Cyberwars and Real World Consequences: Bhopal Gas Tragedy meets Shamoon
In the early morning hours of December 3, 1984, residents of Bhopal, India were awoken by commotion, blaring sirens, and a sudden wave of respiratory distress. They would not learn until much later that the neighboring pesticide plant had been leaking highly toxic methyl isocyanate (MIC) gas for several hours. Estimates put the death toll at more than 16,000, with over 500,000 injured, and the leak is still considered by many experts to be the worst industrial disaster to date.
On August 15, 2012, the offices of Saudi Aramco were mostly empty because of the Muslim holy month of Ramadan. In the preceding weeks, over 30,000 Windows machines on Aramco's network had been silently infected with the Shamoon malware, also known as W32.Disttrack. On that day a logic bomb in Shamoon fired and overwrote the master boot record and the contents of the hard drives on the infected machines, leaving them unbootable and their data unrecoverable. The damage and the cost of halted operations were so high that the company enlisted its fleet of private jets to fly staff around the world with the mission of procuring every working hard drive they could get their hands on in order to get operations back up and running. Attribution was placed primarily on neighboring Iran, which has a longstanding feud with the Kingdom of Saudi Arabia. In recent years, Saudi Arabia has been pressing OPEC to keep oil supply high and prices low in order to attract international investment and prepare the state-owned petroleum company Saudi Aramco for a public offering.
In January 2018, Schneider Electric disclosed details of Triton, a piece of malware that had caused an industrial control system (ICS) to shut down at an unnamed organization in the Middle East. Triton exploits a zero-day vulnerability in Schneider Electric's Triconex safety instrumented system (SIS) controllers. Schneider Electric maintains that even when the vulnerability is exploited, the controllers perform as designed: they detect the fault and safely shut down the process they protect.
What do an industrial disaster, a grudge against the Kingdom of Saudi Arabia, and a zero-day vulnerability in ICS infrastructure have in common? An attack disclosed in March 2018 indicates that Iran launched a cyberattack against a Saudi chemical plant with the intention of causing real-world harm. According to a recently published article in the New York Times, security researchers discovered attack code in the plant's systems meant to sabotage its operations and trigger an explosion. This represents an escalation in international cyberwarfare: a successful attack would have killed plant personnel and residents of the surrounding area. The crew that wrote the attack code made several mistakes, so it did not execute properly, and authorities caught the attack before any damage was done. Instead of continuing to run its routines, the malware inadvertently tripped the plant's safety systems, which shut down the process and prevented any further damage. The attack was extremely sophisticated, the crew clearly had significant resources at its disposal, and a successful attack would have offered little profit motive. These clues point to a state-sponsored operation. Details are still scarce because there is an active investigation and investigators do not want to give potential attackers any clues. Of all the countries with the technical sophistication to support such an operation, Iran is the only one that would gain from a successful attack against Saudi Arabia.
The pessimist sees that while the attackers were unsuccessful this time, they will learn from their mistakes and improve their tools and tactics for the next attack. Worse yet, over 18,000 critical infrastructure facilities around the world use the same family of industrial control systems as the Saudi plant, so weaponized ICS malware could cause a great deal of real-world damage if it fell into the wrong hands. The optimist sees that security researchers also learn from such attacks and implement proper controls to prevent these types of attacks from succeeding. Security is a never-ending job and an escalating arms race against malware authors, often with state sponsors backing them.