Iran says it is investigating a suspected cyberattack on its main oil-export terminal and on the Oil Ministry itself. As of April 24, no signs of lasting damage had been discovered, but what do we know about the attack and its potential effect on Iran’s oil industry?
RFE/RL correspondent Antoine Blua discussed these issues with Boldizsar Bencsath, assistant professor at the Laboratory of Cryptography and Systems Security (CrySyS) in Budapest.
RFE/RL: Iran has set up a crisis committee to counter what officials described as a “cyberattack.” Officials said a data-deleting virus hit the Internet and communications systems of the Iranian Oil Ministry and national oil company late on April 22, forcing Iran to temporarily disconnect the control systems of a number of oil facilities to curb the virus. What do we know for certain about this attack?
Boldizsar Bencsath: Actually, we don’t know too much except the statements from Iran. We don’t have any sample or any other information to decide what it actually was. Many suspect that this was a targeted attack done by some kind of malware. But actually we don’t have any proof or detailed information on that.
RFE/RL: If it’s not a virus, could it be a technical failure inside the Oil Ministry’s own communications systems?
Bencsath: Yes it can be, but most of the time Iran does not [acknowledge] glitches of the technical stuff. So whenever they accept or acknowledge any type of problem, it has a serious background most of the time.
RFE/RL: What makes a cyberattack seem likely?
Bencsath: We suspect a virus or malware activity because we’ve already seen some of these types of attacks against Iran.
The first was Stuxnet — that was a targeted attack done by a self-reproducing malware that spread across the network [in 2009-10] and it was directly targeting Iranian uranium-enrichment facilities.
The second was the Duqu malware that we identified in a network in Europe. This was again a targeted attack, but [it was] not spreading all over the network — just sent to specific computers.
For these reasons, most likely it is possible to have another virus or just a modification of Duqu [targeting] the oil industry.
But there is no evidence that it is connected.
There was a third virus called Stars that was [reported] by Iran nearly one year ago. Official statements or news were spread on April 25, 2011.
That seems very suspicious that we have just [arrived at] the first anniversary for the Stars virus or malware. And for this Stars malware we don’t know too much as well. Iran did not share samples with the [antivirus] industry. So no one knows what Stars was actually.
RFE/RL: Iranian officials have accused the United States and Israel of these cyberattacks. Why would a country put a virus inside the network of Iran’s oil industry?
Bencsath: There can be a lot of different targets for malware. Speaking about Duqu, it can be used first of all to steal data by grabbing the keyboard input, grabbing the screen, and saving all this information, as well as downloading files, modifying files, [or] deleting files.
But it is also possible to do nearly everything — to go to from one computer to the other if the authentication system accepts it or using exploits.
And finally, if your systems are connected to servers or industrial control systems, then you can also modify different things on them.
RFE/RL: Iran says it has suffered no lasting damage from the latest cyberattack, and it hopes to have all systems back up and running within days. Iran has also given assurances that little damage was caused by the previous attacks. Are these claims credible?
Bencsath: Let’s take some scenarios. First of all the attackers infected an office computer and from this office computer they could reach a server and they gathered administrative rights and finally they deleted [data from this server].
Then most likely you have a backup — maybe a hot backup or a cold backup system. They switch on this machine and everything is back to normal.
The other way is that you have tape backups or different drives that contain the data that the server used to have. If you start this recovery process, it just takes hours or days to recover the server and go back to work.
RFE/RL: Couldn’t it take more time in some more dramatic cases?
Bencsath: Of course it is even possible that [the attackers] used this virus for a long time and they corrupted backups. For example, they put false information during the backups on the tapes or whatever.
In this case it is much harder work to get the system back to normal. But it also depends on what types of data you have on the server. If it contains just normal programs, then it is not a problem to install them again.
If they contain important information like parameters for control systems or whatever then it takes much more time to rebuild your system or recover your status.
So, without details on how problematic this case is, we cannot judge if oil production will be interrupted for hours or for weeks or if it didn’t affect any of these activities — [but] just office networks.”
Radio Free Europe / Radio Liberty