Iranian Gas Cyberattack

Sulaiman Alhasawi
3 min read · Oct 31, 2021

On Tuesday 26/10/2021 a cyberattack hit no less than 10 gas stations in Iran. There are no details yet about how the attack happened. I did my best to imagine the nature of this attack. In order to do so, I needed to know the fuel system that was targeted. According to the news, the Iranian gas stations implemented an intelligent fuel system that is based on smart cards. This fuel system is called the Fuel Card Management System (FCMS). The idea behind using this system was to prevent the leakage of subsidized petroleum products onto the black market.

Allow me to share some technical knowledge. I found out that these fuel systems contain a database that stores fuel cards and cardholder details. The database is hosted on a server. The administrative fuel system is available online as a web portal. Customers can also use smartphone apps to access their accounts and fuel services. As you can see, there are possible threat vectors and factors that could help facilitate this attack. Let me share my ideas:

  • Online fuel system: This could be found through Shodan; I found many, check my GitHub.
  • Exploitation of database servers.
  • Brute-forcing or social engineering of the administrative credentials.
  • Vulnerable fuel system and other software hosted on the same server.
  • Open ports that shouldn’t be open.
  • OSINT: I found documents that contain technical details of this fuel system. I also found a few GitHub projects that explain how these intelligent systems work. The availability of these documents is of high value to an attacker.
  • Supply chain: Is it possible that the vendors of fuel systems reused existing code from GitHub? It’s worth bearing this in mind; read about “SBOM” to learn more about supply chain issues.

Let’s discuss the OT impact. According to some resources, the smart fuel system controls the gas nozzles. The nozzle is not released unless the smart card is working, and some systems require a PIN code. If the system is not available, the smart cards don’t work. That is exactly what happened, and it led to big car queues at many stations. This impacted sales of fuel and also indirectly impacted other people, who needed this fuel to do their daily tasks. Distribution networks were down all day long. They resumed operation the next day, on Wednesday.

Who was behind this attack, black market mafia or nation states? Attribution is hard. Finally, is this an OT attack? To answer this question, one should examine the details of these systems and see if they have any relationship with OT that could have a physical or financial impact. To me it looks like an OT attack because in this incident the nozzle (a physical component) stopped working; add to that the financial impact.

So if you are a fuel station owner and are wondering how to protect yourself from being hit by a cyber attack, provided you have the same system: I highly advise you to limit the online exposure of your systems. Go through the above bullet points and find out whether they are applicable to your system. Your team should be able to do so, or you can delegate it to others, like a 3rd party who can provide these services for you.
