Turkish Pipeline Attack – The Hour is Later Than You Think

The alleged attack on the Baku-Tbilisi-Ceyhan (BTC) pipeline has it all: geopolitical and ethnic conflict, potential nation state or terrorist involvement, environmental and economic disaster potential. Is is said to be comparable in destructive effect to Shamoon (which wrecked thousands of PCs on Saudi Aramco’s network) or Stuxnet (which struck hundreds of centrifuges in Iran) and like them, thankfully, caused no casualties. The odd thing about the BTC pipeline attack is that it occurred in 2008 but we’re only hearing about it now.


Source: Thomas Bloomberg, Wikimedia Commons

The BTC pipeline – almost all of which is buried underground and heavily protected due to simmering security issues all over the region its in – exploded near Refahiye causing a 30,000 barrel oil spill,  millions in cleanup costs for British Petroleum and partners, and over $1 Billion in revenue loss for the Government of Azerbaijan. 

Although Turkey’s Kurdish insurgent group – the PKK – claimed responsibility for the attack, security experts cited by a Bloomberg article (below) discount its involvement on the basis of the group’s minimal known cyber skills and other precedents at the time. Instead, the investigators point the finger north: At Russia.

Here’s how investigators from Turkey, the U.K., Azerbaijan and other countries say the attack went down:

  • Point of entry: Exploited surveillance cameras’ vulnerabilities to gain entry to the operational network.
  • Beachhead:  Compromised a Windows computer controlling the alarm-management network and planted malware. Also compromised industrial controllers at valve stations connected to the network.
  • Sabotage:  Manipulated oil pressure at valve stations, causing a spectacular explosion visible from a half mile away. At the time Turkish authorities reported a “fire” but investigations of the real cause began immediately.
  • Concealment: The attackers suppressed alarms and surveillance data from all connected cameras; however, two men with laptops were observed by a separate, non-network connected camera.

The Bloomberg article also states that: “The presence of the attackers at the site could mean the sabotage was a blended attack, using a combination of physical and digital techniques. The super-high pressure may have been enough on its own to create the explosion…Having performed extensive reconnaissance on the computer network, the infiltrators tampered with the units used to send alerts about malfunctions and leaks back to the control room. The back-up satellite signals failed, which suggested to the investigators that the attackers [also] used sophisticated jamming equipment.”

By working through distributed nodes on the network, perhaps leveraging physical access, the attackers were able to bypass the central control station where staff were on hand with security protection measures and monitoring capabilities that might have been harder to bypass or suppress. This “weakest distributed link” problem is characteristic of critical infrastructure defense. Until distributed infrastructure components are hardened to protect against attacks that take advantage of physical access and/or surreptitious connection points from within the operational network, it will be hard to ensure that similar attacks can’t succeed over and over again. 

 According to BLoomberg, “Three days after the BTC blast, Russia went to war with Georgia, and Georgian Prime Minister Nika Gilauri accused Russia of sending the jets to bomb the BTC near the city of Rustavi. The bombs missed their presumed target, some by only a few feet, and the pipeline remained undamaged. The keyboard was the better weapon.”

In light of Russia’s Crimean conquest and covert war in the Ukraine  its disturbing to hear rumors of reconnaissance and infiltration of U.S. critical infrastructure facilities cited in the same article that breaks the news of such a damaging and sophisticated attack as far back as 2008. The hour is later than you think. 

Related article: Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar Era


Subscribe to Blog Notifications...  HERE