Oil & Cyber Terror

Title: Norway Hit By Major Cyber Attack On Oil, Defence Industries
 November 18, 2011
International Business Times 

Abstract: Data from Norway's oil, gas and defence systems have been stolen in what is feared to be one of the most extensive data espionage in the country's history.

Industry secrets and information about contract negotiations were stolen and "sent out digitally across the country," according to a statement released by Norway's National Security Agency (NSM).

At least 10 different firms, perhaps more, had been targeted in the biggest wave of cyber-attacks seen by the country.

None of the industries, mostly the oil, gas, energy and defence, have been named and it is feared that the number of attacked firms is higher as some may not realise they have been hacked.

Cybercrime: Prevention, Protection, Punishment Against Cyber Attacks (Conference)

"The attacks vary slightly from each other and are tailor-made so they are not discovered by anti-virus solutions. Companies that are targeted are therefore not aware of the attacks until after they have taken place," the NSA said in a statement.

"This means it is probable that industrial secrets from various companies have been stolen and sent digitally out of the country."

It is thought that the attacks may have been carried out by more than one person over the past year.

The methods used were varied, but it is thought that in some individual cases emails armed with viruses which did not trigger anti-malware detection systems were used to steal passwords, documents and other confidential material from hard-drives.

"This is the first time Norway has revealed extensive and wide computer espionage attacks," said NSM spokesperson Kjetil Berg Veire in a statement.

The attacks have occurred more often" when companies were negotiating large contracts," he said.

The NSM said that this type of internet espionage was an extremely cost-effective type of data-theft as that "espionage over the internet is cheap, provides good results and is low-risk."

Norway's oil and gas industry is ranked the third largest in the world, with 2.8 million barrels being produced each day (International Business Times, 2011).

Title: Cyber Attacks Bombard Energy Sector, Threatening World Oil Supply
Date: December 8, 2011
Huffington Post

Abstract: Hackers are bombarding the world's computer controlled energy sector, conducting industrial espionage and threatening potential global havoc through oil supply disruption.

Oil company executives warned that attacks were becoming more frequent and more carefully planned.

"If anybody gets into the area where you can control opening and closing of valves, or release valves, you can imagine what happens," said Ludolf Luehmann, an IT manager at Shell Europe's biggest company .

"It will cost lives and it will cost production, it will cost money, cause fires and cause loss of containment, environmental damage - huge, huge damage," he told the World Petroleum Congress in Doha.

Computers control nearly all the world's energy production and distribution in systems that are increasingly vulnerable to cyber attacks that could put cutting-edge fuel production technology in rival company hands.

"We see an increasing number of attacks on our IT systems and information and there are various motivations behind it - criminal and commercial," said Luehmann. "We see an increasing number of attacks with clear commercial interests, focusing on research and development, to gain the competitive advantage."

He said the Stuxnet computer worm discovered in 2010, the first found that was specifically designed to subvert industrial systems, changed the world of international oil companies because it was the first visible attack to have a significant impact on process control.

But the determination and stamina shown by hackers when they attack industrial systems and companies has now stepped up a gear, and there has been a surge in multi-pronged attacks to break into specific operation systems within producers, he said.

"Cyber crime is a huge issue. It's not restricted to one company or another it's really broad and it is ongoing," said Dennis Painchaud, director of International Government Relations at Canada's Nexen Inc. "It is a very significant risk to our business."

"It's something that we have to stay on top of every day. It is a risk that is only going to grow and is probably one of the preeminent risks that we face today and will continue to face for some time."

Luehmann said hackers were increasingly staging attack over long periods, silently collecting information over weeks or months before attacking specific targets within company operations with the information they have collected over a long period.

"It's a new dimension of attacks that we see in Shell," he said.

Not In Control
In October, security software maker Symantec Corp said it had found a mysterious virus that contained code similar to Stuxnet, called Duqu, which experts say appears designed to gather data to make it easier to launch future cyber attacks.

Other businesses can shut down their information technology (IT) systems to regularly install rapidly breached software security patches and update vulnerable operating systems.

But energy companies cannot keep taking down plants to patch up security holes.

