Russian hackers now thought to have caused 2008 Turkish oil pipeline explosion
21 December 2014
The August 2008 Baku-Tbilisi-Ceyhan (BTC) oil pipeline explosion at Refahiye in eastern Turkey was said at the time to have been caused by a technical failure, although anti-Turkish PKK militants also claimed responsibility. This too was considered plausible, because of the PKK’s history of bombing pipelines and other Turkish infrastructure assets over the years.
Now, a report from Bloomberg concludes the incident was the result of a cyberattack, most likely by Russian state or criminal hacker networks, and that Western intelligence agencies think events such as this will become more common in the future.
According to people familiar with an investigation of the incident, hackers had infiltrated the pipeline’s surveillance systems and valve stations, and super-pressurised the crude oil in the pipeline, causing the explosion.
This was two years before what was considered up until now the world’s first major cyberattack against a foreign power, the 2010 Stuxnet malware which crippled uranium-enrichment centrifuges in Iran’s nuclear weapons programme, thought to be the work of US and Israeli intelligence agencies.
The Sydney Morning Herald said that investigators working with the Turkish, British, Azerbaijani, and other governments on the BTC incident have been examining why the security control systems designed to detect oil leaks or fires failed to work moments before the explosion. Investigators eventually discovered that hackers infiltrated the system via the surveillance cameras, the communications software of which was used by the hackers to gain entry into the system’s internal network. Once inside, the hackers could have manipulated the pipeline pressure by hacking into small industrial computers at the valve stations, thus circumventing the central control room.
Some sixty hours of pipeline surveillance footage were erased by the hackers, but one infrared camera operating on an independent network captured images of two men with laptops near the pipeline days before the explosion. The men wore black military-style uniforms without insignias, similar to those worn by troops considered to have been working on behalf of Russia in Crimea during Russia’s invasion of Ukraine earlier this year.
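The intrusion path described above (camera network reaching the internal network, field controllers commanded from outside the control room, safety monitoring silent, and footage erased) suggests three independent checks a pipeline operator can run on its own telemetry. The following is an added example written for this article, not code from the investigation or from any BTC system; the host addresses, subnet, pressure limit, station names and every event record are constructed sample values.

```python
"""Independent audit of valve-station commands, line pressure and camera recording continuity.

Added example; all hosts, subnets, limits and records below are constructed assumptions,
not data from the article or from any real pipeline.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: only the control-room SCADA host may write setpoints to valve-station controllers.
AUTHORISED_WRITERS = {"10.1.0.10"}
# Assumption: the surveillance-camera network; it should never talk to field controllers at all.
CAMERA_SUBNET = ip_network("10.5.0.0/24")
# Assumption: rated maximum line pressure (bar) for the monitored segment.
MAX_PRESSURE_BAR = 95.0


def audit_commands(commands):
    """Flag setpoint writes to a valve station that did not originate from the control room.

    Each command is a dict with keys ts, src, station, op, value (constructed format).
    """
    alerts = []
    for c in commands:
        if c["op"] != "write_setpoint":
            continue  # reads and status polls are not of interest here
        if c["src"] not in AUTHORISED_WRITERS:
            origin = "camera-subnet" if ip_address(c["src"]) in CAMERA_SUBNET else "unknown"
            alerts.append(f"{c['ts']} {c['station']}: setpoint write from {origin} host {c['src']}")
    return alerts


def audit_pressure(readings):
    """Flag readings above the rated maximum, judged directly from field sensors rather than
    from whatever the central control room display currently shows."""
    return [
        f"{r['ts']} {r['station']}: pressure {r['bar']:.1f} bar exceeds {MAX_PRESSURE_BAR:.1f} bar"
        for r in readings
        if r["bar"] > MAX_PRESSURE_BAR
    ]


def audit_recording_gaps(segments, max_gap=timedelta(minutes=5)):
    """Flag gaps between consecutive camera recording segments; segments are (start, end) pairs.
    Erased or suppressed footage shows up as a hole in the timeline."""
    alerts = []
    ordered = sorted(segments)
    for (_, end_prev), (start_next, _) in zip(ordered, ordered[1:]):
        gap = start_next - end_prev
        if gap > max_gap:
            alerts.append(
                f"recording gap of {gap} between {end_prev:%Y-%m-%d %H:%M} and {start_next:%Y-%m-%d %H:%M}"
            )
    return alerts


# Constructed sample telemetry: one legitimate write, one write from the camera subnet, one read.
SAMPLE_COMMANDS = [
    {"ts": "2024-03-01T10:00:00", "src": "10.1.0.10", "station": "VS-30", "op": "write_setpoint", "value": 80.0},
    {"ts": "2024-03-01T10:07:00", "src": "10.5.0.23", "station": "VS-30", "op": "write_setpoint", "value": 120.0},
    {"ts": "2024-03-01T10:08:00", "src": "10.1.0.10", "station": "VS-30", "op": "read", "value": None},
]

# Constructed sample sensor readings: one normal, one above the rated maximum.
SAMPLE_READINGS = [
    {"ts": "2024-03-01T10:05:00", "station": "VS-30", "bar": 82.5},
    {"ts": "2024-03-01T10:09:00", "station": "VS-30", "bar": 101.3},
]

# Constructed sample recording segments with a two-day hole between the first and second.
_D = datetime(2024, 3, 1)
SAMPLE_SEGMENTS = [
    (_D, _D + timedelta(hours=12)),
    (_D + timedelta(days=2, hours=12), _D + timedelta(days=3)),
    (_D + timedelta(days=3), _D + timedelta(days=3, hours=6)),
]


def run_audit():
    """Run all three checks over the constructed samples and return the alerts by category."""
    return {
        "commands": audit_commands(SAMPLE_COMMANDS),
        "pressure": audit_pressure(SAMPLE_READINGS),
        "recording": audit_recording_gaps(SAMPLE_SEGMENTS),
    }


if __name__ == "__main__":
    for category, alerts in run_audit().items():
        for line in alerts:
            print(f"[{category}] {line}")
```

The point of the design is independence: each check draws on a data source the attacker would have to compromise separately (network capture at the field controllers, the raw sensor feed, and the recorder's own timeline), so suppressing the central control room's alarms or wiping the camera archive does not silence all three at once.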
Motivation for Russia’s involvement in the sabotage could have been the fact that the BTC pipeline, which links Baku in Azerbaijan to Ceyhan on the Mediterranean coast of Turkey, gives additional energy independence to oil-rich states on its southern border at a time when Russia is seeking to reassert its control over former Soviet states.
The BTC also transits through Georgia, which Russia invaded shortly after the cyberattack on the pipeline.
This reassessment of the Turkish pipeline incident was followed in late December 2014 by an announcement by the German Federal Office for Information Security (BSI) that a cyberattack on one of the country’s steelworks had caused “massive damage”.
The BSI report explained that the attackers combined social engineering with a phishing campaign to gain access to the steel factory’s office network. Once the hackers infiltrated the network, they were able to tamper with the controls of a blast furnace.
After the system was compromised, individual components or even entire systems started to fail frequently. Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in massive damage to the plant, the BSI said, describing the technical skills of the attackers as “very advanced”.
The BSI did not apportion blame to any country or group of hackers.
In October, the US Department of Homeland Security issued several alerts about digital attacks on power and water utility computer systems. Investigators have not detected attempts to modify or damage systems at utilities, suggesting that infiltrators were trying to gain control for later action.
Bloomberg said that in the last few weeks, utilities across the US and Canada have been searching extensively for signs of malware. The National Electric Sector Cybersecurity Organization, an industry group for power companies and government regulators, has not identified the country behind the hacking, but cybersecurity firms connected them to Russia.
In a recent address to the US House Intelligence Committee, National Security Agency director Michael Rogers said it was only a matter of when, not if, something dramatic happened to vulnerable critical infrastructure in the US.
With direct evidence that state actors and cybercriminals are prepared to take over and destroy plant when it suits their interests, the stakes have been raised considerably.