ARE TWO PLAYING THE COVERT OPS GAME?
February 24, 2020
If you're a regular reader here, or even if you're relatively new to this site, I suppose today it would be helpful to reiterate a hypothesis that I've held for some time, and judging by the amount of commentary and emails I've received regarding the corona virus story, I think it is fair to say that many if not most of you share that hypothesis. That hypothesis is that there is some kind of covert warfare - a covert "mafia" war - being waged right before our eyes, but it remains hidden because so much of it appears in the guise of "accidents" or "acts of nature", or, if it is reported, is reported as an isolated incident of "malware" or a computer glitch ex machina. In a world where technology is now capable of manipulating weather or simulating earthquakes, the epistemological problem of analyzing events is compounded; one is left to argue or analyze as best as one might, but is never able to advance from hypothesis to theory; we're all reading tea leaves. Inevitably, one confronts a kind of individual who would rather maintain the simplest theory - usually with invocations of the typically misunderstood name of Ockham lifted wildly out of the theological context in which he formulated his celebrated razor - rather than entertain more complex notions of covert warfare, factional infighting, and so on.
With that caveat on the record, however, I am going to apply my hypothesis - hopefully with a bit of intriguing parallelism - to a very unusual and seemingly not very significant little story shared by G.B.:
Here's the essence of the story:
Tuesday’s news that a ransomware infection shut down a US pipeline operator for two days has generated no shortage of questions, not to mention a near-endless stream of tweets.
Some observers and arm-chair incident responders consider the event to be extremely serious. That’s because the debilitating malware spread from the unnamed company’s IT network—where email, accounting, and other business is conducted—to the company’s operational technology, or OT, network, which automatically monitors and controls critical operations carried out by physical equipment that can create catastrophic accidents when things go wrong.
Others said the reaction to the incident was overblown. They noted that, per the advisory issued on Tuesday, the threat actor never obtained the ability to control or manipulate operations, that the plant never lost control of its operations, and that facility engineers deliberately shut down operations in a controlled manner. This latter group also cited evidence that the infection of the plant’s industrial control systems, or ICS, network appeared to be unintentional on the part of the attackers.
Details are frustratingly scarce. According to an advisory published by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, the ransomware infected an unnamed natural gas compression facility. The attack started with a malicious link in a phishing email that allowed attackers to obtain initial access to the organization’s information technology (IT) network and later pivot to the company’s OT network. Eventually, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”
The infection of the OT network caused engineers to lose access to several automated resources that read and aggregate real-time operational data from equipment inside the facility’s compression operations. These resources included human machine interfaces, or HMIs, data historians, and polling servers. The loss of these resources resulted in a partial “loss of view” for engineers.
Facility personnel responded by implementing a “deliberate and controlled shutdown to operations” that lasted about two days. Compression facilities in other geographic locations that were connected to the hacked facility were also shut down, causing the entire pipeline to be nonoperational for two days. Normal operations resumed after that.
In other words: remain calm, all is under control, nothing to see here, move along.
But I suspect there's another story here, beyond even the one implied by the article itself, namely that the malware infection caused a shutdown of natural gas compression plants for a couple of days. If one applies my "covert operations" template to the interpretation of that outage, then at the minimum we're looking at a possible form of economic "dislocation warfare". But there is, I suspect, a deeper story possible.
In my book Hidden Finance, Rogue Networks, and Secret Sorcery, I reviewed a little-known spy case called the "Farewell" case. "Farewell" was the code name for a mole inside the technical branch of the KGB who was being run by French intelligence during the height of the confrontation between the Reagan Administration and the revolving door of "entities" in the Kremlin in the early 1980s - Chernenko, Andropov, and finally Gorbachev. "Farewell" was the most highly placed mole inside the Soviet Union that any western power had ever run; so highly placed was "Farewell" that he managed to supply the French security and intelligence services with the KGB's technology "shopping list" of things it wanted to buy or steal from the West. Then-French President Francois Mitterrand personally informed President Reagan of the existence of this mole, and shared the KGB shopping list with him, shortly after Mitterrand's election.
The Reagan administration then used this list to "give the Soviets" what they wanted, allowing them to steal software that contained a backdoor. A few months later, this software was allegedly used to cause a massive explosion in - you guessed it - a Soviet natural gas pipeline, an explosion so massive that it was visible from space. At that same time, of course, the PROMIS software scandal was just getting under way, and a number of books, including a novel, Softwar, appeared, outlining how cyber warfare could be conducted against an enemy by using compromised software.
The reaction, inevitably, was that Russia - just a few years ago - decided that for secure internal communications, typewriters (!) were the way to go; meanwhile, both Russia and China established their own cyber-warfare and security departments.
In other words, two can play the covert cyber-warfare operations game.
And perhaps, just perhaps, that's what we're looking at here. Consider only that this event was being watched by the Department of Homeland Security...
See you on the flip side...