independently against other non-state actors in pursuit of competitive advantage or sabotage. Hacker collectives like Anonymous could have an out-sized impact if more highly organized, and the attacks they have already carried out could become more severe – instead of simply releasing email addresses, they could release bid data, or attempt something more destructive akin to a Shamoon type attack.
The release of reports on APT is in a way its own form of cyber conflict; the rhetoric of these reports is an information influence operation, targeted both at potential customers and at adversaries. These reports also allow adversaries to see how they were detected and correct mistakes going forward. It is likely that future attacks will lack the types of unprofessional mistakes made during these campaigns. The embedding of personal signatures (a la UglyGorilla) or the use of passwords like “zw.china” will diminish significantly. If an attacker wished to be more anonymous, it would start to transition to open-source and generic tools exclusively – tools which are common enough that they do not provide significant attribution. Tools like the Metasploit framework provide a high degree of extensibility without offering a significant amount in the way of attribution by tool choice. If not a transition like this, then using tools stolen from other attackers or written in other languages would complicate attribution. The move within the Information Technology world toward more forensically resistant technologies such as SSDs and Cloud Service infrastructures, which make attribution and legal jurisdiction much more convoluted, will continue to be a catalyst for future attacks alongside services already in use like Dynamic DNS.
These cyber espionage attacks are likely the newly established baseline for future cyber conflict within the Oil & Gas industry. Attacks of this nature and magnitude will continue to originate from places which do not have laws against it or are complicit, including China, which has a need to secure oil dominance in the future. However, increasing international pressure will necessitate more covert action, with attackers dispersing their operators or proxies throughout large geographic areas. Non-state actors will likely present APT threats in the future, including State-backed and independent competitors.
Sabotage
Middle East, 2012
Another series of events may be connected as well, and while they bear no immediately apparent relationship, closer inspection is suggestive of the possibility of another underlying and ongoing conflict. To understand the context of the exchange, a non-oil-related cyber event must be briefly discussed. A relatively unprecedented cyber-attack came to light in 2010 when the Stuxnet virus hit the uranium enrichment centrifuges in Iran. Iran believes the attack was conducted by Israel or the United States. This attack had targeted the information networks of offshore platforms; however, they reported that they were able to defend against the attack.[32] Iran may have thought it was Israel because they had threatened to take military action if the sanctions on Tehran’s banking and oil sectors did not stop Iran from continuing their nuclear program. The attacks targeted Iran’s infrastructure and communications companies, which slowed the Internet in Iran. Israel and the United States have denied being a part of this attack.
Then in April of 2012, Iran was again the target of a cyber-attack. The Islamic republic reported that a computer virus was detected inside the control systems of Kharg Island, which controls Iran’s crude oil exports.[33] This virus began to attack several of the main Persian Gulf oil terminals in Iran, which forced the Iranian officials to disconnect them from the Internet to avoid spreading the virus.[34] This virus, known as Wiper, successfully erased information from hard disks at the Oil Ministry’s headquarters in Tehran.[35] The headquarters had apparently been the initial target of the virus. Oil Ministry officials reported that the international selling division had not been infected, but many security vulnerabilities were exposed. Iran is one of the world’s largest oil producers, and an attack could affect the market and raise oil prices globally.[36]
As with the Stuxnet worm, Iran blamed Israel and the United States for the spread of Wiper. Iranian officials believe they were targeted because of their growing nuclear program.[37] Other affected organizations include the National Iranian Oil Processing and Distribution Company, National Iranian Gas Company, Iranian Offshore Oil Company, Pars Oil and Gas, and other companies controlled by the National Iranian Oil Company.[38] The destruction of this data doesn’t provide much in the way of direct monetary gain for any criminal elements. The real advantage gained by unleashing Wiper is to put pressure on Iran by causing economic loss and reminding them that they are vulnerable. The president of the Tehran World Trade Center, Mohammad Reza Sabzalipour, believes the cyber-attack was indeed a direct message. The aim was to increase pressure so that Iran will compromise in the upcoming nuclear talks on May 23, 2012. He later states, “We are in a bloodless war. If the talks fail, Iran can expect much more of this.”[39]
[32] Erdbrink, T. (2012, April 23). Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet. The New York Times. Retrieved from http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amid-cyberattack.html?_r=0
[33] Reuters. (2012, October 08). Cyber attackers target Iranian oil platforms: official. Reuters. Retrieved from http://www.reuters.com/article/2012/10/08/us-iran-cyber-idUSBRE8970B820121008
[34] Ibid.
[35] Erdbrink, T. (2012, April 23). Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet. The New York Times. Retrieved from http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amid-cyberattack.html?_r=0
[36] Ibid.
[37] Ibid.
[38] Ibid.
[39] Ibid.
An oil embargo in concert with other economic sanctions by the United States and EU was announced in late 2011 in an effort to discourage any further Iranian nuclear activity. In March of 2012, the Obama administration announced that the market could withstand the embargo of Iranian oil, and raised US-Iran tensions over the issue.[40] Saudi Arabia had also indicated that it would boost oil exports to the US and abroad to compensate for the void that would be left by the sanctions on Iran.[41] As the fifth largest oil producer in the world, the Iranian oil industry accounts for about 20 percent of Iran’s GDP.[42] Both the embargo and the virus represent serious and direct concerns for the Iranian government.
Then in August of 2012, only four months after the embargo, a virus named Shamoon struck Saudi Arabian oil giant Aramco.[43] The virus was triggered on a Muslim holiday when most of the company’s employees were absent from work. Shamoon was designed to replace data on hard drives with a picture of a burning American flag and report the address of the computer back to a separate computer inside the company network.[44] This is potentially significant because Aramco is the world’s largest producer of oil, and was originally a joint effort with the United States (Arabian American Oil Company).[45][46] Additionally, Shamoon contained a function called “Wiper” which was responsible for the deleting of files. The name “Wiper” and the shared functionality of the two are somewhat suggestive. Interestingly, a previously unheard of “hacktivist” group identifying themselves as “The Cutting Sword of Justice” took credit for the attack, and not a nation state. They claim the virus has given them access to documents on Aramco’s computers, but none have been published yet.[47] The attack was believed to have been assisted by an insider at the company. Another note of significance about Shamoon is that the text “Arabian Gulf” was found in the code, which is pertinent because Iran has zealously guarded the title of the region as the “Persian Gulf.”[48]
Although Wiper and Shamoon share a few common characteristics, they are significantly different. Both viruses have been analyzed by Kaspersky Labs, who concluded that although Shamoon contains a wiper function that is designed to overwrite data, it is not as well-designed as Wiper and not nearly as efficient.49 The care that was taken by whoever made Wiper to ensure it did as much damage as possible in the shortest amount of time is what differentiates it from Shamoon's wiping feature. Since wiping a disk with hundreds of gigabytes of storage can take an extremely long time, Wiper was designed to target files with certain extensions or in certain folders to do as much irreparable damage as fast as possible. Kaspersky claims that Shamoon was merely a copycat virus that was "the work of script kiddies inspired by the story."50 They also claim that Shamoon was probably the work of a non-state group and that Wiper was most likely the product of a nation-state.51 Even though Shamoon was not on the same level as Wiper, it is still an impressive piece of malware that was able to do damage to important systems. Whether it was the unimpressive work of a nation-state or the work of a skilled group of non-state actors, it made an impact and had an effect on Saudi Aramco.

40 Mathews, C. (2012, Mar. 30). Obama moves forward with Iran sanctions despite oil price spike. Retrieved from http://blogs.wsj.com/corruption-currents/2012/03/30/obama-moves-forward-with-iran-sanctions-despite-oil-price-spike/
41 Flintoff, C. (2012). Sanctions may squeeze Iran…and raise oil prices. NPR. Retrieved from http://www.npr.org/2012/06/30/155993909/sanctions-may-squeeze-iran-and-raise-oil-prices
42 Katzman, K. (2012, Mar. 28). Iran sanctions. Congressional Research Service Report for Congress. Retrieved from http://fpc.state.gov/documents/organization/187388.pdf
43 Perlroth, N. (2012, Oct. 23). In cyberattack on Saudi firm, U.S. sees Iran firing back. The New York Times. Retrieved from http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all
44 Ibid.
45 Forbes (2012). The world's biggest oil companies. Retrieved from http://www.forbes.com/pictures/mef45ggld/1-saudi-aramco-12-5-million-barrels-per-day/
46 Encyclopedia Britannica (2013). Aramco. Encyclopedia Britannica. Retrieved from http://www.britannica.com/EBchecked/topic/31594/Aramco
47 Reuters (2012, Dec. 9). Aramco says cyberattack was aimed at production. The New York Times. Retrieved from http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html
48 Perlroth, N. (2012, Oct. 23). In cyberattack on Saudi firm, U.S. sees Iran firing back. The New York Times. Retrieved from http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all
49 GReAT, Kaspersky Labs (2012, Aug. 16). Shamoon the Wiper – Copycats at Work. Securelist. Retrieved from https://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work
50 Ibid.
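The design point just described, a targeted overwrite of selected extensions and folders rather than a slow full-disk wipe, also hands defenders a signature: one process overwriting many document files in a short window looks nothing like ordinary editing. The Python below is an added example and not code from this report or from any published Wiper or Shamoon analysis; it scores constructed file-write telemetry for that burst pattern. The extension list, the 60-second window, the threshold of 50 files and the sample events are all assumptions made for the illustration.

```python
"""Flag wiper-like overwrite bursts in file-write telemetry.

Added example: every event below is constructed for this illustration,
not captured from a real host. A process that overwrites many files
with document/media extensions inside a short window looks nothing like
ordinary editing, so a sliding-window count per process is enough to
surface it for triage.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: extensions a time-constrained wiper would prioritise.
TARGET_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".ppt", ".txt"}


def is_target(path):
    return any(path.lower().endswith(ext) for ext in TARGET_EXT)


def detect_wiper_bursts(events, window=timedelta(seconds=60), threshold=50):
    """Return {process: peak_count} for processes that overwrite at least
    `threshold` target files inside any `window`-long span.

    events: iterable of dicts with keys ts (datetime), process, op, path.
    """
    per_proc = defaultdict(list)
    for ev in events:
        if ev["op"] == "overwrite" and is_target(ev["path"]):
            per_proc[ev["process"]].append(ev["ts"])

    hits = {}
    for proc, times in per_proc.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window's left edge forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            hits[proc] = peak
    return hits


def constructed_events():
    """Constructed telemetry: one wiper-like process, one normal editor,
    one build job touching non-target files. Not real data."""
    base = datetime(2012, 8, 15, 11, 8)
    events = []
    for i in range(120):                     # 120 documents in 30 seconds
        events.append({"ts": base + timedelta(seconds=i * 0.25),
                       "process": "wipe.exe", "op": "overwrite",
                       "path": f"C:\\Users\\ops\\Documents\\report{i}.docx"})
    for i in range(5):                       # a person saving a file now and then
        events.append({"ts": base + timedelta(minutes=i * 7),
                       "process": "winword.exe", "op": "overwrite",
                       "path": "C:\\Users\\ops\\Documents\\notes.docx"})
    for i in range(80):                      # build output, not a targeted type
        events.append({"ts": base + timedelta(seconds=i),
                       "process": "build.exe", "op": "overwrite",
                       "path": f"C:\\build\\obj{i}.tmp"})
    return events


if __name__ == "__main__":
    print(detect_wiper_bursts(constructed_events()))   # {'wipe.exe': 120}
```

The two-pointer scan keeps the check linear in the number of events per process, so it can run continuously on a file-audit feed; the threshold should be tuned against a baseline of backup and indexing jobs, which are the usual benign sources of bulk writes.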
These insights raise the question of whether or not this was an isolated attack by a non-state actor, or whether it was one in an ongoing series of salvos between the Iranian and US cyber communities. Iran certainly possessed the motive: retribution for sanctions levied against it, and for the cooperation by Saudi Arabia, a Sunni Muslim nation which has been at odds with Shiite Iran before. Typically, however, in an act of retribution the attacker invites attribution, which Iran did not. Also, despite causing destructive action to the data on the computers, the virus did not attack the actual control systems and as a result did not manage to damage oil production. The relative crudeness of the code and the use of the term "Arabian Gulf", in concert with the insider knowledge of the hacktivist group "The Cutting Sword of Justice" and the use of an Aramco insider to facilitate the attack, could suggest that it was simply a singular attack by a non-state actor.
Iran's doctrine is one of asymmetric and proxy warfare. It has been suggested that Iran used unofficial hacker groups such as the "Iranian Cyber Army" to both defend against and engage in attacks.52 It is possible that "Arabian Gulf" was a red herring intended to further obscure the origin of Shamoon.53 Using a proxy to launch an attack aligns with Iran's strategic culture, but the exact author is not known. It is possible that Iran did not wish to engage in direct conflict, but intended to make the sanctions less viable by ensuring Aramco would be unable to supply the necessary volume of oil. If this were the case, then the attack would show a severe flaw in Iran's understanding of the oil production systems, since the control systems were not attacked instead; this should be unlikely given Iran's own expertise in oil production. Alternatively, it may have been intended to send a message advertising the capability while not crossing a direct line by inflicting significant infrastructure damage. This, however, is pure speculation and not empirically derived analysis. If Iran did in fact orchestrate the Shamoon attack, it would suggest that the series of attacks on Iranian critical infrastructure were followed by retaliation on the American oil supply chain. This would indicate an ongoing and escalating conflict that should be cause for concern.
51 Ibid.
52 Rezvaniyeh, F. (2010, Feb. 26). Pulling the strings of the net: Iran's Cyber Army. PBS. Retrieved from http://www.pbs.org/wgbh/pages/frontline/tehranbureau/2010/02/pulling-the-strings-of-the-net-irans-cyber-army.html
53 Perlroth, N. (2012, Oct. 23). In cyberattack on Saudi firm, U.S. sees Iran firing back. The New York Times. Retrieved from http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all
An Incident of Note
One incident which appears on the list is singular in that, unlike the other noted events, it does not appear to be the result of a direct cyber-attack: the Deepwater Horizon oil spill. On April 20th, 2010, the culmination of severe neglect of safety protocols and a slew of design and implementation flaws incurred the worst environmental disaster in US history.54 While drilling the Macondo well in the Gulf of Mexico, the Deepwater Horizon oil rig had a "blowout" in which an uncontrolled mixture of mud and gas was released after failure of pressure control systems. The gas spread across the rig and is believed to have first ignited in the engine room, initiating several explosions and causing the rig to eventually be engulfed in flames and sink.55 The reason the "Deepwater Horizon" event appears on a list of "cyber-related oil industry events" is because, regardless of the cause, the incident had several failures in networked control and safety systems which could have prevented the catastrophe from occurring after the blowout.
The former chief electronics technician on the rig, Michael Williams, noted during testimony before a government panel that the alarms which would notify the crew of a gas situation had been placed in an "inhibited" mode for over a year because "they did not want people woke up at 3 o'clock in the morning due to false alarms [sic]."56 Additionally, other monitoring and control systems intermittently froze, and a fire and alarm system was set to "override active." Despite a series of four tests conducted in the hours before the incident to ascertain the integrity of the well, no alarms were sounded or reported directly before the incident. These control issues solidify the idea that there was a cyber-component to the catastrophe. When taken in the context of other events which occurred in and around the same time period, it becomes clear that though there is no direct evidence pointing to a malign threat actor's involvement, such an attack is technically viable.
It is incredibly unlikely that any state or non-state actor was involved in an attack on the Deepwater Horizon; however, the circumstances preclude the exclusion of this possibility, remote though it may be. The Blowout Preventer (BOP) was recovered and forensically examined, but most other evidence cannot be examined: it has either ceased to exist or is inaccessible. The destructive nature of the accident and the apparent corporate neglect make collecting any cyber-forensic evidence linking the incident to an actor infeasible. Most evidence is destroyed, unusable, or largely inaccessible at the bottom of the ocean. It is likely that any control system audit reports or logs capable of providing insight either would not have attributed anomalous activity to an unidentified APT, or would not be comprehensive enough to provide evidence that could retroactively suggest an APT. The audit logs themselves are dubious due to allegations that Transocean and BP were hastily rushing procedures because of large scheduling overruns.57 Further allegations have surfaced against BP employees and contractors accusing them of destroying evidence in the wake of the disaster.58 Bearing in mind that there is no direct or forensically sound evidence and that only circumstantial evidence is available, the vignette which will now be explored is the use case of the Deepwater Horizon incident as a cyber-attack.
Several events that have occurred both before and since the BP oil spill suggest that an attack would be technically feasible. According to an article attributed to Dorothy E. Denning, a professor of computer science at Georgetown University, in 1992 a disgruntled former employee of Chevron intentionally disabled alarm systems at Chevron's oil refineries for 10 hours by "hacking into computers in New York and San José, California."59 While this only affected on-shore refineries and is dated enough that technical controls may have improved since then, another attack in 2009 showed that control systems on off-shore rigs may also be disabled remotely. Mario Azar, a disgruntled contractor formerly working for Pacific Energy Resources, sabotaged an offshore oil rig "computer system that PER used to communicate between its offices and its oil platforms. The computer system also served a 'leak detection' function for PER."60 The systems were disabled from May 8th until June 29th before it was noticed.61 And as recently as February 23rd, 2013, an article in the Houston Chronicle stated that "Malicious software unintentionally downloaded by offshore oil workers has incapacitated computer networks on some rigs and platforms, exposing gaps in security that could pose serious risks to people and the environment."62

54 (David Barstow, 2010)
55 (How the Rig Crew Responded to the Blowout, 2010)
56 (Investigation of Deepwater Horizon Explosion, Mike Williams, 2010)
57 (Drilling, 2011)
58 (Affairs, 2012)
59 (Denning, 2000)
These articles would seem to state that a cyber-attack on an off-shore rig is not only possible, but a reality. Complicated control system attacks such as Stuxnet have already proven that even in conditions where network access is unavailable, intelligent viruses can still perform a predetermined function at a designated time. By extension of these occurrences, it may be concluded that a capable attacker could manipulate the safety control systems of an oil rig from shore, and do so through a sophisticated control system virus which can operate even when not in contact with a C2 server.
If it is assumed that Deepwater Horizon was an attack, it gives rise to the question of attribution. In order to attribute an attack for which there is no direct or forensic evidence, one must instead turn to political attribution. This includes considering which actors had the motive, means, and the opportunity to perform the attack. Motives can in part be divined through observation of the direct and indirect outcomes of the event and its beneficiaries. After narrowing the scope of actors, one may then examine the policies, strategic culture, operations, and tactics of relevant actors against different dimensions of the event to reveal alignment or correlation.
Immediate and direct impacts of the Deepwater Horizon oil spill were as follows:
A moratorium on any drilling in the Gulf of Mexico for the ensuing 6 months
The Macondo well becoming unusable, at least in the immediate term
Ecological disaster in the United States and other GoM-adjacent countries
Heavy political damage, fines, and charges levied against both BP and contractors such as Transocean, Ltd.
BP has been by far the biggest figure attached to the incident. As of March 2013 BP has been forced to spend or provision $40 billion as a result of Deepwater Horizon.63 To put this in perspective, BP's combined profits for the years 2010-2012 amount to about $34.6 billion.64
These impacts in and of themselves are notable, but they also created a ripple effect of indirect consequences as well. These indirect outcomes include the possible fluctuation in oil and gas prices and the potential for geopolitical fallout from the ecological disaster. Additionally though, and perhaps most significantly, in 2011 BP announced a $38 billion asset divestment program in order to cover the costs of the enormous fines incurred by the Deepwater Horizon spill.65 So what did BP divest, and to whom?
60 (Mrozek, 2009)
61 (United States of America v. Mario Azar, 2009)
62 (Shauk, 2013)
63 (Williams, 2013)
64 (BP, 2012, p. 34)
65 (BP, Financial and Operating Information 2007-2011, 2011, p. 3)
This data would suggest that one of the main beneficiaries of the oil spill is Rosneft, a state-owned oil company belonging to a state actor which possesses both a cyber-capability and a vested interest in the oil industry. It is the only one of the top five oil producing countries yet to be mentioned: the Russian Federation. In July of 2012 Forbes released an article on the world's largest oil companies. What was notable about the article was this quote: "But when sorting through the rankings of the World's 25 Biggest Oil Companies and looking at who controls and influences the biggest of big oil one thing becomes clear: no industry leader has more sway, has twisted more arms or made more deals than Russian President Vladimir Putin." The article goes on to point out the Russian President's past use of Gazprom (the state-run oil giant and second largest producer in the world) as a political tool, and his vast influence over other non-Russian oil companies. Russia, an acknowledged force in cyber and the second largest exporter of oil in the world, is markedly absent in the last decade from the master timeline either as an aggressor or as a target, barring a few leaked emails by the Anonymous hacking group. This appears aberrant, even despite the possible language barrier mentioned at the beginning of this report or Russia's tightly controlled dissemination of information.
While clearly the Russian Federation was the largest beneficiary of BP's post-spill divestments and also benefited from a halt in Gulf of Mexico oil production, the question that remains is whether or not the possible acquisition of TNK-BP (which would be difficult to predict) is motivation enough to engage in a risky enterprise such as a cyber-attack that results in a kinetic outcome, particularly when weighed against the possibility of direct attribution that could have far-reaching implications for relations with both the UK and the US. If these benefits alone are not enough, then what other motivators existed which, in concert, would have been cause for Russia to launch a cyber-attack on a UK company operating in the Gulf of Mexico? In order to properly answer these questions many factors need to be examined, including:
The extent of BP-Russian relations leading up to and beyond the Deepwater Horizon incident
Geopolitical considerations of the time
Any competition in market share between BP and Russian state-controlled oil companies
Russia's overall relation to and dependence on the oil industry
Russia's strategic goals at the time
A high-level understanding of the Russian approach to cyber warfare
[Figure: timeline 2010-2013 of the Deepwater Horizon spill and the BP Asset Divestment Program (2010-2013). Upstream and downstream assets sold to: Anadarko Petroleum Corp, SOCAR, TAQA, Plains Exploration & Production, Rosneft, Apache Corp, Ecopetrol & Talisman, Marubeni Group, United Energy Group, Tesoro Corp. Key also marks countries with BP presence as of 2012.]
An interesting relationship between Russia and BP has unfolded over the past decade, revealing a series of exchanges that highlight a tenuous co-existence. The figure below displays this in detail, aligned with geopolitical events. The exchange begins in 2006 when the Russian state-run oil company Rosneft went public on the London stock exchange and BP purchased $1 billion in shares. This is a seemingly straightforward strategic partnering; however, there was speculation that BP was "pressured into investing in order to secure future oil exploration rights for its own Russian joint [venture] TNK-BP."66 Robert Amsterdam, a lawyer for the former head of Yukos (an oil company absorbed by Rosneft), was quoted as saying that BP "has a gun held to its head."67 Then in June 2007, the Russian government pressured BP to sell one of the world's largest natural gas fields to state-run Gazprom or lose the license to develop it.68 2008 presented perhaps the height of tensions, when armed police raided TNK-BP's Moscow offices69 in what appeared to be an effort to intimidate shareholders. This came on the heels of speculation that Russia wished to "buy out the shareholders of TNK-BP as part of its campaign to tighten control of the country's energy assets."70 In a related vein, the TNK-BP CEO was forced to leave the country after Russian authorities refused to renew his visa.71 Also in 2008, an important BP incident which did not appear to directly involve Russia occurred. Off the coast of Azerbaijan at the Central Azeri platform in the Caspian Sea, one of BP's off-shore rigs suffered a blowout nearly identical to that of the Deepwater Horizon. The gas did not ignite, and no one was killed; however, it did cost around $50 million a day in losses for the Azeri government. BP purposefully kept all details of the incident under close wraps, verging on a cover-up. Then the Deepwater Horizon event occurred in 2010, followed by the sale of TNK-BP to Russian state-run Rosneft in 2012 as part of the asset divestment program initiated to pay for the spill. In that deal, BP also purchased shares in Rosneft, upping their stake from 1.25% to 20% and receiving two seats on the board of directors, including one which was awarded to BP's current CEO Robert Dudley, the same gentleman who was forced to flee in 2008 over an un-renewed visa. However, according to a Reuters article published on March 4th of this year, "…as a state appointee, Dudley would have to vote by government directive on major issues, such as large deals and key appointments."72 This remark is in contrast to another individual who had "been nominated as an independent and as such can decide for himself how to vote."73
66 (Kennedy, 2006)
67 Ibid.
68 (Kramer, 2007)
69 (Hodgson, 2008)
70 Ibid.
71 (Webb, 2008)
72 http://uk.reuters.com/article/2013/03/04/uk-bp-rosneft-idUKBRE92310W20130304?feedType%3DRSS%26feedName%3DbusinessNews
73 Ibid.
These Russia-BP relations coincide with an amalgam of geopolitical events not directly related to BP, but offering supporting context for eventual conclusions drawn about the Deepwater Horizon oil spill. Following the collapse of the Soviet Union in 1991, many of the state-owned oil and gas assets were sold at significantly discounted values to private individuals, creating an economic void for a fragile new country already plagued by monetary issues in other sectors. Russia faltered economically for most of the 1990s until Vladimir Putin was elected President in 2000 under a banner of planned economic prosperity. Putin is an interesting figure, and has played prominently in Russia's return to the world stage. A former KGB member, Putin has sought the consolidation and reclaiming of critical sectors of the Russian economy, most notably the energy sector. Using strong-arm tactics and political pressure, he has set the tone for Russia's future policy. In 2006, Russia temporarily turned off the gas it was supplying to Ukraine, inciting conflict and unrest with other European countries. The move was cast as an overt attempt to regulate natural resource prices for a market in which Russia controls production and reaps profits from a customer base with limited alternate supply. Russia used the tactic again in 2009, shutting off gas supplies for two weeks to Ukrainian Naftogaz, ostensibly because of a dispute over contract terms which had been negotiated in 2002 regarding the appropriation of gas by Naftogaz. The ordeal was only resolved after Ukraine's Prime Minister sat down with Vladimir Putin and renegotiated a new contract for Russian gas, for which she later received a 7-year sentence on charges of abuse of power.
These events serve to highlight the importance Russia places on the energy sector as both a vital portion of its economy and a potent political tool. The Russian economy is heavily dependent on the oil & gas industries, with 62.7% of its economy being service-based industries in 2010.74 Many economists have pointed to oil and gas prices as the Achilles heel of the Russian economy.75,76,77 This was made evident in 2008 when oil prices plummeted (as seen in the figure below), sending the Russian economy spiraling into a recession. Prices hit a low in 2009, one year before Deepwater Horizon and at a time when reports were also stating that the overall output of Russian oil for 2010 was projected to decline.78 This stagnation in the economy combined with future projections of slowed oil production presented a huge threat to Russia, and it is likely that this sentiment resonated with Russian authorities. As pointed out by a Forbes columnist, a sustained drop in oil prices like that in 2008 would mean possible civil unrest and political instability; oil and gas have that magnitude of effect.79
This resonance may perhaps be seen in the Russian National Security Strategy to 2020, published in May of 2009. The document outlines a path for Russia to continue to regain prominent global power, and within it there are several points which lend credence to a strategic view of oil and gas resources. The document states that "the longer-term focus of international politics will concentrate on the possession of energy resources, notably in the Middle East, on the Barents Sea shelf and other areas of the Arctic, in the Caspian Sea Basin, and in Central Asia."80 The same publication also states that "the competitive search for resources does not exclude the use of force."81 Force in this case does not necessarily indicate a military kinetic action, but exertion of both soft and hard power across all domains, including cyber.

74 CIA Factbook 2012
75 http://www.forbes.com/sites/kenrapoza/2012/04/03/oil-a-problem-for-russian-economy-official-says/
76 http://www.ssb.no/a/publikasjoner/pdf/DP/dp617.pdf
77 http://oilprice.com/Energy/Crude-Oil/Putin-Plays-Down-Russias-Deadly-Dependence-on-Oil-Gas-Revenues.html
78 http://www.reuters.com/article/2009/10/14/russia-oil-production-idUSLE70186320091014
79 http://www.forbes.com/sites/markadomanis/2012/12/01/russia-and-oil-a-recipe-for-preservation-of-the-status-quo/
80 Thomas, T. (2011). Recasting the Red Star. Fort Leavenworth: Foreign Military Studies Office, p. 87.
What follows is a purely speculative narrative of one possible attack scenario, intended to highlight elements of Russian doctrine which align with aspects of the BP oil spill. It will also include techniques and tools which provide functionality that makes such an attack feasible.
So it is possible that after the oil price crash in 2008, Russian officials saw the danger to social and political stability in the country. Forecasts for Russian oil output around 2009 also suggested that not only were prices dropping, but overall production would as well, envisaging the specter of future unrest and hardship. Realizing the strategic importance of oil and the success they had garnered with previous market halts, they needed a way to either artificially inflate oil prices, increase demand for Russian oil, or increase oil output. It is worth noting that the price of natural gas (another huge component of the Russian economy) was inextricably linked to oil prices in most of Europe during this period, because gas is price-indexed against oil. Unlike the natural gas incidents where Russia was able to use state-controlled Gazprom to halt gas leaving the country, a sizeable portion of the oil leaving the country was from privatized companies. It would be difficult to overtly prevent them from exporting without significant backlash from international communities (such as the World Trade Organization, where they had been seeking entry for some time), so action would need to be more covert. One of the largest of these private oil firms was TNK-BP, which Russian authorities had already attempted to strong-arm into government control as they had done with other smaller oil companies like Yukos. The other main exporter of oil to Western Europe at this time was BP plc, the 50% owner of TNK-BP. Therefore, control of TNK-BP would both increase oil revenues and state output, and simultaneously decrease a prime competitor's overall output. It would also give them a larger political weapon that could be used as a bargaining chip or to meet the aforementioned goal of price control. However, BP had proven recalcitrant and defiant about relinquishing TNK-BP in spite of the pressures which had already been applied. A past rocky relationship with BP, combined with their recent safety failures and cover-up in the Caspian Sea, also made them a viable target.
If they could not be motivated by conventional means, then Russia would have to revert to force, as pointed out earlier in their National Security Strategy to 2020 ("the competitive search for resources does not exclude the use of force"). Sabotage could be a viable option; however, it would have to be on a large enough scale that BP would be put into a position where they would fold to Russian interests under the additional pressure. While an on-shore explosion would cause some delays in production and potential loss of life leading to litigation, off-shore destruction would have the potential to be significantly more damaging publicly, could also include loss of life, and would incur significant environmental fines in addition to safety fines.
The question would then be where to strike. BP holdings in the Caspian Sea would be too dangerous, as any failures could easily implicate Russia and any success could cause collateral damage to Russian oil assets and coastal regions. The North Sea would be a potentially viable candidate, with multiple countries being affected resulting in more economic impact on BP; however, the currents are such that collateral damage could occur to other areas that Russia identified as vital fields of competition, namely the Barents Sea. BP's other major developments were in relatively new fields in the Gulf of Mexico (GoM) where BP planned to invest heavily. Russia has long seen (and continues to see) American power as a dangerous counter to its own, marking the US as its top global competitor. The GoM then would prove very attractive as it offered a two-fold bonus. A cash-strapped United States, riddled by its own recession, would bear the brunt of the collateral damage, resulting in heavy fines to BP, perhaps made heavier because of the state of the American economy. Secondly, BP would possibly lose its asset(s) and right to drill offshore in the GoM, a region BP considered strategic. It would allow for an information influence operation on the American public: poisoning the market against BP, but also potentially against the American government if they repeated any mistakes in their handling of an incident like the 2005 Hurricane Katrina rescue and relief effort.
America in 2008 and 2009 was already facing internal contention over deepwater drilling practices, meaning that a significant event in the region could perhaps halt production by governmental directive. Even with the contention, BP had already made history in the Gulf; in mid-2009 the Deepwater Horizon rig finished drilling the deepest oil well in history in the Tiber Oil Field off the coast of Texas. This meant that one of the top competitors for Russian oil exports was making headway in this region. America is also the largest importer of oil, so even though oil prices are a complicated affair that takes into account aspects like the economic stability of different regions and future projections of demand, any damaging effects on American production or supply could potentially increase oil prices.
In March of 2009, drilling of a new well, Macondo, was approved and scheduled to begin later that year, creating an ideal target. Realistically, in a clandestine project of such importance it is likely that Russia would have identified several GoM targets, perhaps alongside BP North Sea assets as well. Having the Gulf of Mexico in mind, Russia now needed a method for delivery. Analyzing the 2008 incident in the Caspian Sea, which was still fresh at this time, it may have been noted that one of the root causes of the blowout was a flaw in the well cement, cement possibly provided by the same US contractor who worked for BP in the GoM: Halliburton. They may have also surmised that if the alarms and safety systems had not activated in the Caspian Sea incident, the crew may not have been capable of reacting quickly enough to prevent an explosion, thus creating a terrible ecological disaster and causing loss of life.

81 Ibid., p. 87.
So, a workable option appeared to be a covert cyber-attack on rigs operating in the Gulf which disabled safety measures or created a situation where a blowout would occur. If done correctly, they could easily hide any attribution behind China (who had been actively stealing secrets from oil companies at this time), a non-state hacking group, a sporadic virus, or merely a glitch or accident. Because of the high stakes involved in any attribution to Russia, the best option would be making it appear purely to be an accident or neglect by BP and its contractors. This could be achieved by playing on known patterns and behaviors by BP that were risky: the type of intelligence Russia would have been intimately familiar with through their own dealings with BP and analysis of other BP safety incidents in the recent past. This blends seamlessly with the Russian concept of "Reflexive Control."
Timothy Thomas points out in his book entitled "Recasting the Red Star" the concept of reflexive control; as Thomas puts it: "Reflexive control is defined as a means of conveying to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action."82 Purposefully setting false alarms off in the early hours of the morning so that someone will disable them would be a good example of this. Russian hackers such as the GLEG group have demonstrated proficiency in finding exploits in ICS software by releasing the Agora SCADA+ exploit kit, which had a plethora of zero-day exploits in it.83 This demonstrated proficiency, combined with the previously noted 2009 Mario Azar incident, would suggest that the technical capability to set this in motion was readily available. After identifying several targets in the GoM, Russian operators could easily have exploited a multitude of attack vectors. Employees' personal systems (which could have VPN access to onshore control stations or the rig directly), mobile devices like smart-phones, portable storage devices such as USB drives, engineer laptops, or an onshore control center with access to the rigs could have been leveraged to gain access. Such attacks could be trivially done even with open-source or free tools such as the iconic Metasploit Framework. Metasploit's custom payload, Meterpreter, for example, is capable of residing purely in volatile memory, often leaving few residual traces on persistent storage, if any (the practical corollary for responders is that such a foothold lasts only until the host reboots and shows up only in a memory capture, not in a disk image). After identifying an entry point such as social engineering (perhaps too high profile) or, more likely, exploitation, Russian operatives could find a series of servers at the onshore control center with a long up-time or that were not regularly updated (and therefore not regularly restarted). The attackers could have leveraged these to create redundant avenues of access which run entirely in volatile memory, thus leaving minimal to no permanent traces. More likely and stable, however, would be the use of such exploitation to install a persistent backdoor. From here they could have stolen credentials or otherwise escalated privileges to gain access to the safety systems on the Deepwater Horizon and other rigs operating in the area. It is likely that the same attack vector would not have been used in every instance, to obscure any pattern analysis and diversify opportunities for success. At this point, setting off alarms in the early hours to encourage employees to disable them, impairing other safety systems and causing general instability would have been enough to subtly magnify the effects beyond a manageable level, resulting in catastrophe.
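The testimony quoted earlier (gas alarms held in "inhibited" mode for over a year to stop 3 a.m. false alarms) and the reflexive-control step in the scenario above reduce to two conditions that can be checked against an alarm journal rather than left to memory: safety tags inhibited for far longer than any maintenance window, and tags whose activations cluster in the small hours, which is exactly the nuisance pattern that invites an operator to inhibit them. The Python below is an added example, not code from this report or from any rig or vendor system: it parses a constructed journal of ALARM, INHIBIT and UNINHIBIT events and reports both conditions. The "timestamp TAG EVENT" line format, the tag names, the 72-hour limit and the night-hour window are all assumptions chosen for the illustration.

```python
"""Audit an alarm journal for long-lived inhibits and nocturnal alarm clusters.

Added example with a constructed journal; the 'timestamp TAG EVENT'
line format and the tag names are assumptions, not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed journal (not real rig data): one gas detector inhibited and
# never restored, one fire-panel zone inhibited for two hours during
# maintenance, one H2S detector that alarms only around 03:10, and one
# mud-pit level alarm that fires at a normal working hour.
SAMPLE_JOURNAL = "\n".join(
    ["2009-03-01T09:00:00 GAS_DET_ENGINE_ROOM INHIBIT",
     "2010-04-19T22:00:00 FIRE_PANEL_ZONE4 INHIBIT",
     "2010-04-20T00:00:00 FIRE_PANEL_ZONE4 UNINHIBIT"]
    + [f"2010-04-{d:02d}T03:10:00 H2S_DRILLFLOOR ALARM" for d in range(10, 18)]
    + [f"2010-04-{d:02d}T14:00:00 MUD_PIT_LEVEL ALARM" for d in range(10, 18)]
)


def parse_journal(text):
    """Return [(datetime, tag, event)] sorted by time."""
    records = []
    for line in text.strip().splitlines():
        ts, tag, event = line.split()
        records.append((datetime.fromisoformat(ts), tag, event))
    return sorted(records)


def long_inhibits(records, now, limit=timedelta(hours=72)):
    """Tags whose cumulative inhibited time exceeds `limit`.
    An INHIBIT with no matching UNINHIBIT is treated as open until `now`."""
    opened = {}
    total = defaultdict(timedelta)
    for ts, tag, event in records:
        if event == "INHIBIT" and tag not in opened:
            opened[tag] = ts
        elif event == "UNINHIBIT" and tag in opened:
            total[tag] += ts - opened.pop(tag)
    for tag, ts in opened.items():           # still inhibited right now
        total[tag] += now - ts
    return {tag: dur for tag, dur in total.items() if dur > limit}


def nocturnal_clusters(records, night_hours=range(0, 5), min_alarms=5, share=0.8):
    """Tags with at least `min_alarms` activations of which at least `share`
    occurred in `night_hours`: the nuisance pattern that invites an inhibit."""
    counts = defaultdict(lambda: [0, 0])     # tag -> [all alarms, night alarms]
    for ts, tag, event in records:
        if event != "ALARM":
            continue
        counts[tag][0] += 1
        if ts.hour in night_hours:
            counts[tag][1] += 1
    return {tag: night for tag, (total, night) in counts.items()
            if total >= min_alarms and night / total >= share}


def audit(journal_text, now_iso):
    """Run both checks over a journal; returns (sorted long-inhibit tags,
    {tag: night alarm count} for nocturnal clusters)."""
    recs = parse_journal(journal_text)
    now = datetime.fromisoformat(now_iso)
    return sorted(long_inhibits(recs, now)), nocturnal_clusters(recs)


if __name__ == "__main__":
    print(audit(SAMPLE_JOURNAL, "2010-04-20T21:49:00"))
```

The first check is the one a safety auditor would run on a schedule; the second is the early warning, because a tag that only ever fires at 03:10 is either a faulty sensor or a sensor being deliberately tripped, and either way it is about to be inhibited unless someone looks at it first.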
After having discussed in some detail the possibility of a state actor's involvement, it must equally be considered that there is also plenty of evidence suggesting that this was nothing more than a tragic incident. It may also be stated that there is evidence contrary to the posed scenario. The Deepwater Horizon incident and the 2008 Caspian Sea incident before it were merely two incidents in an industry fraught with others. Additionally, two incidents, regardless of similarity, are not conclusive enough to represent a pattern. Should they be a part of a larger pattern, it is far more likely that these particular incidents pointed to a pattern of corporate neglect than anything else. The inherently dangerous nature of oil refinery work would imply that accidents and loss of life are an unfortunate reality of the industry. According to the Centers for Disease Control and Prevention, "The fatality rate for oil and gas workers in the U.S. between 2002 and 2007 was more than 29 deaths per 100,000 workers, or about seven times the average for all occupations."84 BP is no stranger to such hazards. Deepwater Horizon, though perhaps their worst to date, was not their first high-profile disaster. BP was required to pay 1.6 billion dollars in victim compensation for the Texas City refinery explosion of March 23, 2005. They were also required to pay 50.6 million dollars in fines for failing to fix the safety violations that were brought to them by OSHA before the explosion.85 These same corporate failings were present in the Deepwater Horizon incident and were brought up during the Senate hearings. This in part serves to highlight the fact that even if the incident were to be a state-sponsored attack, the impact of the loss of a single rig or small well is relatively inconsequential to the overall oil production of the victim. The timeline of the Deepwater Horizon incident also speaks volumes: the incident took place over the course of at least a year and was the product of many budget-saving decisions that were acknowledged to be dangerous by the engineers who were working on the Macondo well drilling effort. These measures and a culture of risk are likely what ultimately sealed the fate of the Deepwater Horizon. These occurrences are too intricate, whilst spread over such an extended period of time, for any one entity to have reasonably controlled them all.

82 Recasting the Red Star
83 https://ics-cert.us-cert.gov/pdf/ICSA-11-096-01.pdf
84 Centers for Disease Control. (2013, March 3). Retrieved from http://www.cdc.gov/niosh/programs/oil-gas/risks.html
It is within human nature to look for a pattern or design in an event even when there isn't any; this can be augmented by time as more possible "clues" become apparent. For this reason such attribution which seeks out a conclusion is a slippery slope and must be approached with caution, as it has a tendency to entice analysts to find facts to fit the hypothesis as opposed to a hypothesis which fits the facts. It is important to remember that correlation does not equal causation; in fact correlation may be coincidental or the result of another unanticipated factor. Likewise the circumstantial evidence alone is not conclusive. Between 1969 and 2005 there have been over 30 separate incidents on oil rigs ranging from fires and explosions to structural failures, some of which were blowouts not unlike the one that occurred on Deepwater Horizon. It is likely that circumstantial information about one or more of these could be strung together to provide a reasonably convincing political 'attribution.'
Regardless of the attribution or refutation of an attack, the takeaway from the Deepwater Horizon analysis is that the oil industry is undeniably tied to the cyber domain and an attack on this sector is conceivable; that by using currently available cyber means a kinetic, violent, and instrumental outcome could very possibly be effected on a private sector by a foreign state actor or other human-based agent to gain a favorable outcome.
85 BBC News. (2010, August 12). BP agrees to pay record $50.6m fine for Texas explosion. http://www.bbc.co.uk/news/business-10960486
Conclusion
The observation of a moderately sized cross-section of cyber events within the oil and gas industry clearly indicates that there is ongoing cyber conflict. This conflict exists in the form of espionage and sabotage, and it involves both state and non-state actors. In the case of cyber espionage, these actors are advanced in the sense that they have launched multi-year campaigns which have gone undetected as they have exfiltrated what is likely untold billions of dollars in intellectual property. Their tactics represent a formalization and ritualization of the conflict, which suggests that it has been weaponized and will continue to escalate in the future. The Chinese government is absolutely involved in some capacity, and stands to gain the most out of these transactions. China will need to continue to make aggressive moves to satisfy its need for oil going forward as its ability to meet growing demand becomes overwhelmed. Red October, while largely targeted at diplomatic entities, also targeted the oil and gas industry. The sophistication of the infrastructure used in Red October, as well as its methods, suggests a revolution in the type of cyber conflict that will be seen in the oil and gas industry. A majority of these groups are still active as of April 2013, even after being outed in reports released by antivirus and incident response companies over the last few years. These reports themselves represent one aspect in which non-state actors will become ever more important in cyber conflict, particularly within important industries such as oil and gas. American companies are particularly vulnerable targets for state-backed or state-owned foreign competitors, who may in the future leverage their countries' cyber forces to gain competitive advantage, or possibly develop their own.
This type of competitiveness may lead to the types of sabotage exchanges seen in the Middle East. These attacks may either have been the work of nation-states battling out policy in the cyber realm, or unconnected events, with the Shamoon attacks merely being a disaffected hacktivist group expressing dissent. Regardless of origin, these exchanges are clear examples of cyber conflict of a destructive nature. Going forward, the sophistication of the malware used in these attacks will likely only increase. Attacks like the Flame and Stuxnet viruses may be seen by American companies within the industry. The line between espionage and sabotage attacks can be somewhat blurred, with malware being modular and having the capability to perform both: gathering intelligence while waiting undetected to unleash a more sinister capability. The very use of these types of malware breeds an intimacy and familiarity with them that allows for their further proliferation by the parties who were previously attacked. Even if they cannot reverse engineer them, they may understand the behaviors well enough to crudely mimic them.
As discussed at the beginning of the paper, cyber conflict is attractive. It is attractive to criminal elements, corporate elements, individuals, hacktivists, state actors, and other sundry non-state actors alike. Because of its low barrier to entry, availability, and outsized impact, the oil industry must prepare for sustained future conflict in this realm.
Appendix A - Definitions
Advanced Persistent Threat: An advanced persistent threat (APT) uses multiple phases to break into a network, avoid detection, and harvest valuable information over the long term. These phases are Incursion, Discovery, Capture, and Exfiltration according to Symantec.86
Anonymous: A decentralized group of individuals who label themselves as "hacktivists." The group is not state-sponsored. It frequently picks its targets based on current events or on decisions of companies that conflict with the group's ever-changing mantra. The attacks perpetrated by Anonymous are frequently not complex in nature and are often designed just to restrict access to public websites through a denial of service attack.
C2: Command and Control
Cyber Warfare: "Actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."87
Dropper virus: A type of Trojan that serves to transport and extract a malicious payload onto the destination system. The dropper is frequently made to masquerade as an innocuous executable; once it has run, the payload has been deployed and the dropper itself no longer needs to be running.88
Exfiltration: The opposite of infiltration. The act of secretly removing information from the enemy's control. It is a form of espionage.
Malware: A generic term used to describe software designed to cause malicious actions on a computer system. Trojans, viruses, and worms are examples of types of malware.
Reflexive control: "A means of conveying to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action."89
SCADA: Supervisory control and data acquisition systems are a type of industrial control system usually deployed to monitor and control geographically dispersed processes over long distances.
Spear phishing: The process of attempting, often through email, to acquire someone else's user information, such as credentials. This is achieved through social engineering and often involves sending emails that appear to be from a known and trusted individual.
Trojan: A type of malware that does not replicate; rather, its primary function is to allow unauthorized access to computer systems, steal information, or cause harm to the infected system. A Trojan often presents itself as an innocuous file, thus tricking the user into executing it.
Virus: A type of malware that is able to self-replicate and infect multiple systems. The replication is usually tied to a human interaction, such as opening an infected file, which distinguishes a virus from a worm that spreads without user action.
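The spear-phishing definition above describes a message that appears to come from a known and trusted individual. The following is an added example, not code from the report, showing how a mail gateway can screen for that pattern: a display name that matches a trusted contact while the real sender address does not, a sender domain that is a lookalike of a trusted one, and a Reply-To that diverts responses elsewhere. The trusted-contact directory, the domains, and the two sample messages are constructed for illustration.

```python
"""Heuristic screening of inbound mail for spear-phishing indicators.

Added example; not part of the original report. It flags the pattern the
spear-phishing definition describes: a display name that impersonates a
known, trusted individual while the actual sender address (or Reply-To)
points somewhere else, including a lookalike domain. The trusted-contact
directory and the sample messages are constructed for illustration.
"""
import email
from email.utils import parseaddr

# Constructed directory of trusted contacts: display name -> expected address.
TRUSTED_CONTACTS = {
    "Jane Doe": "jane.doe@example-oil.com",
    "Ops Desk": "ops@example-oil.com",
}
TRUSTED_DOMAINS = {addr.split("@", 1)[1] for addr in TRUSTED_CONTACTS.values()}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (single-character swaps/typos)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    bare = domain.replace("-", "").replace(".", "")
    for trusted in TRUSTED_DOMAINS:
        trusted_bare = trusted.replace("-", "").replace(".", "")
        # Same letters with punctuation shuffled, or within a couple of edits.
        if bare == trusted_bare or 0 < _levenshtein(domain, trusted) <= max_distance:
            return trusted
    return None


def analyze(raw_message: str) -> list[str]:
    """Return a list of indicator strings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name belongs to a trusted contact but the address does not match.
    expected = TRUSTED_CONTACTS.get(display.strip())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{display}' impersonates {expected}, actual sender {from_addr}")

    # 2. Sender domain is a near-miss of a trusted domain (typosquat / lookalike).
    mimicked = lookalike_of(from_domain)
    if mimicked:
        findings.append(f"sender domain {from_domain} resembles trusted domain {mimicked}")

    # 3. Reply-To diverts responses to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    return findings


# Constructed sample messages (headers plus a one-line body).
LEGIT = (
    "From: Jane Doe <jane.doe@example-oil.com>\n"
    "Subject: Q2 drilling schedule\n\n"
    "See attached.\n"
)
SPOOFED = (
    "From: Jane Doe <jane.doe@examp1e-oil.com>\n"
    "Reply-To: jane.doe@mail-drop.example.net\n"
    "Subject: Urgent: updated well logs\n\n"
    "Please open the attachment.\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, "->", analyze(sample) or ["no indicators"])
```

The checks are deliberately header-only so they can run at the gateway before any attachment is opened; in practice they would sit alongside SPF/DKIM/DMARC results rather than replace them, since a spoofed display name on an otherwise authentic external domain is exactly the case those protocols do not catch.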
86 http://www.symantec.com/theme.jsp?themeid=apt-infographic-1
87 Clarke, R. A. and Knake, R. K. (2010). Cyber War: The Next Threat to National Security and What to Do About It. New York: Ecco/HarperCollins.
88 Symantec. (2012, April 26). Trojan.Dropper. Retrieved March 9, 2013, from Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2002-082718-3007-99
89 Thomas, T. (2011). Recasting the Red Star. Fort Leavenworth: Foreign Military Studies Office.