The New York Times has an interesting story about a cyber attack against a petrochemical plant in Saudi Arabia seemingly meant to sabotage its operations and potentially trigger an explosion:

A team at Schneider Electric, which made the industrial systems that were targeted, called Triconex safety controllers, is also looking into the attack, the people who spoke to The Times said. So are the National Security Agency, the F.B.I., the Department of Homeland Security and the Pentagon’s Defense Advanced Research Projects Agency, which has been supporting research into forensic tools designed to assist hacking investigations.

All of the investigators believe the attack was most likely intended to cause an explosion that would have killed people. In the last few years, explosions at petrochemical plants in China and Mexico — though not triggered by hackers — have killed several employees, injured hundreds and forced evacuations of surrounding communities.

What worries investigators and intelligence analysts the most is that the attackers compromised Schneider’s Triconex controllers, which keep equipment operating safely by performing tasks like regulating voltage, pressure and temperatures. Those controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants.

“If attackers developed a technique against Schneider equipment in Saudi Arabia, they could very well deploy the same technique here in the United States,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank.

Schneider Electric has apparently designed their Triconex safety controllers so that they can only be modified through physical contact, not via network-based interfaces. If this is in fact the true design, then why would there be any worry of a potential physical explosion? No malware should be able to send a command that modifies the Triconex system unless there is a missing link.

It is possible the attackers have studied Triconex so thoroughly that they were able to locate a bug Schneider Electric is unaware of, one which could force other components to receive commands that would affect the safety controllers. If this is the case, then the culprit is likely an extremely sophisticated actor backed by deep resources. Only a limited number of nation states have these advanced capabilities and the funding to purchase expensive equipment like this for the sole purpose of bug hunting.

Security experts said Iran, China, Russia, the United States and Israel had the technical sophistication to launch such attacks. But most of those countries had no motivation to do so. China and Russia are increasingly making energy deals with Saudi Arabia, and Israel and the United States have moved to cooperate with the kingdom against Iran.

That leaves Iran, which experts said had a growing military hacking program, although the Iranian government has denied any involvement in such attacks.

Tensions between Iran and Saudi Arabia have steadily escalated in recent years, and the conflict has drifted online.

Iran is arguably the nation state with the strongest reason to want to physically attack Saudi Arabia. Leveraging this type of cyber attack to cause such damage would make attribution exceedingly difficult, and with no conclusive evidence to support any claims, chances are no public pronouncements of responsibility would ever be made.

So how did the hackers get in? Investigators found an odd digital file in a computer at an engineering workstation that looked like a legitimate part of the Schneider controllers but was designed to sabotage the system. Investigators will not say how it got there, but they do not believe it was an inside job. This was the first time these systems were sabotaged remotely.

The only thing that prevented significant damage was a bug in the attackers’ computer code that inadvertently shut down the plant’s production systems.

You can bet the attackers will not make the same mistake twice, assuming their actual intent was to cause physical disruption.

Fox News claims Iran and Saudi Arabia are on the brink of cyber war as they vie for greater regional political influence:

In 2014, Iranian hackers launched Operation Cleaver, targeting 16 countries, including the U.S., according to U.S. cybersecurity firm Cylance. The hackers targeted several government organizations and private companies involved in the transportation, energy, and medical sectors.

“It’s been this low-key cyber volleying back and forth at each other – It looks like somebody got tired of this and said ‘look I’m going to yank up this game’ to a different level,” said Ahlberg. “When we look at this and take apart this Yemen Cyber Army and really try to understand who they are … they look a lot like other Iranian actors.”

He added, “what we have seen here is the cyber activity turn into an information operation … it’s well-orchestrated to a degree where you’re saying this is not [just] a guy in the basement – this is something more.”

As the U.S. and other world powers negotiate with Iran over its nuclear program, Griffin points out that any sanction relief could have an impact on their cyber activities. “If we are rewarding them not just for this bad behavior, but really the worse behavior, the green light to escalate that is something I would be very concerned by.”

The whole use of the term cyber war is getting out of hand. The word war has a very specific, destructive-sounding definition. However, cyber war does not afford the attackers the same level of physical destruction capability as, say, a 20-ton bomb.

The term cyber operations makes more sense, but it is nowhere near as sensationalist as the media enjoys, so I fear we are stuck with hyperbole.

Buzzfeed, of all places, has an interesting article introducing a mysterious new hacker army freaking out the Middle East:

But the campaign continued to build. Twitter accounts were created calling for hackers to attack Saudi targets, rallying around the hashtag #OpSaudi. On May 20, the Saudi foreign ministry was hacked. The next day, a story appeared on Iran’s state-run FARS news agency, the first media mention of the group (followed quickly by a second press mention on Russia Today). The FARS story credited the Yemen Cyber Army with carrying out the hack of the Saudi foreign ministry and said it would soon be releasing personal information about Saudi federal employees as well as diplomatic correspondence. In the week that followed, documents surfaced in Pastebin accounts with passport information that appeared to come from the Saudi foreign ministry.

Fast forward to one month later, when Wikileaks announced it would make public roughly one million diplomatic cables from Saudi Arabia’s foreign ministry. Wikileaks’ press release mentions that “a group calling itself the Yemen Cyber Army was responsible for breaching the Saudi Foreign Ministry,” but stops short of naming the group as the source of the documents being uploaded to Wikileaks. The documents range from cables outlining Saudi Arabia’s funding of Islamist groups in the region, to a request from Osama bin Laden’s son for his father’s death certificate. It was the first news-making event for Wikileaks since November 2013.

Who is the shadowy group that appears to have launched a full-scale digital campaign to expose, or at least embarrass, Saudi Arabia?

I am surprised to see such an interesting, and well written, cyber security story on Buzzfeed.

According to a report by Blue Coat Systems, the Israeli military networks have been breached by what appears to be Arabic-speaking malicious actors:

Waylon Grange, a researcher with Blue Coat [PRJCBB.UL] who discovered the campaign, said the vast majority of the hackers’ software was cobbled together from widely available tools, such as the remote-access Trojan called Poison Ivy.

The hackers were likely working on a budget and had no need to spend much on tailored code, Grange said, adding that most of their work appeared to have gone into so-called social engineering, or human trickery.

The hackers sent emails to various military addresses that purported to show breaking military news, or, in some cases, a clip featuring “Girls of the Israel Defense Forces.” Some of the emails included attachments that established “back doors” for future access by the hackers and modules that could download and run additional programs, according to Blue Coat.