It’s strange this article effectively pins the attack on Iran, but doesn’t mention Stuxnet/Olympic Games, a malware attack on Iran that destroyed nearly 1,000 of their centrifuges[1].
The article didn't just talk about the Saudi attack. It gave an overview of the history of similar attacks. Stuxnet was arguably the most significant of those, and it's especially relevant since they're blaming Iran for this attack.
Personally, I don't want Iran to develop its nuclear progam; however, there are legitimate concerns that such cyber attacks set precedent, or even could expose security flaws, that might instigate retaliatory attacks towards the US and its allies.
I came to the comments to see if anyone else was bothered by this glaring omission. The lede is that this cyber attack didn't just delete files, it caused real world physical damage.
> The attack was a dangerous escalation in international cyberwarfare, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage.
Can you reasonably call this an "escalation" after Stuxnet? Maybe? But not even mentioning Stuxnet? At best, that seems like poor reporting.
I think there is an important distinction here. See:
> It was meant to sabotage the firm’s operations and trigger an explosion.
This seems quite different than Stuxnet, which was very carefully created for a specific purpose of damaging centrifuges at an Iranian nuclear enrichment facility in a very quiet manner, not causing explosions.
It's strange because one is seen as a retaliation and the other as preemptive aggression.
Retaliation is more tolerable than preemptive aggression to many people.
It's very important in this context, because the article goes out of its way to try to point the finger to Iran, but it fails to establish the context. That it was not only attacked on its Nuclear facilities, but also had cyberattack on its oil facilities via the "Flame" malware [0]
Which if this was an Iranian attack makes it a retaliation.
saudi is a longtime ally to the us, each offering material support to ther other in conflicts that have involved iran, it's allies or it's interests.
it also seems unlikely to me that saudi intelligence and other forms of support were not utilized in the planning, development and deployment of stuxnet (among other things).
What about UK? NZ? Kurds? US has many allies, but that doesn’t mean they’re involved in stuxnet. In fact, operationally you’re more likely to fail or leak the more hands you have in the pie. Saudis aren’t known for their technological prowess as much as Israel, so none of this makes sense to me.
there's more than the context of merely being an ally, it's being a "close" ally in the region; one with a history of direct and indirect conflict.
nobody knows if saudi was involved, and i'm not saying they definitely were, but it seems rather unlikely that there was no assistance at least with regard to intelligence and other ancillary-ish things.
even so, the notion of "retaliation" in the scope of clandestine conflict and power struggle is very nebulous, as geopolitics has many layers. if nothing else, saudi is almost certainly a much more ideal target of opportunity than the US due to it's being a nearby direct competitor for regional influence. and even if saudi really had zero involvement with stuxnet (seems unlikely to me), they've definitely had allied involvement with other activities that worked against iran or it's interests.
So that’s a lot of hypothesizing going on with no evidence. But all of this begs the question, why is it strange that stuxnet wasn’t mentioned in the article? Still seems to me you haven’t answered that. If you want to extend into hypothetical land, then all kinds of attacks on industrial controls and breakins should be mentioned. But they’re not, because the article is more focused on the individual event.
The article was already long enough as-is (I think it ran in the print edition, too). The fact that we know Israel did something similar to Iran's centrifuges is a bit far afield, since they have no apparent beef with Saudi chemical refineries.
With several countries probably able and willing to kill people with cyber-attacks, it's probably not long before an attack succeeds, blurring the distinction between cyber and "real" war.
> The article was already long enough as-is (I think it ran in the print edition, too). The fact that we know Israel did something similar to Iran's centrifuges is a bit far afield, since they have no apparent beef with Saudi chemical refineries.
From the Iranian perspective, it might be easy for them to group the USA with Israel and Saudi Arabia as quasi-enemies and not have a cared-for distinction. Especially since policies and actions by all 3 countries have been, at best, not aligned with Iranian interests and - at worst - belligerent to Iran. I really would disagree that the Stuxnet incident is irrelevant if Iran is indeed responsible.
