Four Unnamed Sources

Or: If a pipeline explodes in the desert and there is no one there to hear it was it really a cyberwar attack?

No one questions the importance of keeping abreast of current trends and developments with regards to information security. Whether it is new malware techniques, attack vectors or just the motivation of some attackers. That means looking into the details of the Target and Sony breaches, checking out the specifics of Heartbleed and Poodle, and keeping abreast of the latest patches from Microsoft and other vendors. It also means trying to separate the facts from the fear, uncertainty, and doubt used to generate page views.

One recent story has me questioning if a pipeline explosion in Turkey was actually in fact an early example of cyberwar. The article claims that a large explosion along the Baku-Tbilisi-Ceyhan (BTC) pipeline, near the Eastern Turkish city of Erzincan on Aug. 7, 2008 was in fact a cyber attack. The article attempts to downplay claims of the Turkish government who said the explosion was caused by a malfunction, as well as discounting the claims of the Kurdistan Worker’s Party who claimed credit for the explosion despite the groups history of blowing up pipelines. Of course there was also a statement by the Botas International Ltd. company which operates the pipeline which said that the pipeline’s computers systems had not been tampered with.

The explosion occurred two years before Stuxnet and while I doubt Stuxnet was the first operation of its kind the evidence to support a similar type of attack on this pipeline is mostly circumstantial at best. Even if this was a cyber attack it would not “rewrite the history of cyberwar,” as one expert quoted in the article claimed. It would just add one more data point to an already interesting history. Unfortunately the article does not give any proof that this was in fact a cyber attack.

Certainly the article lists plenty of circumstantial evidence to support the theory of a cyber attack to blow up the pipeline but the actual proof comes down to “four people familiar with the incident who asked not to be identified.” Obviously in some cases journalists must rely on unidentifiable sources however usually when they must do so the information provided is corroborated by other authoritative and named sources. That is not the case here. All of the named quotes in the article are speaking in general terms, adding background if you will, and are not speaking directly to this event.

Pipeline and cyber attacks have a long history in and of themselves that goes back at least as far as 1982 when the CIA convinced a Canadian company to deliberately put flaws into pipeline control software that was then sold to the Soviet Union. This reportedly led to a massive explosion along the pipeline in June of that year. This story also has its detractors, some saying the explosion was caused by poor construction and others saying it was flawed turbines and not flawed software that caused the Siberian explosion.

There was also a confidential report released by DHS in early 2013 claiming that key personnel in 23 different gas pipeline companies had been targeted by Chinese hackers with spear phishing attacks. And lets not forget the plot of the movie DieHard 4 where the evil hacker bad guy is able to redirect all the natural gas in the pipelines to converge on a power station causing a massive Die Hardesque explosion.

One really has to ask themselves why would anyone go to such great lengths to disrupt a pipeline when a simple misplaced cigarette butt can cause a massive explosion like what happened in Kenya in 2011 killing over 100 people. Stuxnet is thought to have required numerous teams of coders working for several months to create the software to disable the centrifuges at Natanz, a task that arguably could be accomplished in no other way. There are a lot more efficient ways to blow up a pipeline than to expend months of effort and untold dollars to accomplish what a small team and some explosives could do just as well if not even more efficiently.

So was the explosion along the Baku-Tbilisi-Ceyhan (BTC) pipeline an early act of cyberwar potentially setting back the clock on the earliest known cyber operation of this size? Sure, its possible, but without additional facts from someone other than an ‘unnamed source familiar with the incident who asked not to be identified” I will have my doubts. Until those facts are presented I’ll go back to reading my Microsoft Patch Tuesday reports.

UPDATE 2015.02.16
I was just sent this link
https://cablegatesearch.wikileaks.org/cable.php?id=08BAKU790
which indicates that physical security of the pipeline would be difficult if not impossible and it further supports that PKK was the primary suspect for the explosion via conventional means. The cable makes no mention of a cyber attack of any kind.

UPDATE 2015.06.19
An internal report now states that “A cyber attack would not have been possible in the described way”, The report goes on to say that the valve stations which were allegedly tampered with, were not connected to a network that could be remotely accessed anyway. Here is the original turkish article.

Additional Reading
Looks like I wasn’t the only one with a problem with this article.
Cyberwar revisionism: 2008 BTC pipeline explosion

This entry was posted in Commentary, Current Events, Media Hype by Space Rogue. Bookmark the permalink.

About Space Rogue

Space Rogue is widely sought after by journalists and industry analysts for his unique views and perceptions of the information security industry. He has been called to testify before the Senate Committee on Governmental Affairs and has been quoted in numerous magazine and newspaper articles as well as appeared on such TV shows as News Hour with Jim Lehrer, CNN Nightly News, ABC News Online with Sam Donaldson, and others. A recognized name within the industry, Space Rogue has written articles that are often quoted or refered to by other major media outlets. He has spoken before numerous audiances including the Digital Messageing Association, Defcon, Pumpcon, HOPE, H2K, and others. As a former member of L0pht Heavy Industries, Space Rogue ran the widely popular Hacker News Network which quickly became a major resource on the Internet for daily information security news. Before HNN he ran the The Whacked Mac Archives, which at the time, was the largest and the most popular Macintosh security site on the net. Currently Space Rogue does consulting for various companies.