"Oil needs to keep on flowing," said Riemer Brouwer, head of IT security at Abu Dhabi Company for Onshore Oil Operations (ADCO).

"We have a very strategic position in the global oil and gas market," he added. "If they could bring down one of the big players in the oil and gas market you can imagine what this will do for the oil price - it would blow the market."

Hackers could finance their operations by using options markets to bet on the price movements caused by disruptions, Brouwer said.

"So far we haven't had any major incidents," he said. "But are we really in control? The answer has to be 'no'."

Oil prices usually rise whenever tensions escalate over Iran's disputed nuclear program - itself thought to be the principal target of the Stuxnet worm and which has already identified Duqu infections - due to concern that oil production or exports from the Middle East could be affected by any conflict.

But the threat of a coordinated attack on energy installations across the world is also real, experts say, and unlike a blockade of the Gulf can be launched from anywhere, with no U.S. military might in sight and little chance of finding the perpetrator.

"We know that the Straits of Hormuz are of strategic importance to the world," said Stephan Klein of business application software developer SAP.

"What about the approximately 80 million barrels that are processed through IT systems?," said Klein, SAP vice president of oil and gas operations in the Middle East and North Africa.

Attacks like Stuxnet are so complex that very few organizations in the world are able to set them up, said Gordon Muehl, chief security officer at Germany's SAP said, but it was still too simple to attack industries over the internet.

Only a few years ago hacking was confined to skilled computer programmers, but thanks to online video tutorials, breaking into corporate operating systems is now a free for all.

"Everyone can hack today," Shell's Luehmann said. "The number of potential hackers is not a few very skilled people -- it's everyone" (Huffington Post, 2011).

Title: Saudi Oil Producer’s Computers Restored After Virus Attack
August 26, 2012
New York Times

Saudi Aramco, the world’s biggest oil producer, has resumed operating its main internal computer networks after a virus infected about 30,000 of its workstations earlier this month, the company said Sunday.

Immediately after the Aug. 15 attack, the company announced it had cut off its electronic systems from outside access to prevent further attacks.

On Sunday, Saudi Aramco said the workstations had been cleansed of the virus and restored to service. Oil exploration and production were not affected because they operate on isolated systems, it said.

“We would like to emphasize and assure our stakeholders, customers and partners that our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever,” Saudi Aramco’s chief executive, Khalid al-Falih, said in a statement.

However, one of Saudi Aramco’s Web sites taken offline after the attack — www.aramco.com — remained down on Sunday. E-mails sent by Reuters to people within the company continued to bounce back.

The company said that the virus “originated from external sources,” and that an investigation into the causes of the incident and those responsible was continuing. It did not elaborate.

Information technology experts have warned that computer attacks on countries’ energy infrastructure, whether conducted by hostile governments, militant groups or private “hacktivists” to make political points, could disrupt energy supplies.

Iran, the focus of international economic sanctions focused on its oil industry over its disputed nuclear program, has been hit by several computer attacks in the last few years.

In April, a virus infected the Iranian oil ministry and national oil company networks, forcing Iran to disconnect the control systems of oil facilities including Kharg Island, which handles most of its crude exports.

Iran has attributed some of the attacks to the United States, Israel and Britain.

Current and former American officials have said that the United States built the complex Stuxnet computer worm to try to prevent Tehran from completing suspected nuclear weapons work.

An English-language posting on an online bulletin board on Aug. 15, signed by a group called the “Cutting Sword of Justice,” claimed the group was responsible for the attack and wanted to destroy the 30,000 computers at Saudi Aramco.

It said the company was the main source of income for the Saudi government, which it blamed for “crimes and atrocities” in several countries, including Syria and Bahrain. Saudi Arabia sent troops into Bahrain last year to back the gulf state’s Sunni Muslim rulers against Shiite-led protesters. Riyadh is also supporting Sunni rebels against the Syrian government of President Bashar al-Assad.

The Cutting Sword of Justice was not widely known before this attack, and information security experts contacted by Reuters had no information on the group.

