Iran is investigating a suspected cyber attack on its main oil export terminal and on the Oil Ministry itself, Iranian industry sources said on Monday.A virus was detected inside the control systems of Kharg Island – which handles the vast majority of Iran’s crude oil exports – but the terminal remained operational, a source at the National Iranian Oil Company (NIOC) said.
The virus, which is likely to draw comparisons with the Stuxnet computer worm, which reportedly affected Iranian nuclear facilities in 2009-10, struck late on Sunday.
It hit the internet and communications systems of Iran’s Oil Ministry and of its national oil company, the semi-official Mehr news agency reported. Computer systems controlling a number of Iran’s other oil facilities have been disconnected from the Internet as a precaution, the agency added.
Hamdullah Mohammadnejad, the head of civil defence at the oil ministry, was reported as saying Iranian authorities had set up a crisis unit and were working out how to neutralise the attacks.
IT systems at the oil ministry and at the national oil company were also disconnected to prevent the spread of any virus, the Mehr news agency said.
The oil ministry’s own media network, Shana, quoted a spokesman as saying some data had been affected but that there was no major damage.
Virus reminiscent of Stuxnet
Iran’s nuclear programme is thought to be the principal target of the Stuxnet worm – discovered in 2010 – the first virus believed to have been specifically designed to subvert industrial systems.
US-based think-tank, the Institute for Science and International Security (ISIS), said that in late 2009 or early 2010 about 1,000 centrifuges – machines used to refine uranium -out of the 9,000 used at Iran’s Natanz enrichment plant, had been knocked out by the virus – not enough to seriously harm its operations.
Iranian officials have accused the US and Israel of developing the virus to sabotage its atomic programme, an allegation neither country has commented on. The US and its allies suspect Iran is using its enrichment activities to covertly develop a nuclear weapons capability, a charge Tehran denies.
Late last year, Iran also identified damage it said was inflicted by a similar virus aimed at disrupting industrial processes, called Duqu.
Experts say Duqu appears to be designed to gather data to make it easier to launch future attacks and that very few organisations could have written such complex programs. There is no confirmation this latest attack is related to Duqu.
A systems analyst at Hungary’s Laboratory of Cryptography and System Security, which first discovered and named Duqu, told Reuters that Iran needed to be more cooperative with samples of malware codes if it required external help.
“As this recent incident might have been a targeted attack against Iran and only against Iran, security experts in Western countries might be reluctant to help them,” Boldizsar Bencsath said. The authorities said there had been no disruption to production or exports, Mehr news reported, but a shipping source with knowledge of operations at Kharg Island said that the NIOC has been prevented from sending out the crude-loading programme at the terminal.
Most of the world’s oil facilities are controlled by computers, but some processes can be managed manually when necessary.
Experts skeptical about nature of virus
Some experts said it was not yet clear whether the virus reported on Monday was, like Stuxnet, seeking to corrupt industrial processes to cause physical damage, or was a simple data virus.
One cyber security specialist Ali Jahangiri said he had doubts about whether a virus actually existed.
“There is no indication that this is definitely a targeted attack from outside. It could be a technical failure inside the oil ministry’s communications own systems,” he said.
However, John Bumgarner, a security specialist at the US Cyber Consequences Unit think tank, told Reuters a virus was a possibility, and that a sufficiently complex one could have more than a fleeting impact.
“The reason you would put a virus inside this network to erase data is because that causes those facilities to have to shut down,” he said, saying servers would need to be rebuilt to get them back online.
“So during that time the production and refinery operations for Iran could be impacted. And depending on how the virus was written, it could be longer term.”