
Saudi Arabia cyber attack goal was chemical plant explosion; experts fear retry - mfrw
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html
======
tomdale
It’s strange this article effectively pins the attack on Iran, but doesn’t
mention Stuxnet/Olympic Games, a malware attack on Iran that destroyed nearly
1,000 of their centrifuges[1].

1: [https://www.washingtonpost.com/world/national-security/stuxn...](https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html?utm_term=.517d10e8bc25)

~~~
achileas
I don't think an article about one thing not talking about another thing is
really that strange.

~~~
DennisP
The article didn't just talk about the Saudi attack. It gave an overview of
the history of similar attacks. Stuxnet was arguably the most significant of
those, and it's especially relevant since they're blaming Iran for this
attack.

~~~
orbat
They're not reporting on it, because it was done by the Good People™. They try
to paint this activity as something that only Bad People™ do.

------
LifeLiverTransp
I wonder how often such "mistakes" are actually some state hacker, bound to
secrecy, doing the ethical thing.

So here is to the nameless, rotting in some oubliette, making mistakes so
others can return to their families at night, a secret brotherhood of servants
to ruthless masters.

Cheers.

~~~
archgoon
For clarity, the mistake LifeLiverTransp is referring to is:

> The only thing that prevented an explosion was a mistake in the attackers’
> computer code, the investigators said.

~~~
larkeith
Slightly more detailed:

> The only thing that prevented significant damage was a bug in the attackers’
> computer code that inadvertently shut down the plant’s production systems.

------
rsync
Chemical plants (and other such facilities) should not be Internet connected.
The equipment and tools should not even have a network stack.

Workers in such a facility should not have their general purpose phones and
computers with them.

This is not a panacea - there are conceivable attack vectors for non networked
equipment - but it raises the bar significantly and should be _the bare
minimum_ of acceptability for designing and running these plants.

~~~
liotier
> Chemical plants (and other such facilities) should not be Internet connected

Ok.

> The equipment and tools should not even have a network stack

How do you imagine sensors and actuators will be operated instead? People
running about everywhere with handheld radios, reading gauges and turning
valves?

I know a guy who develops simulators for refinery operation. He explained to
me how each refinery is a unique setup, cold-starting one takes a couple of
days of non-stop valve twiddling with eyes on gauges and has plenty of ways to
end in a fiery inferno if you do it wrong. Computerized control systems are
not optional.

~~~
raverbashing
You don't need TCP/IP for that

~~~
liotier
Sure, you can do it with a couple of analog electrical wires running from each
valve and gauge to a central computer... You still have a computer and
software (and a thick cable routing mess) and you only took some network
protocol out of the attack surface (and you still need one to connect the
workstations...)

~~~
raverbashing
You don't need to control everything centrally, you can compartmentalize your
control (and also enforce limits)

Don't bring thermal overrun detection to the central computer and have it
shut down a burner. Do this locally.

~~~
liotier
I found the name for that concept:
[https://en.wikipedia.org/wiki/Subsumption_architecture](https://en.wikipedia.org/wiki/Subsumption_architecture)
\- subsumption architecture puts some of the intelligence in the lower-level
systems. While the higher-level controls can tell the lower-level systems what
they want, they can't make them do things that the lower system determines are
dangerous.
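
A small illustration of the local-interlock idea raverbashing and liotier are describing, added here as an example and not taken from the thread or from any real plant's control code. A `BurnerInterlock` class stands in for a local safety controller sitting next to one burner's thermocouple and fuel valve: it clamps whatever setpoint the supervisory computer asks for, trips the burner itself on a thermal overrun without waiting for the central system, and refuses to be reset over the network. The limits (850 °C setpoint cap, 900 °C trip), the proportional gain and the temperature trace are made up for the demonstration; a real safety instrumented system does this in dedicated hardware, not Python.

```python
"""Local safety interlock that the supervisory computer can ask, but not override.

Added example for the discussion above; values and names are illustrative,
not taken from any real plant or controller product.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    RUNNING = "running"
    TRIPPED = "tripped"


@dataclass
class BurnerInterlock:
    """Local controller for one burner.

    Hard limits live here, next to the sensor and the fuel valve, rather than
    in the plant-wide supervisory computer. Anything the supervisor requests is
    clamped, and a thermal overrun trips the burner locally.
    """
    max_setpoint_c: float = 850.0   # highest setpoint the supervisor may request (assumed)
    trip_temp_c: float = 900.0      # measured temperature that forces a trip (assumed)
    gain: float = 0.5               # crude proportional gain, valve % per degree of error
    setpoint_c: float = 0.0
    fuel_valve_pct: float = 0.0
    state: State = State.RUNNING
    log: list = field(default_factory=list)

    def request_setpoint(self, requested_c: float) -> float:
        """Supervisor asks for a setpoint; the local limit always wins."""
        if self.state is State.TRIPPED:
            self.log.append(f"ignored setpoint {requested_c} while tripped")
            return self.setpoint_c
        accepted = min(max(requested_c, 0.0), self.max_setpoint_c)
        if accepted != requested_c:
            self.log.append(f"clamped setpoint {requested_c} -> {accepted}")
        self.setpoint_c = accepted
        return accepted

    def on_temperature(self, measured_c: float) -> None:
        """Runs every scan cycle on the local device, independent of the network."""
        if self.state is State.TRIPPED:
            self.fuel_valve_pct = 0.0        # stay safe until a local reset
            return
        if measured_c >= self.trip_temp_c:
            self.trip(f"thermal overrun {measured_c} >= {self.trip_temp_c}")
            return
        error = self.setpoint_c - measured_c
        self.fuel_valve_pct = min(max(error * self.gain, 0.0), 100.0)

    def trip(self, reason: str) -> None:
        """Close the fuel valve and latch the trip."""
        self.state = State.TRIPPED
        self.fuel_valve_pct = 0.0
        self.log.append(f"TRIP: {reason}")

    def remote_reset(self) -> bool:
        """Supervisor tries to clear the trip over the network: refused."""
        self.log.append("refused remote reset")
        return False

    def local_reset(self) -> None:
        """Only a physical action at the unit clears the latch."""
        self.state = State.RUNNING
        self.log.append("local reset")


def run_scenario() -> BurnerInterlock:
    """A compromised or buggy supervisor pushes for an unsafe setpoint.

    The temperature trace is constructed: the burner heats toward the clamped
    setpoint, then a fault drives it past the trip limit.
    """
    burner = BurnerInterlock()
    burner.request_setpoint(1200.0)          # far over the cap; clamped to 850
    for measured in (700.0, 780.0, 840.0, 870.0, 905.0, 930.0):
        burner.on_temperature(measured)      # trips at 905, valve shut from then on
    burner.remote_reset()                    # supervisor cannot clear the trip
    burner.request_setpoint(850.0)           # and is ignored while tripped
    return burner


if __name__ == "__main__":
    result = run_scenario()
    for entry in result.log:
        print(entry)
    print(result.state.value, "valve", result.fuel_valve_pct)
```

Run it as a script to see the event log. The design point is that the supervisory controller, whether compromised or merely buggy, can only ever ask; the device next to the burner decides, and a latched trip can only be cleared by someone standing at the unit.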

------
sharpercoder
In Zero Days [0], people express concern that US cyber attacks in Iran cause
counterattacks, while US infrastructure is not yet ready to defend against
these attacks. Furthermore, it is concluded that the Iranian cyber army has
been greatly expanded and funded since Stuxnet; the government wanted the
ability to defend against a similar attack in the future.

[0]: [http://www.imdb.com/title/tt5446858/](http://www.imdb.com/title/tt5446858/)

------
berdon
Likely a strange coincidence but there were just explosions at a DFW Chemical
Plant.

[https://www.nbcdfw.com/news/local/Large-Fire-at-Fertilizer-F...](https://www.nbcdfw.com/news/local/Large-Fire-at-Fertilizer-Facility-in-Cresson-476963713.html)

------
allthenews
Why isn't it SOP to isolate safety critical components from the web?

Is this just incompetence/cost savings, or is there some other legitimate
reason for building this vulnerability into so much of our global
infrastructure?

------
adultSwim
Hmm. Maybe Stuxnet wasn't the best precedent to set...

~~~
Nomentatus
I sometimes think the lads at the three letter agencies were under the
impression that only people with exactly their skin color would ever be able
to code competently. Their long, insistent drive to make certain computers are
unsafe when manufactured (always vulnerable) suggests this.

------
salimmadjd
There is some shoddy journalism here:

 _“If attackers developed a technique against Schneider equipment in Saudi
Arabia, they could very well deploy the same technique here in the United
States,” said James A. Lewis, a cybersecurity expert at the Center for
Strategic and International Studies, a Washington think tank._

Yet the NY Times forgets to cite their own article that shows the United Arab
Emirates, which is politically tied to Saudi Arabia, was one of the largest
donors to the Center for Strategic and International Studies [0], as well as
CSIS's own listing [1].

 _All of the investigators believe the attack was most likely intended to
cause an explosion that would have killed people_

Times does not list which investigators they have spoken to directly.

and again, which intelligence analysts?

 _What worries investigators and intelligence analysts_

 _Two weeks later, the same attackers hit other Saudi targets with the same
computer virus. On Jan. 23, 2017, they struck again_

How did they establish it was the same attackers?

The article then talks about the Shamoon attack attributed to Iran with links
and attribution to an earlier article by one of the writers and then in it
says,

 _The attack in August was not a Shamoon attack. It was much more dangerous._

If it was not a Shamoon attack, then why mention that? Or why not just say
that past attacks were attributed to Iran?

Once again, _Investigators believe a nation-state was responsible because
there was no obvious profit motive_. The Times does not indicate which
"investigators" believe that.

Also, it seems like more and more "journalism" is relying on "believe" rather
than evidence and facts.

Then once again, _Cybersecurity experts said Iran, China, Russia, the United
States and Israel had the technical sophistication to launch such attacks_

No quote or attribution to which expert or their level of experience.

The article ends horribly with, _Tasnee said in an email that it had hired
experts from Symantec and IBM to study the attack against it_

"Study the attack", which means the experts have not had a chance to review
the evidence, nor has the Times spoken directly to these hired experts to get
their answers. But they wrote a whole article with their own conclusions.

[0] [https://mobile.nytimes.com/2014/09/07/us/politics/foreign-po...](https://mobile.nytimes.com/2014/09/07/us/politics/foreign-powers-buy-influence-at-think-tanks.html)

[1] [https://www.csis.org/support-csis/our-donors/government-dono...](https://www.csis.org/support-csis/our-donors/government-donors)

~~~
uhnuhnuhn
"Times does not list which investigators they have spoken to directly."

"Times does not indicate which "investigators" believes that."

Not disclosing your sources is journalism 101. You will have to choose to
trust or mistrust the professional integrity of NYT journalists and editors.
Integrity is the NYT's main selling point, so make of that what you will.

------
crb002
Why Iran and not Israel?

~~~
wolf550e
Because Israel and Saudi Arabia are allies.

~~~
justaman
"allies"

------
dzdt
Non-clickbait headline suggestion: "Saudi Arabia cyber attack goal was
chemical plant explosion; experts fear retry"

(Edit: meet length requirement)

~~~
tzs
How is the original headline, "A Cyberattack in Saudi Arabia Had a Deadly
Goal. Experts Fear Another Try", clickbait?

According to the article, investigators believe the explosion would have
killed people, and it notes that fatalities are a common outcome of chemical
plant explosions.

Most cyber attacks just inconvenience people, or cost a little bit of money.
If they can kill, it is a tertiary or more remote effect.

That this one was trying to do something that had it succeeded would have very
directly and immediately led to deaths is what makes it interesting to a wider
audience.

~~~
dzdt
The clickbait aspect is the teaser "had a deadly goal" which is designed to
make you wonder "what was the deadly goal?"

It's the same form as "You won't believe number 9!" in a clickbait top 20
list. It is phrased in a way to make you wonder "what is item 9?"

There is a combination of emotional content and purposeful, unnecessary
ambiguity.

------
sandworm101
>>> Within minutes of the attack at Tasnee, the hard drives inside the
company’s computers were destroyed and their data wiped clean, replaced with
an image of Alan Kurdi, the small Syrian child who drowned off the coast of
Turkey during his family’s attempt to flee that country’s civil war.

Attacks meant to do physical harm or shut down systems do not resort to 1990s
trickery like copying an image billions of times. This is industrial vandalism
and, even if a danger exists, should not be described as an attempt to murder
people. Such damage, such unwanted activity within an information system, can
happen without any ill intent by anyone. Therefore those designing large
systems need to incorporate such failures into their plans. The failure of
multiple drives due to some runaway process should never be capable of causing
an explosion.

~~~
jack6e
It sounds like you are confusing the multiple attacks described in the
article. The most recent attack in August 2017, the primary focus of the
article, was indeed intended to manipulate controls and cause an explosion.
The January 2017 attack, part of a string of them, is what you are describing.
That one was not suspected of intending physical destruction but, "to inflict
lasting damage on the petrochemical companies and send a political message."

~~~
sandworm101
The article is the one muddling the various attacks. It gives the impression
of a campaign of multiple attempts at murder, when in fact we have a plurality
of attack intents, evidence imho of very different attackers.

~~~
konceptz
Or one attacker with (intentionally) multiple intents.