Rob Rachwald, director of security strategy for United States-based data security firm Imperva, said in a blog posting last week that if the Saudi Aramco attack had been carried out by hacktivists, it could be a milestone in computer hacking.

“A group of hobbyists and hacktivists with several very strong-minded developers and hackers achieved results similar to what we have allegedly seen governments accomplish,” Mr. Rachwald wrote.

Symantec, one of the world’s largest Internet security companies, said on the day after the Saudi Aramco attack that it had discovered a new virus directed against at least one organization in the global energy sector, although it did not name that organization.

“It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable,” Symantec said in a blog posting about the virus, which it called W32.Disttrack. “Threats with such destructive payloads are unusual and are not typical of targeted attacks.”

Mr. al-Falih, the oil company’s chief executive, said in his statement on Sunday: “Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyberattack” (New York Times, 2012).

Title: Qatar Group Falls Victim To Virus Attack
Date: August 30, 2012

Abstract: Qatar’s RasGas, one of the world’s largest producers of natural gas, has become the second major state-owned Middle East energy company to be hit by a severe computer virus in weeks.

The disruption came after Saudi Aramco, the government-backed company that is the world’s largest crude oil producer, was also attacked by a computer virus.

Saudi Aramco said in a statement on Sunday that it has restored its “main internal network services” after the attack on August 15. But oil traders in Houston, Geneva and London on Thursday said they were communicating with Aramco’s counterpart by fax and telex, as the company’s external email services were still down (FT, 2012)

Title: Mole Hack? 30,000 Computers Of World's Biggest Oil Company Hit
Date: September 8, 2012

Abstract: Insiders are thought to have facilitated the cyber-attack on the world’s largest oil company, says a probe. The group behind the hack on state-run Saudi Aramco claim the attack is revenge for “crimes and atrocities” by the Saudi government.

"It was someone who had inside knowledge and inside privileges within the company," a source familiar with investigation told Reuters.

The Shamoon virus spread through the company’s computer network last month, wiping the data from at least 30,000 computers, in one of the most destructive cyber-attacks on a single business in history.

Reports say to prevent any drastic consequences Aramco prohibited its employees from sending or receiving emails outside of the company and had to switch to paper transactions while it was dealing with the virus.

Hackivist group The Cutting Sword of Justice claimed responsibility for the attack on the company. They issued a statement saying that the attack was politically motivated and revenge for the “crimes and atrocities” committed by the Saudi Arabian government.

The previously unknown hacker organization also said that they had obtained classified documents from the hack and threatened to release them, although thus far nothing has been published.

Saudi Aramco has not made any comments regarding its ongoing investigation into the mass hack, refraining from speculating on what it called

“Rumors and Conjecture.”
“This was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber-attack,” said the company’s chief executive Mr. al-Falih. He went on to say “not a single drop of oil was lost and no critical systems were harmed.

Meanwhile, Qatari gas producer RasGas announced that it had been affected by a similar virus at the end of August.

Uncommonly ‘Destructive’
The virus in question, known as Shamoon, is not a sophisticated cyber weapon designed for high-level insurgency. It is used to attack ordinary business computers.

“Based on initial reporting and analysis of the malware, no evidence exists that Shamoon specifically targets industrial control systems components or US government agencies,” the Department of Homeland Security’s United States Computer Emergency Readiness Team said in an August 29 advisory.

Once the Shamoon virus has infiltrated a computer network it attempts to infect every computer. The virus is capable of stealing information and erasing all data on the devices, experts say.

“We don’t normally see threats that are so destructive, it’s probably been 10 years since we saw something so destructive,” said Liam O Murchu from computer security firm Symantec.

Repression and marginalization

Saudi Arabia saw a number of protests across the country recently with the country’s Shia Muslim minority protesting against discrimination from the ruling Sunni monarchs. 

The Shia protests were triggered last year in March when the Saudi government sent troops to neighboring Bahrain to crackdown on Shia protesters. Bahrain is also ruled by a Sunni Muslim monarchy (RT, 2012).

Title: Report: Iran Blocks Cyberattack On Its Oil Drilling Platforms
Date: October 8, 2012
Fox News

Abstract: An Iranian oil official says the country has successfully blocked a cyberattack on the computer network of its offshore drilling platforms.

