dearJulius.com

Hack of Saudi Petrochemical Plant Was Coordinated From Russian Institute

A major cybersecurity firm identified a government-run technical research institute in Moscow as the culprit, but left unanswered why Russians would target the plant.

© Christophe Viseux for The New York Times. The cyberattack on a Saudi petrochemical plant was the first known attempt to manipulate an emergency-shutdown system, which is designed to avoid disaster and protect human lives.

By DAVID E. SANGER, The New York Times

A new study of the malicious computer code used in a botched attack on a Saudi petrochemical plant concludes that much of the effort was coordinated from inside a state-owned Russian scientific institute, one of the most direct links between official Russian hackers and a hostile intrusion on a major piece of infrastructure.

The report, issued by FireEye, a major cybersecurity company, identifies the Central Scientific Research Institute of Chemistry and Mechanics, a technical research institute in Moscow with ties to Russian governments reaching back before the 1917 Bolshevik revolution. But it leaves unanswered the question of why Moscow would target a Middle Eastern plant, even given Russia’s rivalry with Saudi Arabia in the petroleum marketplace.

FireEye did not identify the plant that was attacked, because of restrictions placed on it by the customer who sought the company’s help in recovering from the attack.

But The New York Times identified the facility in March as a Saudi plant, at a time that there was wide consensus that the attack must have been initiated by Iran, Saudi Arabia’s great rival for regional influence.

It still may have been that Iran was behind the attack — but the new research suggests that, if it was, Iran had a lot of Russian help, and that when the malware needed to be fine-tuned, the Russian institute provided the expertise.

The attack marked one of the scariest moments so far in cyberattacks on critical infrastructure. It was the first known attempt to manipulate an emergency-shutdown system, which is designed to avoid disaster and protect human lives.

But something went wrong with the attack, and it actually triggered a full shutdown of the plant, which appeared to be accidental as the malware was loaded into the plant’s computers. No industrial accident occurred.

Nonetheless, the incident has captivated the attention of experts, who concluded that had things gone according to plan, the next stage of the attack was likely intended to trigger an industrial accident. If that had happened, the shutdown system would have been disabled.

“We don’t know why this facility was targeted,” said John Hultquist, who oversaw the study at FireEye. “They may have just been testing things out, just experimenting.”

It was unclear why the Russians would have targeted a Saudi plant, other than the obvious fact that the two countries compete as oil and petrochemical producers.

“Sometimes it makes no geopolitical sense,” Mr. Hultquist said, noting that Russian and other hackers “operate all over the globe.”

The report did not assert that the Russians initiated the attack on the petrochemical facility, nor did it conclude who initiated the action. But it traced much of the code, and activity to maintain and rewrite elements of the malware, to the Russian institute in Moscow. The institute had not been seen before as a major player in the development of cyberweapons.

At a moment when there is acute attention to whether the Russian government is seeking to influence the 2018 midterm elections, the report is a reminder that the bulk of Russia’s cyberactivity has been in more traditional arenas: placing malware in facilities that are critical to keeping a nation’s infrastructure running. In March, the Trump administration accused the Russians of placing malware in American nuclear and conventional power plants, as well as water systems.

In the probing of the utility sector in the United States, the Russians were placing “implants,” or malware that could be activated at a later date. That is essentially what FireEye concluded was happening in the Saudi case, where the Russian institute was helping to update and improve the malware.

The Russian government has consistently denied that it is placing malware in foreign systems, and has often called for treaties or norms of behavior to govern cyberspace. But the United States has viewed Russia’s calls as a cynical way to attempt to limit American cyberactivity, while sending out surrogates to conduct operations on Russia’s behalf.
