In August 2017, a petrochemical company with a plant in Saudi Arabia was hit with a cyberattack aiming not to simply destroy data but to sabotage the firm’s operations and trigger an explosion.
According to the New York Times, investigators have not publicly identified the targeted company or the culprits, but outside experts say there are indications that the attackers were likely backed by a government. The only thing that prevented an explosion was an error in the attackers’ code.
The attackers appear to have compromised the plant’s industrial controllers, the devices that regulate voltage, pressure and temperature.
The Times article adds: “United States government officials, their allies and cybersecurity researchers worry that the culprits could replicate it in other countries, since thousands of industrial plants all over the world rely on the same American-engineered computer systems that were compromised.”
According to former NSA computer scientist and Obsidian Security CTO Ben Johnson: “At the moment there are not many technical details available to understand how the attackers got into the network of the Saudi plant, but we know from other similar attacks that sophisticated actors are focused on gaining access and ensuring that long-term access can be maintained once they’re inside. That means adding user accounts or stealing credentials, but it could also mean covert backdoors and implants.
“The challenge for defenders once the adversary has legitimate account access is that they can quite literally live off the land and blend in – they become an employee. This means the only way to detect them before it is (usually) too late is to have proper systems in place to detect insider threat, and this problem is notoriously difficult. And once the environment is breached, it’s hard to have faith in the integrity of any aspect of that system, especially when sophisticated adversaries are involved.”
This is not the only recent cyberattack to hit petrochemical facilities in Saudi Arabia, however. In January 2017, computers went offline at the National Industrialization Company (Tasnee), a privately owned Saudi petrochemical company, and computers crashed 15 miles away at the Sadara Chemical Company. Within minutes, Tasnee hard drives were destroyed and their data wiped clean. Recovery took months.
“In this case, the attack against the Saudi plant did not simply have the objective of stealing data or halting operations – it was to sabotage the firm’s operations and trigger an explosion,” says Johnson. “As these types of attacks escalate and as the consequences of them become more serious, organizations must ensure they’re securing access and monitoring for the continuous probes they’re sure to face from cyber adversaries.”