ARE TWO PLAYING THE COVERT OPS GAME?

If you're a regular reader here, or even if you're relatively new to this site, I suppose today it would be helpful to reiterate a hypothesis that I've held for some time, and judging by the amount of commentary and emails I've received regarding the corona virus story, I think it is fair to say that many if not most of you share that hypothesis. That hypothesis is that there is some kind of covert warfare - a covert "mafia" war - being waged right before our eyes, but it remains hidden because so much of it appears in the guise of "accidents" or "acts of nature", or, if it is reported, is reported as an isolated incident of "malware" or a computer glitch ex machina. In a world where technology is now capable of manipulating weather or simulating earthquakes, the epistemological problem of analyzing events is compounded; one is left to argue or analyze as best as one might, but is never able to advance from hypothesis to theory; we're all reading tea leaves. Inevitably, one confronts a kind of individual who would rather maintain the simplest theory - usually with invocations of the typically misunderstood name of Ockham, lifted wildly out of the theological context in which he formulated his celebrated razor - than entertain more complex notions of covert warfare, factional infighting, and so on.

With that caveat on the record, however, I am going to apply my hypothesis - hopefully with a bit of intriguing parallelism - to a very unusual and seemingly not very significant little story shared by G.B.:

A US gas pipeline operator was infected by malware—your questions answered

Here's the essence of the story:

Tuesday’s news that a ransomware infection shut down a US pipeline operator for two days has generated no shortage of questions, not to mention a near-endless stream of tweets.

Some observers and arm-chair incident responders consider the event to be extremely serious. That’s because the debilitating malware spread from the unnamed company’s IT network—where email, accounting, and other business is conducted—to the company’s operational technology, or OT, network, which automatically monitors and controls critical operations carried out by physical equipment that can create catastrophic accidents when things go wrong.

Others said the reaction to the incident was overblown. They noted that, per the advisory issued on Tuesday, the threat actor never obtained the ability to control or manipulate operations, that the plant never lost control of its operations, and that facility engineers deliberately shut down operations in a controlled manner. This latter group also cited evidence that the infection of the plant’s industrial control systems, or ICS, network appeared to be unintentional on the part of the attackers.

...

Details are frustratingly scarce. According to an advisory published by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, the ransomware infected an unnamed natural gas compression facility. The attack started with a malicious link in a phishing email that allowed attackers to obtain initial access to the organization’s information technology (IT) network and later pivot to the company’s OT network. Eventually, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

The infection of the OT network caused engineers to lose access to several automated resources that read and aggregate real-time operational data from equipment inside the facility’s compression operations. These resources included human machine interfaces, or HMIs, data historians, and polling servers. The loss of these resources resulted in a partial “loss of view” for engineers.

Facility personnel responded by implementing a “deliberate and controlled shutdown to operations” that lasted about two days. Compression facilities in other geographic locations that were connected to the hacked facility were also shut down, causing the entire pipeline to be nonoperational for two days. Normal operations resumed after that.

In other words: remain calm, all is under control, nothing to see here, move along.
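The quoted description of the incident (a phishing link on the IT network, then a pivot into the OT network where the HMIs and historians live) is exactly the boundary crossing that segmentation monitoring is supposed to catch. As an added example, not code from the article, the CISA advisory, or this post, the script below scans constructed firewall flow logs for permitted IT-to-OT connections that fall outside a sanctioned conduit; the subnets, the single allowed jump-host-to-historian path, the ports, and the log format are all assumptions.

```python
"""
Added example (not from the quoted article, the CISA advisory, or this post):
flag IT-to-OT network crossings in constructed firewall flow logs.

Assumptions (not from the page): the IT network is 10.10.0.0/16, the OT network
is 10.20.0.0/16, and the only sanctioned IT->OT path is from the jump host
10.10.5.5 to the historian 10.20.1.10 on TCP 1433 (the "conduit"). Any other
permitted flow that crosses the boundary is a segmentation violation.
"""
import ipaddress
from dataclasses import dataclass

IT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed IT address space
OT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed OT address space

# Sanctioned conduits between zones as (src, dst, proto, dst_port). Assumed values.
ALLOWED_CONDUITS = {
    ("10.10.5.5", "10.20.1.10", "tcp", 1433),
}

# Constructed sample log; the format and every address are invented for this example.
SAMPLE_LOG = """\
# ts,src,dst,proto,dport,action  (constructed sample, not real traffic)
2021-06-01T02:58:10Z,10.10.3.14,10.10.2.2,tcp,443,allow
2021-06-01T02:59:02Z,10.10.5.5,10.20.1.10,tcp,1433,allow
2021-06-01T03:01:45Z,10.10.3.14,10.20.1.10,tcp,445,allow
2021-06-01T03:02:11Z,10.10.3.14,10.20.1.11,tcp,3389,allow
2021-06-01T03:02:30Z,10.10.3.14,10.20.1.12,tcp,445,deny
2021-06-01T03:05:00Z,10.20.1.11,10.20.1.10,tcp,502,allow
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def zone_of(ip: str) -> str:
    """Map an address to IT, OT or EXTERNAL using the assumed subnets."""
    addr = ipaddress.ip_address(ip)
    if addr in OT_NET:
        return "OT"
    if addr in IT_NET:
        return "IT"
    return "EXTERNAL"


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed CSV flow format."""
    ts, src, dst, proto, dport, action = [f.strip() for f in line.split(",")]
    return Flow(ts, src, dst, proto.lower(), int(dport), action.lower())


def is_violation(flow: Flow) -> bool:
    """True when the flow goes from IT into OT on a path that is not a sanctioned conduit."""
    if zone_of(flow.src) != "IT" or zone_of(flow.dst) != "OT":
        return False
    return (flow.src, flow.dst, flow.proto, flow.dport) not in ALLOWED_CONDUITS


def find_pivots(lines):
    """Return permitted IT->OT flows that break segmentation, grouped by source host.

    Denied flows are skipped: they show the firewall held. A permitted flow on an
    unsanctioned path is the IT-to-OT pivot the article describes.
    """
    pivots = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.action == "allow" and is_violation(flow):
            pivots.setdefault(flow.src, []).append(flow)
    return pivots


if __name__ == "__main__":
    for src, flows in find_pivots(SAMPLE_LOG.splitlines()).items():
        targets = sorted({f"{f.dst}:{f.proto}/{f.dport}" for f in flows})
        print(f"ALERT segmentation violation from {src} -> {', '.join(targets)}")
```

Run as a script it prints one alert for the assumed IT workstation that reached two OT hosts; the denied attempt and the sanctioned historian connection are left out, and any deny-listed path you add to `ALLOWED_CONDUITS` should be the exception, not the rule.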

But I suspect there's another story here, beyond even the one implied by the article itself: that the malware infection caused a shutdown of natural gas compression plants for a couple of days. If one applies my "covert operations" template to the interpretation of that outage, then at the minimum we're looking at a possible form of economic "dislocation warfare". There is, I suspect, a deeper possible story.

In my book Hidden Finance, Rogue Networks, and Secret Sorcery, I reviewed a little-known spy case called the "Farewell" case. "Farewell" was the code name for a mole inside the technical branch of the KGB who was being run by French intelligence during the height of the confrontation between the Reagan Administration and the revolving door of "entities" in the Kremlin in the early 1980s - Chernenko, Andropov, and finally Gorbachev. "Farewell" was the most highly placed mole inside the Soviet Union that any western power had ever run; so highly placed was "Farewell" that he managed to supply the French security and intelligence services with the KGB's technology "shopping list" of things it wanted to buy or steal from the West. Then-French President Francois Mitterrand personally informed President Reagan of the existence of this mole, and shared the KGB shopping list with Reagan, shortly after Mitterrand's election.

The Reagan administration then used this list to "give the Soviets" what they wanted, allowing them to steal software that contained a backdoor. A few months later, this software was allegedly used to cause a massive explosion in - you guessed it - a Soviet natural gas pipeline, an explosion so massive that it was visible from space. At that same time, of course, the PROMIS software scandal was just getting under way, and a number of books, including a novel, Softwar, appeared, outlining how cyber warfare could be conducted against an enemy by using compromised software.

The reaction, inevitably, was that Russia - just a few years ago - decided that for secure internal communications, typewriters (!) were the way to go; meanwhile, both Russia and China established their own cyber-warfare and security departments.

In other words, two can play at covert cyber-warfare operations.

And perhaps, just perhaps, that's what we're looking at here. Consider only that this event was being watched by the Department of Homeland Security...

See you on the flip side...

13 thoughts on “ARE TWO PLAYING THE COVERT OPS GAME?”

  1. Not one to add a flashpoint to your [well proposed] “high octane speculations / suspicions,” but there are likely at least three players with a fourth runner up; one next door to the big Dragon and Sovietszky and the other along the Belt and Road, south of the Caspian. Each of the latter two with their own army of cyber warriors, too.

    Das Geist von, Nikita Khrushchev, by way of Vlad…..P…., still seeks to “bury” the west.

  2. The sad fact is computer AI can be hacked and is designed to be hacked. Humans can be bribed or blackmailed but can in the end choose how to deal with such a situation, whereas a computer AI is at the mercy of its programmers.

  3. Fukushima had man-in-the-loop based levers, but Stuxnet gave them the wrong information in the control room. As per the quoted pipeline incident: “Still, the attack did knock out crucial control and communications gear that on-site employees depend on to monitor the physical processes.”
    A cop on every street corner, an employee physically monitoring every nut and bolt.

    1. From the Fukushima Report by Jim Stone :
      http://82.221.129.208/fukureport1b.pdf
      “Fukushima was impossible. The swamping of the generators by the tsunami was irrelevant, because the real emergency backup systems are driven by steam from the reactors themselves and require no electricity at all to function. No electricity is needed to operate three separate emergency systems at each reactor, each of which will keep a reactor safe even if only one works. Interesting it is then that all 9 non electrical backup systems across the three fueled reactors failed. This is technically impossible outside of willful intent, and was likely the result of a Stuxnet virus attack. Stuxnet was designed specifically to target Siemens SCADA controllers and is most effective at tampering with fluid control systems of the type that Fukushima used for emergency safety.”

      “And now I will explain in detail why the problems before the explosions had to be sabotage. The diesel generators were not out in the open as we were led to believe; they were in fact located in the basements of the turbine buildings which were sealed off and never significantly flooded. One of them stayed running the entire time, but the electrical switch gear attached to it disconnected it for an unexplained reason which made it useless. Each of the backup generators at Fukushima were capable of running 14,000 households each, which means they had to be over ten megawatts each. It is obvious then that Fukushima was set up to survive on only ONE of 13 backup generators, and ONE did keep running. One would be many times larger than needed to run last ditch backup systems at all reactors, but would not keep business as usual. But that is not the real story, which is that even others which were high and dry stopped as well. I hypothesize that the ONE generator that kept running was kept as a lone reserve, never hooked up to a SCADA controller. Why did the switch gear disconnect a working generator? That is the type of thing Stuxnet was designed to do. On top of these things, emergency generators arrived on scene within 9 hours, before anything bad happened at all, but were not able to provide power because the switch gear would not let them.” (my italics)

  4. Lol what if ? …more than “2” are playing the covert ops …”game?” I mean like…. on more …than multi-levels ??? On planet ….off world ? ….Heavenly ….realm? & if ya mix in them darn ( man that just doesn’t sound right 🙁 ) ….Predator’s mud ,mud ,Mud MUD ! 🙂

  5. First thought.
    Go deep from the get-go. Warfare causes an inherent sharpening of the swords in play; increasing the awareness and intellect of each side. So the group benefits; as well as the individual. It’s just too bad that the goal is not to strengthen the living wealth of the planet; but the opposite, killing the planet. In fact, the technology is not geared for building life; but, destroying it.

    Ransomware is taking advantage of another inherent weakness: a corrupted internet. Now there are the “in” players, who know the backdoors built into the “system”. So when breached by malware is it a state player; an extra-state player, or a criminal[organization]?
    Then there’s the stock market. Could this malware then bring the company’s stock way down, and effectively kill the potential golden goose?
    Or, is there a problem that has nothing to do w/malware; and, that’s simply the public cover story?
    Or, is it enemy action in covert warfare?

    From my perspective, the danger comes from using living warfare/biological. That’s where the control factors are playing in a field chock-full of deep time players in genetic engineering/Nature herself. Biological fire is nothing to play with.

    And, two can play this game.
    Then others join in to pretend they’re one of the other two; so when both weaken, number 3 can become #1.
    But # 4 knows this, and he….

    Yep,
    and the biological fires are just the beginning…

  6. One must question why we are always given a binary choice, either Chinese or Russian. I can think of at least two other choices who operate by deception and there are, most likely, several others. Today’s world is much more complicated than that; and the USSA has made far more enemies than just China and Russia. We have made enemies around the globe and are targeted by them all, even factions within our own government.

  7. It is good that the malware was only able to infest the IT & OT systems, rather than manipulate physical systems to go BOOM. On the other hand, what if this was mainly a ‘scouting’ expedition? Most likely, natural gas compression facilities throughout the US & Canada use the same/similar software. Infiltrate one, and you can probably infiltrate them all. This moves this incident from an annoyance to a threat. The same goes with all the software in other, pipelined (sorry) industries.

    I am more concerned with the StuxNet side. That malware is designed to go after industrial controllers and literally cause BOOMs. I truly hope that industrial plants/facilities throughout the world have swapped out software-dependent controllers for man-in-the-loop controllers. Otherwise, BOOMs are awaiting…
