That was bewildering, as was the cameras' failure to capture the combustion in eastern Turkey. But investigators shared their findings within a tight circle. The Turkish government publicly blamed a malfunction, Kurdish separatists claimed credit and BP had the line running again in three weeks. The explosion that lit up the night sky over Refahiye, a town known for its honey farms, seemed to be forgotten.
It wasn't. For western intelligence agencies, the blowout was a watershed event. Hackers had shut down alarms, cut off communications and super-pressurised the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential. The main weapon at valve station 30 on August 5, 2008, was a keyboard.
The revelation "rewrites the history of cyberwar," said Derek Reveron, a professor of national security affairs at the US Naval War College in Newport, Rhode Island.
Countries have been laying the groundwork for cyberwar operations for years, and companies have been hit recently with digital broadsides bearing hallmarks of government sponsorship. Sony's network was raided by hackers believed to be aligned with North Korea, and sources have said JPMorgan Chase & Co blamed an August assault on Russian cyberspies. Security researchers just uncovered what they said was a campaign by Iranian hackers that targeted commercial airlines, looking for vulnerabilities that could be used in physical attacks.
Energy politics
The Refahiye explosion occurred two years before Stuxnet, the computer worm that in 2010 crippled Iran's nuclear-enrichment programme and is widely believed to have been deployed by Israel and the US. It turns out the Baku-Tbilisi-Ceyhan pipeline hackers were ahead of them. The chief suspect, according to US intelligence officials, is Russia.
The sabotage of the BTC line - which follows a route through the former Soviet Union that the US mapped out over Russian objections - marked another chapter in the belligerent energy politics of Eurasia. Days after the explosion, Russian fighter jets dropped bombs near the line in neighbouring Georgia. Alexander Dugin, an influential advocate of Russian expansionism and at the time an adviser to the Russian parliament, was quoted in a Turkish newspaper declaring the BTC was "dead."
Kinetic effects
The obituary was premature, but the attack proved to US officials that they were right to be concerned about the vulnerability of pipelines that snake for hundreds of thousands of miles across Europe and North America. National Security Agency experts had been warning the lines could be blown up from a distance, without the bother of conventional weapons. The attack was evidence other nations had the technology to wage a new kind of war, three current and former US officials said.
"The timing really is the significance," said Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Center, which works with utilities and pipeline companies. "Stuxnet was discovered in 2010 and this was obviously deployed before that. This is another point on the timeline" in the young history of cyberwar.
US intelligence agencies believe the Russian government was behind the Refahiye explosion, according to two of the people briefed on the investigation. The evidence is circumstantial, they said, based on the possible motive and the level of sophistication. The attackers also left behind a tantalising clue.
As investigators followed the trail of the failed alarm system, they found the hackers' point of entry was an unexpected one: the surveillance cameras themselves.
The cameras' communication software had vulnerabilities the hackers used to gain entry and move deep into the internal network, according to the people briefed on the matter.
Once inside, the attackers found a computer running on a Windows operating system that was in charge of the alarm-management network, and placed a malicious programme on it. That gave them the ability to sneak back in whenever they wanted.
Extensive reconnaissance
The central element of the attack was gaining access to the operational controls to increase the pressure without setting off alarms. Because of the line's design, the hackers could manipulate the pressure by cracking into small industrial computers at a few valve stations without having to hack the main control room.
The presence of the attackers at the site could mean the sabotage was a blended attack, using a combination of physical and digital techniques. The super-high pressure may have been enough on its own to create the explosion, according to two of the people familiar with the incident. No evidence of a physical bomb was found.
Having performed extensive reconnaissance on the computer network, the infiltrators tampered with the units used to send alerts about malfunctions and leaks back to the control room. The back-up satellite signals failed, which suggested to the investigators that the attackers used sophisticated jamming equipment, according to the people familiar with the probe.
Investigators compared the time-stamp on the infrared image of the two people with laptops to data logs that showed the computer system had been probed by an outsider. It was an exact match, according to the people familiar with the investigation.
Three days after the BTC blast, Russia went to war with Georgia, and Georgian Prime Minister Nika Gilauri accused Russia of sending the jets to bomb the BTC near the city of Rustavi. The bombs missed their presumed target, some by only a few feet, and the pipeline remained undamaged. The keyboard was the better weapon.