Silent War: Is Stuxnet Attacking Russia?

Oil and gas facilities partnering with the Russian state are blowing up at a rate that seems more than coincidence; something Biden warned Putin about.

On July 2nd, a fresh wave of Russian ransomware from the REvil APT hit American internet provider Kaseya. It was a Saturday, the first day of the July 4th weekend. At a face-to-face summit the previous month, President Biden had warned Vladimir Putin that if he did not rein in his criminal hackers, there would be consequences:

“For example, when I talked about the pipeline that cyber hit for $5 million — that ransomware hit in the United States, I looked at him and I said, ‘Well, how would you feel if ransomware took on the pipelines from your oil fields?’ He said it would matter

- President Biden describes his conversation with Putin

I believe that a massive wave of Russia-linked oil and gas pipeline explosions, all of which appear precisely targeted against Russia’s strategic interests, makes it extremely likely that United States Cyber Command is making good on the President’s word.

Why would the United States simply not declare that it was using its cyber-nuke against Russia following the ransomware attacks? I explain in this piece on the British SAS linking with MI6 to punish Russia why Britain’s “avowal of covert action” represented a serious escalation in hostilities, so I won’t repeat it now. But, you might ask, if the United States does not wish to admit that Stuxnet is being deployed against the enemy (after all, it would prove Joe Biden doesn’t muck around), why are you out here reporting on it? A fair question, but the answer to that is simple, too. Justice must be done and be seen to be done. Attribution, even as a matter of probabilities, is not the role of our cyber warriors. It is the role of a free press.

It has been frustrating watching infosec journalists ignore what looks like an obvious case of Stuxnet deployment. On reflection, perhaps I understand the issue. I cannot, in fact, definitively attribute these attacks to Stuxnet, because I do not have a malware sample, such as Russian intelligence leaked in 2010. Rather, what follows is based on the nature of the targeting, the frequency and timing of the explosions, and the strategic consequences for Putin. If nobody else cares to note these “coincidences”, I am happy to do so.

A series of fires and explosions and other disasters at the Natanz plant strongly suggest reports of Stuxnet’s death in 2010 were greatly exaggerated.

Number of Explosions Linked to Russia Looks Artificial

The oil and gas explosions linked to Russia started on July 4th weekend, but they did not stop there. The following list shows which Russian oil and gas company partnered at each facility:

This list is not meant to be exhaustive. I have no doubt that I have missed some similar fuel explosions directly linked to Russia in this time period. For example, I cannot immediately tell if this reported ‘gas pipeline explosion’ in Chelyabinsk, Russia, was actually the gas explosion reported on Gazprom’s pipeline in Perm, Russia, on the same day, July 26th:

…and in fact, I could find no further reference to a gas pipeline explosion in Chelyabinsk, so I left it off the list. (Google maps assures me that Perm and Chelyabinsk are quite some distance apart.)

Stuxnet is Capable of Causing All These Explosions

While this short blog is not the place for rehashing the capabilities of Stuxnet, for which I thoroughly recommend following Kim Zetter on Twitter and buying her book “Countdown to Zero Day”, a brief reprise may be in order. Among the virus’s many capabilities is taking over PLCs, or programmable logic controllers. These devices are used across industry to do things like regulate pressure. Specifically, the coders of Stuxnet penetrated Siemens, which has a lock on the worldwide PLC market.

When initially researching this piece, which has taken me several weeks, I took a long dive into the first four explosions, thinking, initially, that the Iranian Gazprom pipeline in Cheshmesh-Khosh constituted the last target. I found that Siemens equipment was in use at all four sites hit with spectacular explosions over the July 4th weekend. I have no doubt that Stuxnet is fully capable of introducing itself to other PLC manufacturers, such as ABB and Schneider, and has done so, but all the initial sites worked with Siemens. Furthermore, all the blasts could have been caused by altering the pressure in the gas and oil regulators, which could have happened by hacking the PLCs that control all of these facilities.
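The paragraph above rests on one technical claim: a compromised PLC can push a regulator outside its safe pressure band while reporting normal values back to the operator screen. The defensive counter is an independent consistency check that does not trust the PLC’s own process image. The script below is an added example, written for this page and not code from the post or from any vendor; the CSV layout, the limit values and the sample telemetry rows are all hypothetical. It compares the PLC-reported pressure with an independently wired sensor, checks the commanded setpoint against the engineered envelope, and flags physically implausible rates of change.

```python
"""Added example (not from the original post): an independent consistency check
for a pressure-regulating PLC, run over constructed telemetry lines.

The idea: never trust the PLC's own reported process value alone. Compare it
with an independently wired sensor, confirm the setpoint stays inside the
engineered envelope, and watch the rate of change. The CSV layout, the limit
values and the sample rows are all hypothetical.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample telemetry (hypothetical values). Columns: seconds since
# start, commanded setpoint, the value the PLC reports back to the HMI, and a
# reading from an independent sensor that does not pass through the PLC.
SAMPLE_CSV = """ts,setpoint_bar,plc_reported_bar,independent_bar
0,20.0,19.8,20.1
10,20.0,19.9,20.0
20,20.0,20.0,20.2
30,20.0,20.0,27.9
40,38.0,20.0,36.0
50,38.0,20.0,47.5
"""


@dataclass(frozen=True)
class Limits:
    """Engineering envelope for one regulator (hypothetical numbers)."""
    setpoint_min_bar: float
    setpoint_max_bar: float
    max_divergence_bar: float      # PLC-reported vs. independent sensor
    max_rate_bar_per_s: float      # fastest plausible physical change


DEFAULT_LIMITS = Limits(setpoint_min_bar=15.0, setpoint_max_bar=25.0,
                        max_divergence_bar=2.0, max_rate_bar_per_s=1.0)


def parse_telemetry(text):
    """Parse CSV text into a list of dicts with numeric fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": int(rec["ts"]),
            "setpoint": float(rec["setpoint_bar"]),
            "plc": float(rec["plc_reported_bar"]),
            "independent": float(rec["independent_bar"]),
        })
    return rows


def check_telemetry(rows, limits=DEFAULT_LIMITS):
    """Return a list of (ts, reason) findings, in row order.

    reasons:
      setpoint_out_of_range  - commanded setpoint outside the envelope
      divergence             - PLC-reported value disagrees with the
                               independent sensor (what a replayed or faked
                               process image looks like from outside)
      rate_of_change         - independent sensor moved faster than the
                               physics of the line allow
    """
    findings = []
    prev = None
    for row in rows:
        ts = row["ts"]
        if not limits.setpoint_min_bar <= row["setpoint"] <= limits.setpoint_max_bar:
            findings.append((ts, "setpoint_out_of_range"))
        if abs(row["plc"] - row["independent"]) > limits.max_divergence_bar:
            findings.append((ts, "divergence"))
        if prev is not None:
            dt = ts - prev["ts"]
            if dt > 0:
                rate = abs(row["independent"] - prev["independent"]) / dt
                if rate > limits.max_rate_bar_per_s:
                    findings.append((ts, "rate_of_change"))
        prev = row
    return findings


def first_alert_ts(findings):
    """Timestamp of the earliest finding, or None when the trace is clean."""
    return findings[0][0] if findings else None


if __name__ == "__main__":
    for ts, reason in check_telemetry(parse_telemetry(SAMPLE_CSV)):
        print(f"t={ts:>3}s  {reason}")
```

In the constructed trace the PLC keeps reporting a steady 20 bar while the independent sensor climbs, so the divergence check fires at t=30 s before the setpoint itself is ever changed; the point of the design is that the second sensor path and the rate limit are outside anything the controller can rewrite.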

We Can Postulate US ‘Message Discipline’ In the Targeting

The July 2nd reporting of the trolling delivered by Vladimir Putin, through REvil, to Joe Biden (calling Biden a pedophile, putting racial-division messages in the code files) showed that the Kremlin was intent on deliberately adding insult to injury in its targeting. I submit that the United States’ choice of targets similarly sent a message and, just as Russia did, more than one message. There is more to say about the messages I believe were sent by US Cyber Command than will fit in a single piece, so I will limit myself to the headlines:

  1. The first three attacks hit Lukoil partners. Lukoil was involved in targeting the 2016 election as it partnered with Cambridge Analytica; it was responsible for funding trolling of the kind REvil hit Biden with on July 2nd.

  2. The first three attacks all happened on Russian-partnered oil and gas pipelines, exactly as Joe Biden promised Putin, took place on the July 4th weekend, and were designed for high visibility.

  3. The first explosion literally created an “all-seeing eye” in the sea; it was intended to be seen and to serve as a warning. The second singled out a Romanian oil well that partnered with Lukoil but which was also specifically notorious for its ties to organized crime, REvil being, clearly, sanctioned by Putin but also organized crime.

  4. The subsequent barrage of explosions, after the July 4th weekend, all appear to have been aimed at targets of high strategic value in geopolitical terms. For example, the Gazprom-partnered pipeline at Cheshmesh-Khosh was explicitly developed by the state of Iran with Russia to avoid US sanctions.

  5. The other Gazprom explosions have caused the Russian state epic reputational and economic damage, and all appear targeted very precisely at Nordstream 2. Joe Biden, of course, lifted sanctions on Nordstream 2 and gave Putin a face-to-face meeting, which Russia hawks (including me) disapproved of. However, following Putin’s continued ransomware attacks, it is certainly plausible that Joe Biden is delivering exactly what he told Putin he would deliver. There is no need to sanction Nordstream 2 when you can simply blow it up. The succession of explosions affecting Nordstream 2 actually caused Russia to repatriate gas it had already sold to Austria. Yes, you read that correctly; Putin quite literally started to siphon natural gas already sold to the Austrian market back to Russia:

It is almost impossible to overstate the economic and reputational damage done to Gazprom and to Russia, which is entirely dependent on its oil and gas exports, by forcing Gazprom to literally siphon sold gas back to Russia. There is one and only one reason to do this: Putin fears that he will not have enough natural gas in the Russian state to see Russians through the winter.

Russia is now seen as an unreliable partner for the supply of natural gas; Angela Merkel and others who sought to end-run the United States look like idiots.

Alternate Explanations for Pipeline Explosions Either Stretch Credulity, Don’t Exist, Or Admit Pressure Issues

  • Lukoil partner PEMEX rather desperately suggested that a “lightning strike” on the sea had caused the fire after gas rose to the surface; the company offered literally zero explanation of why the gas leaked.

  • The Romania fire was blamed on pressure in initial reports; subsequently the operator just says it will investigate.

  • There is no official explanation of the Azerbaijan explosion. Twitter experts suggested a ‘mud volcano’ caused, rather than was caused by, the explosion, but the government has not confirmed this. It should be noted that those same Twitter experts falsely stated that natural gas pipelines did not exist in this area; they do.

  • The Cheshmesh-Khosh pipeline operator is still investigating a cause; early reports blamed experienced maintenance workers.

  • The Algerian explosions were also reported with reference to pressure and an unknown cause:

    a gas pipeline linking the province of Relizane to the province of Tlemcen, caught fire at approximately 8:45 am on Tuesday, after it exploded for reasons that have not yet been determined.

    Elements of Civil Protection Unit in the municipality of Zahana intervened to put out the fire after the agents of the Sonatrach group closed the pipe valves…the pipe that exploded at the level of its section, located in the village of Ben Awali in the municipality of Zahana, has a diameter of 20 inches and a pressure of 20 bar.

    MOSCOW. Aug 6 (Interfax) - Gazprom is analysing the impact that the fire at a gas preparation plant in Urengoy will have on gas supplies to Russia and Europe.

    Asked about the impact of the incident on supplies to Europe and fulfilment of contractual obligations, and how long recovery will take, the Russian gas giant said that an "analysis of the reasons and consequence of the accident is underway."

Conclusion:

We cannot attribute for certain, without the malware samples supplied back in 2010, the pressure-related explosions at oil and gas facilities that occurred across the world right after Vladimir Putin authorized a trolling-laced ransomware campaign against America on the July 4th weekend.


What we can say, however, is that all these facilities are directly linked to the Russian state; that all these explosions could easily have been caused by a Stuxnet attack on the PLCs that control pressure and other crucial systems; and that all these explosions, sticking to the letter of the retaliation promised to Putin by President Biden, start with messaging and end with serious damage to Russia’s economy. We do not know, and cannot know from open sources, whether what looks like a “shock and awe” campaign by Fort Meade was that or whether it was all a mere coincidence. But we can say that if targeted message discipline is important, each and every one of these targets serves a key and indeed obvious purpose for the United States, and that the timing of the strikes, if not intentional, was incredibly serendipitous. Ian Fleming, himself a spy, had Goldfinger say to James Bond:

Mr Bond, they have a saying in Chicago: ‘Once is happenstance. Twice is coincidence. The third time it’s enemy action.’

UPDATE: Even as I write this post, I see that Lukoil partner Pemex, which kicked it all off with the “Eye of Sauron”, suffered another fire in a refinery on August 7th. I literally cannot keep up with the volume of strikes on Russian oil and gas partners, or, you know, the ‘coincidental explosions’ that simply are not stopping. Russia has continued, weakly, to push at Biden with malware in hospitals, and thus, I would suggest, US cyber operators continue to place their boot on Russia’s economic throat. If it is a game of ‘chicken’, Russia’s spies had best inform their boss that the United States is not going to blink first.

Let me know your thoughts in the comments!

PS: if you are involved in offensive cybersecurity on behalf of the United States, thank you for your service.
