Saudi oil refinery cyber-attack intended to trigger explosion, claims report

August attack targeted safety systems used in nuclear power stations

A cyber attack on an oil refinery in Saudi Arabia in August was intended to cause sabotage, possibly even an explosion, according to investigators.

And the only thing that prevented it was an error in the attack code.

That's according to a report in the New York Times newspaper, which claims that it was the culmination of a string of attacks on economic targets in the country that occurred throughout 2017.

But it is the August cyber attack on a petrochemical plant, which targeted the plant's Triconex safety controllers, made by Schneider Electric, that has raised alarm. These devices are used in around 18,000 different plants around the world, including nuclear power stations, water treatment works, refineries and chemical plants.

The controllers were believed to be configurable only with physical access, but investigators found a file that looked like a legitimate part of the Schneider controllers and that they believe enabled the attackers to access them remotely.

"The only thing that prevented significant damage was a bug in the attackers' computer code that inadvertently shut down the plant's production systems," reported the New York Times. The incident is being investigated by Mandiant.

The report added: "Investigators believe that the hackers have probably fixed their mistake by now, and that it is only a matter of time before they deploy the same technique against another industrial control system."

The attacks on Saudi infrastructure are believed to have started in November 2016 and include an attack on one of the few privately owned petrochemical companies, the National Industrialization Company, also known as Tasnee. That attack coincided with one on the Sadara Chemical Company, a joint venture between nationalised Saudi Aramco and US giant Dow Chemical.

"Within minutes of the attack at Tasnee, the hard drives inside the company's computers were destroyed and their data wiped clean, replaced with an image of Alan Kurdi, the small Syrian child who drowned off the coast of Turkey during his family's attempt to flee that country's civil war," claimed the newspaper.

The attack on Tasnee was investigated by Symantec. It claims the intention was to cause lasting damage to the company - and to send a political message. The recovery took months, the newspaper reports.

It's unclear whether the attackers were internally focused; that is to say, opposed to the economic plans of new Crown Prince Mohammed bin Salman to reduce dependence on the state and to encourage more foreign and private investment to better diversify the country's oil-dependent economy.

More likely, though, is a geopolitical link related to activity in Syria and the wider region, as well as Saudi Arabia's ongoing war in Yemen and its diplomatic tussle for regional leadership with Iran. The government of Iran, which has been linked with nation-state attacks in the past, has denied responsibility.