I wonder how often such "mistakes" are actual some state-bound to secrecy hacker doing the ethical thing.
So here is to the nameless, rotting in some oubliette, making mistakes, so others can return to theire familys at night, a secret brotherhood of servants to ruthless masters.
> The only thing that prevented significant damage was a bug in the attackers’ computer code that inadvertently shut down the plant’s production systems.
Worthy thought, Germany suffered a lot of this in WWII, with Russians finding dud bombs disabled at the factory that included notes like: "Cheers comrades! This dud is a gift from now-disbanded Mechanics Union 456 of Stuttgardt!"
That's great. Do you have a source where I can read more on this? Googling has only turned up information on sabotage by forced (Polish, Jewish, etc.) labor at munitions factories, which is interesting in its own right, but not from begrudged ex-union workers from Germany.
A biography of a WWII Russian fighter pilot, was the source for the cited instance, as I recall.
Red Star Airacobra: Memoirs of a Soviet Fighter Ace 1941-45: v. 2 Evgeniy Mariinskiy
Kindle book.
Of course, there are many more: the brief resistance on D-Day from many non-German troops counts, the betrayal to the British embassy of Germany's rocket program, the Garbo mission (main agent betrayed program), Canaris maybe betraying Hitler from the start, Heisenberg's "miscalculation" and slowness that killed the Germany Atomic Bomb program (along with his offer of mutual sabotage to Bohr), etc.
Probably not many. The most recent SO developer survey said only 20% of respondents thought responsibility for unethical code fell on developers, compared to 80% thinking designers/managers should be responsible.
That's globally. I imagine the sense of responsibility decreases in ethically-gray areas like nation-state warfare against adversaries, and among developers working in strongly hierarchical, military(-esque) environments, for autocratic regimes focused on destroying national/ethnic/religious enemies (as this appears to have been done by).
I had the same thought; but then I read about $500 million in charitable relief to Haiti disappearing, or Harvard faculty lying to the public about the health and safety of lead or sugar because they received some bribe, and I don't know what to think.
Yea. But sometimes it just seems so shocking that some people who could act with such humanitarian goals share this world with others who just don't care.
Chemical plants (and other such facilities) should not be Internet connected. The equipment and tools should not even have a network stack.
Workers in such a facility should not have their general purpose phones and computers with them.
This is not a panacea - there are conceivable attack vectors for non networked equipment - but it raises the bar significantly and should be the bare minimum of acceptability for designing and running these plants.
> Chemical plants (and other such facilities) should not be Internet connected
Ok.
> The equipment and tools should not even have a network stack
How do you imagine sensors and actuators will be operated instead ? People running about everywhere with handheld radios, reading gauges and turning valves ?
I know a guy who develops simulators for refinery operation. He explained to me how each refinery is a unique setup, cold-starting one takes a couple of days of non-stop valve twiddling with eyes on gauges and has plenty of ways to end in a fiery inferno if you do it wrong. Computerized control systems are not optional.
Sure, you can do it with a couple of analog electrical wires running from each valve and gauge to a central computer... You still have a computer and software (and a thick cable routing mess) and you only took some network protocol out of the attack surface (and you still need one to connect the workstations...)
I found the name for that concept: https://en.wikipedia.org/wiki/Subsumption_architecture - subsumption architecture puts some of the intelligence in the lower level systems. While the higher level controls can tell the lower level systems what it wants, it can't do things that the lower system determines is dangerous.
A computer reading a bunch of serial lines can be a lot safer than one communicating with a bunch of nodes via TCP/IP. For starters, you're talking about a massive reduction in the amount of code needed.
I don't believe so: if that computer is reading a bunch of serial lines forgets to check the bounds of it's own buffer - then Houston's got a problem. That's all it takes.
At least we've got a set of verified, battle-tested, multi-platform TCP/IP stacks. More importantly, they have been built with generalisation in mind, meaning that a single implementation would encapsulate all of the use-cases.
But instead we've got those half-baked implementations of "oh my god, it takes me only a few hours to establish a radio link" protocols just increasing the attack surface.
