Tuesday, April 24, 2012

Iranian oil industry under cyber-attack

From YNet:
The Iranian Oil Ministry has formed a crisis center to deal with the recent cyber attack on the country's oil export facilities, Ynet learned Tuesday.

Hamdollah Mohammad Nejad, head of the Oil Ministry's Passive Defense Office, said that the ministry's IT experts were working on the problem.

According to Iranian media, over 50 of Tehran's top technical experts have been ordered to report to the ministry and assist in the "cyber battle."

The cyber attack, which has been ongoing throughout April, peaked on Sunday, when it took down several key computer systems in the Oil Ministry and corrupted the data stored on them in its entirety.

A virus was first detected inside the control systems of Kharg Island, which handles the vast majority of Iran's crude oil exports.

An Oil Ministry official said that it was still unclear whether the origin of the attack was external or internal.

Some Iranian media outlets ventured that the ministry may choose to shut down all non-vital systems for the near future to protect the Islamic Republic's crude exports while the problem was being resolved.

Tehran's ISNA news agency identified the virus as "Viper," but stressed that it "hasn't impacted oil exports," as it did not affect the main servers in the ministry.

A ministry official told ISNA that "All of the information is secure – everything is backed up."

Dark Reading, a computer security news site, adds:
Security experts say it's too soon to draw any connections to this attack and Stuxnet or Duqu, for instance.

"Based on information currently available, it would be very premature to suggest that this was targeted against either Iran or systems utilized in oil pipeline/transportation operations -- and indeed make any kind of comparison to Stuxnet," says Tom Parker, chief technology officer at FusionX.

Initial reports indicate that it was the website of the oil ministry that was affected, and not control systems. "So [there is] no indication that it was targeted against oil production systems," Parker says.

I think that Parker's interview was based on the initial reports that only a web server was attacked. It is now sounding like it is a much larger issue. Malware would not jump from one website to another without a lot more things going on, either on the back end or by a concerted attack from the outside. But so far it does not sound like it is state-sponsored; more likely either an activist hacker or group, or a zero-day virus that got behind the firewalls of the oil companies and spread from there.

A state wouldn't attack web servers, because they are not strategically important.