The Monday report by semiofficial ISNA news agency quotes Mohammad Reza Golshani, IT head of Iran's state offshore oil company, as blaming Israel for the attack.

He said the attack occurred over the past two weeks, was routed through China, and affected only the communications systems of the network. He did not provide further details.

Iran periodically reports attacks on government, nuclear, oil and industrial targets, blaming Israel and the United States. Israel has done little to deflect suspicion that it uses viruses against Iran.

Iran is odds with the West over its nuclear program. The West suspects the program is aimed at developing weapons, a charge Tehran denies (Fox News, 2012).

Title: Iran Says It Blocks Cyberattack On Oil Platforms
Date: October 8, 2012

Abstract: Iran says it has successfully blocked a cyberattack on the computer network of its offshore drilling platforms, a semiofficial news agency reported Monday.

The report by ISNA quoted Mohammad Reza Golshani, IT head of Iran's state offshore oil company, as blaming Israel for having planned the attack.

Iran periodically reports the discovery of viruses and other malicious programs in government, nuclear, oil and industrial networks, blaming Israel and the United States. In May, Iran shut down part of its oil facilities because of another such cyberattack.

Israel has done little to deflect suspicion that it uses viruses against Iran.

In this case, Golshani said, the attack occurred over the past two weeks, was routed through China, and affected only the communications systems of the network. He said the main network was safe since it was isolated from the Internet, and was back to normal operations. Iran announced that it had temporarily disconnected its oil ministry and its main crude export terminal from the Internet after the May attack.

Iran earns up to 80 percent of its foreign revenue from the export of crude.

Iran is odds with the West over its nuclear program. The West suspects the program is aimed at developing weapons. Tehran denies the charge, saying its nuclear program is geared toward peaceful purposes like power generation and cancer treatment.

A computer worm known as Stuxnet briefly brought Iran's uranium enrichment activity to a halt in 2010 (Guardian, 2012).

Title: Israeli Cyber Attacks Targeted Offshore Oil, Gas Platforms – Iran IT Head
Date: October 8, 2012
Source: RT

Abstract: Iran’s offshore oil and gas platforms were the targets of the cyber attacks aimed at crippling the country. All threats were repelled and Israel was behind them, according to head of IT at the Iranian Offshore Oil Company, Mohammad Reza Golshani.

Golshani told Reuters that the attack happened over the past couple of weeks, was routed through China, and affected only the communications systems of the network.

It is almost two weeks since the managing director of the National Iranian Offshore Oil Company Mahmoud Zirakchianzadeh announced his company’s negotiations over deals worth US$14 billion.

Iran is currently under pressure from the international sanctions, mainly in oil exports, imposed by the UN Security council, the US, and the EU.

On Saturday, the EU threatened to ban Iran’s natural gas export to put pressure on the country’s nuclear program. Iran’s now exporting to Turkey and has swap deals with Armenia and Azerbaijan.

The possible ban was described by a spokesman of the oil ministry Alireza Nikzad-Rahbar as a "propaganda campaign" because “right now no EU member imports Iranian gas supply.”

The UN Security Council imposed four rounds of sanctions in efforts to pressure Tehran to give up its nuclear program, which the West fears is aimed at creating a nuclear weapon. Iran insists its nuclear ambitions are peaceful. The sanctions targeted Iran’s oil exports and cut off access to international banking networks.

Tehran is being pressured not only with sanctions: the country has been variously attacked by Flame, Stuxnet and Gauss, three viruses that gathered information on sensitive Iranian equipment and slowed down its nuclear centrifuges. They were tacitly confirmed to have been launched by the US and Israel, as a way of slowing down the country’s atomic program, which the West says is aimed at eventually producing nuclear weapons. A claim Iran emphatically denies.

Iran has reported several computer attacks in recent months and a Revolutionary Guard commander said last month the country would defend itself in case of a "cyber war".

Tehran is seeking to developing a national Internet system, which it says would improve cyber security. But many Iranians say the plan is the latest way to control their access to the Web, which is already highly censored (RT, 2012).