You're speaking of a semi-technical solution to a problem that is directly caused by the race to the bottom in the manufacturing industry (they probably have installed that equipment a few decades ago, just before they fired the last of the employees).
> I don't believe so: if that computer is reading a bunch of serial lines forgets to check the bounds of it's own buffer - then Houston's got a problem. That's all it takes.
That's not even an argument. You can put a buffer overflow in anything. The key thing is this: the larger your code is, the more likely you are to have one. Using serial lines isn't going to make your code larger if you're just taking sensor readings or something. Far from it.
> At least we've got a set of verified, battle-tested, multi-platform TCP/IP stacks.
Think about this in terms of Linux or any other Unix or bigger RTOS, if that's most straightforward: in the kernel, there's much, much less code needed to make a UART appear as a device node than there is to make an entire TCP/IP stack and network PHY work. In the kernel it's all "battle-tested" code, none of it more so than the UART drivers. In terms of software quality, relying on the serial port and not using the TCP/IP stack means you're exposed to fewer potential errors simply because there's much, much less code being used.
(edit: the same basic idea applies if you're talking about something more sophisticated than a UART, like a CAN bus, which is still way less code than a TCP/IP stack)
> But instead we've got those half-baked implementations of "oh my god, it takes me only a few hours to establish a radio link" protocols just increasing the attack surface.
In terms of system engineering, you're exposed to fewer potential attack vectors if someone needs to plug into your system via a serial line versus accessing the system from anywhere you're connected to using the highly fragile resource of TCP/IP routing, but even connecting via a short-range radio link need not be much more complicated than that. Use a radio modem that connects via serial if you're using a real computer. Similarly, if it's a tiny embedded thing the radio is probably exposed via a serial interface.
Adding TCP/IP just adds code and attack vectors. That's fine if you truly need it...
> Chemical plants (and other such facilities) should not be Internet connected
That merely hardens the target, but does not protect it. Stuxnet was delivered via USB to an Iran nuclear facility and had the exact same intent of triggering physical damage, which it apparently did successfully.
A decade ago, disconnecting from the Internet would have been considered security, but things have progresses and security needs to as well.
"Stuxnet was delivered via USB to an Iran nuclear facility and had the exact same intent of triggering physical damage, which it apparently did successfully."
In my admonition against networked, general purpose computers, I purposely neglected to also mention that the plant engineers should not shoot themselves in the face, with an actual gun, upon starting their work shift.
I neglected to mention this in the same way that I neglected to mention that you should not have a PC running Windows anywhere near your critical infrastructure.
The failures that allowed stuxnet to occur were NOT "casualties on the battlefield of modern cyber warfare" - they were the clownish actions of idiots who got owned by autorun.inf[1] (among other things).
The only way true isolation will emerge, is by regulatory mandate of a purpose defined hardware implementation, with a separate protocol, different datagrams (instead of TCP/IP/UDP packets) and independent land line plants, undersea cables, satellites and more.
Otherwise, you'll always have some goon plugging in a wi-fi router, rigging it to a sat phone with a modem, all just to play quake with their friends, while they idle on some crane barge, or wherever their stuck, bored on some hurry-up-and-wait project plan.
Even then, you'll still have wonder about silicon bugs, or tempest and row-hammer style attacks, for anything software ever touches, when a given industry fails to identify such threats themselves.
>purpose defined hardware implementation, with a separate protocol, different datagrams (instead of TCP/IP/UDP packets) and independent land line plants, undersea cables, satellites and more.
If you come up with a different network, then the attackers will just switch to that network.
Remember, the internet used to be lots of different networks. I'm old enough to remember bang paths, BITNET, and e-mail taking a week or more to make it across the Atlantic. Even back then, there were vulnerabilities, and even cross-network vulnerabilities.
And a private satellite is a terrible idea for "security." In a previous life I used to have to operate a satellite uplink, and I can tell you that replacing a transponder's intended content with your rogue content is really quite easy if you just put your mind to it. (It's happened before.)
