As #OpPetrol looms, cyber-sec specialists stay calm
Campaign unlikely to extend beyond DDoS, website defacements, say experts
AnonGhost, a Middle East Anonymous affiliate, has pledged all-out cyber war against the global oil and gas industry on Friday 20 June in a now-annual campaign dubbed #OpPetrol.
AnonGhost declared on Pastebin its renewed determination to hit back at the petrochemical sector for what it considers unfair use of the dollar as a trading currency.
"Why isn't petrol sold [using] the currency of the country which exports it?" the group asked in its Pastebin post.
ITP.net noted yesterday that last year's #OpPetrol did result in some downed websites, but little in the way of disrupted production from targeted organisations. Regional cyber security specialists agreed that the impact of the campaign was unlikely to spread to critical infrastructure.
"Last year a number of websites were defaced (meaning content replaced on the website) and then a whole bunch of non-government and non-oil company-based websites were targets of OpPetrol," said Ravi Patil, technical director, MMEA, Trend Micro.
"Some data was leaked to Pastebin from some of the big oil companies, but it is still difficult to see exactly how much or the quality of the data that was leaked... #OpPetrol was not that successful in achieving what they wanted - generating electronic havoc for the oil economy. They did successfully receive a lot of attention [but]... Anonymous is not necessarily scary when it comes to sophistication of attacks, but simply [because of its] sheer scale."
"OpPetrol is indeed a recurring campaign from Anonymous," said Nicolai Solling, director, Technology Services, Help AG. "Last year there was a lot of focus on the same, however specifically in the UAE there was no major impact seen.
"Anonymous' mode of operation still centres around DDoS attacks, and customers need to focus on general robustness against these types of attacks. Another area that is also targeted is defacement of websites of the targeted organisations. So general vulnerabilities such as configuration of the server, patching software and assessing if the organisation has unknown vulnerabilities in its content management platforms would be wise. We also recommend looking at which information is revealed from the traffic coming from the customer's technical environment, thus avoiding revealing information on potentially vulnerable software."
Apart from the success of the Stuxnet worm, examples of malware doing physical harm to industrial equipment are unheard of. Even in the case of Saudi Aramco's experience with the Shamoon virus, while the company later admitted that the attackers had intended to halt oil production, the only result, dramatic though it might have been, was to take down 30,000 back-office workstations.
But while SCADA (supervisory control and data acquisition) system infiltrations are not unheard of, the vast majority do not result in real-world disruption.
But many regional commentators from the cyber security industry have warned that such scenarios are approaching and that, given Gulf economies' dependence on petrochemical revenues, the consequences of a C&C breach could be dire.
"Failure or security breaches of critical C&C or SCADA systems could result in wide-reaching adverse impacts, not only for the organisation, but for the community and economy at large that depends on their goods or services," said Patil. "For example, wide-scale blackouts due to a failure of the electricity grid or an environmental disaster such as an oil or sewage pipeline releasing its contents, plus any collateral impact. The financial impact on the oil market due to security breaches depends on the volume of the targeted companies and their capacity to feed the international oil market."
"Of course the control systems are the heart blood of any oil and gas company and a breach of those or manipulating the data in these networks can be devastating," said Solling. "Looking specifically at #OpPetrol, the control systems would not likely be in any danger as Anonymous focuses on Internet-based services. Needless to say, oil and gas companies need to understand the risk to their business when focusing on control networks and apply the correct mitigation actions."
Since Saudi Aramco and RasGas fell victim to cyber breaches, the regional tone in discussing cyber security has risen by several octaves. Anonymous, as a global movement, may be splintered and diminished since the halcyon days of HB Gary, Mastercard and PayPal, but the longing for the limelight can still be seen. When it comes to hacktivism, the will to hurt may drive a few modestly talented pranksters to seek new skillsets, or more skilled members.
To take but one example, Saudi Aramco supplies around one tenth of the world's oil. In the kingdom as a whole, oil accounts for more than 40% of GDP and 80% to 90% of total Saudi revenue. If digital graffiti artists find a way to evolve into real-world saboteurs, what defences can regional orgs bring to bear?
"All major companies in the oil sector have been more cautious and investing more on implementing best practices for IT security," Patil said. "Imposing strict data protection rules and protecting perimeters with state-of-the-art technologies have been seen on the rise. Creating IT security awareness among employees is also being [made a] priority by companies as security breaches that occur internally pose a much bigger threat than external targeted attacks."
"A lot has been done and one of the most important aspects is that IT security is now on the agenda of the CEOs of the company," said Solling. "That means more budget is linked to IT security... specifically around malware detection and mitigation."