Cyber Attack: N=2?

By Jon Lindsay

There are a number of interesting things in this report of a (probably Russian) cyber attack on an oil pipeline in Turkey in 2008, more than two years before Stuxnet became public: http://www.bloomberg.com/news/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar.html.

The use of surveillance cameras as a point of entry to attack the very system they were supposed to be defending is particularly rich. The attackers also suppressed alarms of malfunction in the pipeline from reaching the control room, a trick also employed by Stuxnet among others (https://www.youtube.com/watch?v=KYAbFqkvzQA). The same information technology which is supposed to improve visibility of a system also makes the overall system more complex: this both creates vulnerabilities attackers can exploit AND creates intel and planning challenges for an attacker. Notably, this does not look like a trivial or amateurish operation. (Although, men in military uniforms skulking about with laptops? Surely a better disguise was possible?)

Whether this is the first cyber attack or not is a matter of definition. Some people cite Thomas Reed’s story of a 1982 sabotage of a pipeline in Russia—a CIA CI op against the KGB Line X industrial espionage program—but there are reasons to be skeptical about this event (no corroborating witness of this supposedly monumental explosion). I have described Stuxnet as the only publicly-known instance of cyber attack used to cause physical damage across international borders. I was hedging against the possibility of one or more unknown attacks, like this one. Surely there must be others. (You could also quibble that attacks that have bricked or locked up machines count as physical damage even before Stuxnet). Other news reports cite US military sources as having used cyber attack on the battlefield on a small scale, but there are no further details.

I haven’t been through it in depth, but this case appears to reinforce conclusions that I and others have drawn from the Stuxnet case:

– Essentially, cyber attack is a form of covert action. It depends on deception and subversion which is scary and hard to detect and may go undetected for years, but by the same token is self-limiting. If compromise is fatal to an operation then operators have to show restraint in their objectives and take extra precautions in their planning. Deception abounds in this case but it seems to have had little meaningful political effect because the targets could just blame the usual nuisance factors like the PKK or malfunction. If a cyberwar happens in the forest but nobody hears…

– Sophisticated attack is a nation-state game. It takes planning, pre-attack surveillance, and supporting operational infrastructure. This attack had a lot of moving parts, and the attackers knew a lot about POL control systems and the security systems protecting them.

– Critically, adjunct support often involves human operations. Stuxnet probably needed the Mossad’s HUMINT networks to deliver the virus, or at least an unwitting contractor mule. This attack also seems to have required SOF to inject code into local controllers.

– Stories like this dramatize the exotic art of the possible—which drives the cyber threat debate—but they also highlight how tenuous the theory of influence is in cyber attack. A lot of that tenuousness is a function of the reliance on deception, not so great for credible signaling (but maybe great for the reassurance of an ally in on the deception, which may have been as or more important in the Stuxnet case than slowing down the Iranians).

– To the extent cyber is useful, it is usually in conjunction with something else: diplomacy and covert action and threats of air strikes with Stuxnet, and maybe with the 2008 Georgian invasion here, although the linkage is unclear, to put it lightly.

The other question this raises is why are we only finding out about this now? Sounds like US intel and various international “investigators” have known some details for a while. I suppose that it’s nice to be reminded that Russia has been playing with Little Green Men for a while and that US intel agencies are doing more than just torturing some folks.