Yes, that's the idea. Force specialization in the attack sphere, reduce the attacker population with prerequisite knowledge as an entry barrier, simultaneously shrinking the targetable hosts.
Yes, I get that electronic signaling is electronic signaling, and none of it is actually different, at the transmission layer. It's just more DSP and more fast fourier transforms under the hood.
Yes, technical barriers can be eroded with adapters and facades, but it's an added cost to attack, and reduces detective work in that you have to know someone to jump the learning curve and enter the attack envelope. That means detective work can happen within a smaller social graph, and that alone becomes a deterent from sharing information, because everything becomes need-to-know, and insider awareness is a give away for inside jobs.
It's also easier to stamp out, and ostracize insiders, if they have loose lips or have a tendency to lend and give away the car keys.
Not everything needs to be as cheesy as Encryption DRM for optical movie disks and video games. For critical infrastructure safety is important enough to warrant independent military-grade safe guards.
Do military protocols fail? Yes, we have the enigma machines sitting in enough museums to prove it.
This in not an XKCD "too many standards can be solved with one more standard" concept. Isolation and specialization can be effective defense concepts.
"Isolation and specialization can be effective defense concepts."
Thank you - appreciated.
Many people (unwittingly ?) argue against defense-in-depth because they look at individual layers of the defense and declare them inadequate. They are always correct.
What they are missing is that nobody ever proposed only using (port knocking, or stack obfuscation, or fake login banners, or whatever). They are always additive layers of security on top of the existing set of best practices.
In books, probably. But this was before the web, so I don't know if there are any authoritative web sites about it. You might check the old late 1970's and early 1980's computer magazines on archive.org.
A large part of the delay is that messages were transmitted in a store-and-forward scheme (often via uucp). And most machines didn't send messages more than once a day because connectivity was expensive and measured in dollars per minute. And when they did connect to the next machine, it was usually not a very long hop. Sometimes one part of a campus to another. Or to a computer in the next town.
I really don't know exactly how the messages crossed oceans. Satellite transmission would have been unthinkable. My guess is that eventually they hit some big east coast computing center like MIT or BBN and went via undersea cable, but that's speculation.
I ran a node of one of the pre-intenet networks. Like most of the other nodes, it was connected via 150 or 300 baud dialup modem. Later there were a few 1200's, but they were rare.
My node was important because it was oddly located so that it could span two states and two area codes without incurring toll charges. That made it very busy, so the early morning (2am) message transfer sometimes took a couple of hours.
I tried to write a couple of articles about the old American dialup networks on Wikipedia once, but someone in another country deleted them saying they didn't exist because he'd never heard of it and if there was no web site to link to as reference it didn't happen. I stopped contributing to Wikipedia after that.
UUCP links over 1200 baud modems, connecting only at night
for cheap rates, but stymied by busy signals, down hosts,
deep queues of other data, stalled daemons, out-of-date
routing tables. Trans-oceanic links had high costs and
limited available bandwidth, and priority queueing could
impose quite a delay.
In Zero Days [0], people exert concern that US cyber attacks in Iran causes counter attacks, while the US infrastructure is not yet ready to defend these attacks. Furthermore, it is concluded that the Iranian cyber army is greatly expanded and funded since Stuxnet; the government wanted the ability to defend against similar attack in the future.
Why isn't it SOP to isolate safety critical components from the web?
Is this just incompetence/cost savings, or is there some other legitimate reason for building this vulnerability into so much of our global infrastructure?
I sometimes think the lads at the three letter agencies were under the impression that only people with exactly their skin color would ever be able to code competently. Their long, insistent drive to make certain computers are unsafe when manufactured (always vulnerable) suggests this.
“If attackers developed a technique against Schneider equipment in Saudi Arabia, they could very well deploy the same technique here in the United States,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank.
Yet the NY Times forgets to cite their own article that shows Unite Arab Emirates, who is politically tied to Saudi Arabia was one of the largest donors to Center for Strategic and International Studies [0] as well as CSIS own listing [1]
All of the investigators believe the attack was most likely intended to cause an explosion that would have killed people
Times does not list which investigators they have spoken to directly.
and again, which intelligence analysts?
