2008 Turkish oil pipeline explosion may have been Stuxnet precursor

Published 17 December 2014

The August 2008 Baku-Tbilisi-Ceyhan (BTC) oil pipeline explosion in Refahiye, eastern Turkey, was ruled at the time to be an accident resulting from a mechanical failure, which itself was attributed to an oversight by the Turkish government’s supervisors. Western intelligence services concluded that the explosion was the result of a cyberattack. According to people familiar with an investigation of the incident, hackers had infiltrated the pipeline’s surveillance systems and valve stations and super-pressurized the crude oil in the pipeline, causing the explosion.

Oil pipeline flames in 2008 explosion in Turkey // Source: newsbaku.info

The August 2008 Baku-Tbilisi-Ceyhan (BTC) oil pipeline explosion in Refahiye, eastern Turkey, was ruled at the time to be an accident resulting from a mechanical failure, which itself was attributed to an oversight by the Turkish government’s supervisors. The Kurdistan Workers’ Party (PKK), a militant pro-Kurdish organization, claimed credit for the explosion, a plausible claim given the PKK’s history of bombing pipelines and other Turkish infrastructure assets.

For some Western intelligence agencies, however, the explosion was beyond the capabilities of the PKK and was not likely the result of an accident. Instead, these intelligence services concluded, the explosion was the result of a cyberattack. According to people familiar with an investigation of the incident, hackers had infiltrated the pipeline’s surveillance systems and valve stations and super-pressurized the crude oil in the pipeline, causing the explosion.

In 2010 U.S. and Israeli intelligence agencies were credited with the first major cyberattack against a foreign power via the Stuxnet malware, which crippled uranium-enrichment centrifuges in Iran’s nuclear weapons program. The revelation of a possible cyberattack against the BTC pipeline two years earlier, however, “rewrites the history of cyberwar,” said Derek Reveron, a professor of national security affairs at the U.S. Naval War College in Newport, Rhode Island.

Companies with major interests in the BTC pipeline have denied rumors of an attack. “We have never experienced any kind of signal jamming attack or tampering on the communication lines, or computer systems,” Huseyin Sagir, a spokesman for Botas International Ltd., the state-run company which operates the pipeline in Turkey, said in an e-mail to Bloomberg News. In its 2008 annual report, British Petroleum, the majority owner of the pipeline, said the temporary shutdown of the BTC pipeline was due to a fire.

The Sydney Morning Herald reports that investigators working with the Turkish, British, Azerbaijani, and other governments have been examining why the security control systems designed to detect oil leaks or fires failed to work moments before the explosion. Investigators eventually discovered that the hackers had entered the system through the surveillance cameras, whose communications software contained backdoors that gave the hackers a path into the system’s internal network. Once inside the network, the hackers could have manipulated the pipeline pressure by breaking into the small industrial computers at a few valve stations.

Roughly sixty hours of pipeline surveillance footage were erased by the hackers, but a single infrared camera operating on an independent network captured images of two men with laptops near the pipeline days before the explosion. The men wore black military-style uniforms without insignias, similar to those worn by troops believed to have been working on behalf of Russia in Crimea during Russia’s invasion of Ukraine earlier this year. Investigators have also matched the time-stamp of the infrared image of the two men to data logs showing that the pipeline’s security system had been breached by an outsider at that time.

In light of the investigation, many intelligence analysts now believe that the BTC pipeline explosion was not an accident, as the Turkish government claimed in 2008. Regarding the PKK’s involvement, leaked U.S. State Department cables note that the PKK has in the past received arms and intelligence from Russia; it is therefore possible that the group arranged in advance with the actual attackers to take credit for the explosion.

It is unlikely that the PKK orchestrated the BTC explosion, analysts say. Sophisticated hacking does not fit the profile of the PKK, said Didem Akyel Collinsworth, an Istanbul-based analyst for the International Crisis Group. “That’s not their modus operandi,” she said. “It’s always been very physical, very basic insurgency stuff.” Additionally, investigators involved with the incident claim that no evidence of a physical bomb was found near the explosion site.

The construction of the BTC pipeline, which connects Baku, the capital of Azerbaijan, and Ceyhan, a port on the south-eastern Mediterranean coast of Turkey, via Tbilisi, the capital of Georgia, dealt a major blow to Russia as it aimed to reassert power over former Soviet territories. “Given Russia’s strategic interest, there will always be the question of whether the country had a hand in it,” said Emily Stromquist, an energy analyst for Eurasia Group, a political risk firm based in Washington, D.C.

Days after the explosion, Russia invaded Georgia, and according to Georgia’s then-prime minister Nika Gilauri, Russian fighter jets dropped bombs meters away from the BTC line near the city of Rustavi, missing their target. By comparison, a cyberattack seemed the more effective weapon.