What worries investigators and intelligence analysts
Two weeks later, the same attackers hit other Saudi targets with the same computer virus. On Jan. 23, 2017, they struck again
How did they establish it was the same attackers?
The article then talks about the Shamoon attack attributed to Iran with links and attribution to an earlier article by one of the writers and then in it says,
The attack in August was not a Shamoon attack. It was much more dangerous.
If it was not a Shamoon attack, then why mention that. Or why not just say, past attacks were attributed to Iran.
Once again, Investigators believe a nation-state was responsible because there was no obvious profit motive Times does not indicate which "investigators" believes that.
Also, it seems like more and more "journalism" is relying on "believe" rather than evidence and facts.
Then once again, Cybersecurity experts said Iran, China, Russia the United States and Israel had the technical sophistication to launch such attacks
No quote or attribution to which expert or their level of experience.
The article ends horribly with,
Tasnee said in an email that it had hired experts from Symantec and IBM to study the attack against it
"Study the attack", Which means the experts have not had a chance to review the evidence nor Times had spoken directly to these hired experts to get their answers. But they wrote a whole article with their own conclusions.
"Times does not list which investigators they have spoken to directly."
"Times does not indicate which "investigators" believes that."
Not disclosing your sources is journalism 101. You will have to choose to trust or mistrust the professional integrity of NYT journalists and editors. Integrity is the NYT's main selling point, so make of that what you will.
Looks like they are in good hands then. The guys behind Norton Anti-virus and those excellent SSL certificates are definitely going to get to the bottom of this.
How is the original headline, "A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try", clickbait?
According to the article, investigators believe the explosion would have killed people, and notes that fatalities are a common outcome of chemical plant explosions.
Most cyber attacks just inconvenience people, or cost a little bit of money. If they can kill, it is a tertiary or more remote effect.
That this one was trying to do something that had it succeeded would have very directly and immediately led to deaths is what makes it interesting to a wider audience.
When you talk about deaths because of a cyber attack I think people also wonder what would the retaliation be from the nation state that was attacked? Would a cyber attack start a new real world war? Would more people die?
There is a reason the headline is written in this way. This is big news.
Is there a way to massage this into the HN submission guidelines? Basically any headline from NY Times, Washington Post, Business Insider, Forbes, The Atlantic, or its offshoot QZ is styled in this way.
>>> Within minutes of the attack at Tasnee, the hard drives inside the company’s computers were destroyed and their data wiped clean, replaced with an image of Alan Kurdi, the small Syrian child who drowned off the coast of Turkey during his family’s attempt to flee that country’s civil war.
Attacks meant to do physical harm or shutdown systems do not resort to 1990s trickery like copying an image billions of times. This is industrial vandalism and, even if a danger exists, should not be described as an attempt to murder people. Such damage, such unwanted activity within an information system, can happen without any ill intent by anyone. Therefore those designing large systems need to incorporate such failures into their plans. The failure of multiple drives due to some runaway process should never be capable of causing an explosion.
It sounds like you are confusing the multiple attacks described in the article. The most recent attack in August 2017, the primary focus of the article, was indeed intended to manipulate controls and cause an explosion. The January 2017 attack, part of a string of them, is what you are describing. That one was not suspected of intending physical destruction but, "to inflict lasting damage on the petrochemical companies and send a political message."
The article is the one muddling the various attacks. It gives the impression of campaign of multiple attempts at murder, when in fact we have a plurality of attack intents, evidence imho of very different attackers.
The image proves it's not industrial espionage only if you're playing a very shallow game. I expect that anything that muddies the waters helps the attackers. Attackers are quite familiar with forensic and analysis techniques, and you'd have to be a pretty naive attacker not to include red herrings and intentional pointers to shift the focus to someone else.
The family was already living in Turkey, so they were not fleeing "that country's civil war". The family were economic migrants seeking to enter Europe.
1: https://www.washingtonpost.com/world/national-security/stuxn...