On March 7, 2019 at 4:54 in the afternoon, the worst electrical incident that has happened in the history of Venezuela began, when the Guri hydroelectric plant –the largest in the country– presented a series of massive failures that caused more than 80 percent of the country to be without service for between 36 and 80 hours, or more in some cases.
The government of President Nicolás Maduro has explained that the computer brain of the Guri hydroelectric power station (ARDAS System) and the brain of the distribution system of Corpoelec (in Caracas) –the state-owned electric power company in the country (nationalized last decade by President Chavez from the US corporation AES)– were victims of cyber attacks that made it impossible for the systems to continue to work for many hours. Also, transmission lines of great importance would have been attacked, necessitating the service restoration to be restarted and causing additional delays.
Although circumstantial evidence has been presented, so far no technical information has been presented on how the attack occurred, nor has there been any evidence or traces left by the perpetrators of the attack. The reasons are obvious: the attack just ended a few days ago, and most likely you want to avoid giving information to perpetrators, allowing them to resume attacks or to delete information that can identify them.
This, of course, has caused national and international sectors to reject that the failure was caused by an external attack. They attribute it, rather, to lack of maintenance, incompetence, corruption and errors of the government, although they do not offer more evidence about their own claims.
And, actually, I do not blame them. Since 1991 I am passionate about computer science and programming, in 1997 I graduated as a computer technician and in 2006 I graduated from the Central University of Venezuela with a degree in Computing.
In my professional life, I have often seen people who resort to technicians asking for help, saying that their computer don’t work because they “hacked me” or “have a virus”. When the technicians sit down to examine it, they find that the cause of the problem, most of the times, are related to errors of the user, mis-installed applications or a problem in the computer hardware, including mouse balls that are dirty or keyboards with the keys pasted because they are full of leftovers. With this I am not saying that sabotage doesn’t exist, but often there are other explanations, so specialized multidisciplinary personnel should be the ones who determine the causes.
For that reason, it is that technicians tend to be very skeptical when failures such as those experienced on March 7 in Venezuela are attributed to cyber attacks, and no technical evidence is presented. They are critical facilities, which are physically disconnected from the Internet and have large caliber protections. It is not the same as hacking a website, which by being connected 24 hours, can be a victim of many types of attacks at any time.
Still, I say something: I do believe that the 7-M was a cyber attack, and I have many reasons to think so. Although I have not handled technical information or direct evidence about the causes of the incident, and even though I am not an electrical engineer, there are a number of circumstantial arguments that make me think that the March 7 incident was provoked. I want to synthesize them in this writing, and I would love to hear your opinions about them, which you can leave as comments in this article, or you can write to my Twitter account @lubrio or my Facebook wall.
The context: The electrical fault occurs in the middle of an attempt to depose Maduro
Since last January, the government of Venezuela has been the victim of a frontal and undisguised attack by the Trump administration to depose it. It is public, notorious and communicational. The whole planet talks about it.
Since that month, Venezuela is full of hundreds of journalists and correspondents from international media who expect an “outcome” at any moment.
The US president has even said publicly that he does not rule out a military intervention against Venezuela , and that “all options are on the table including different forms of intervention. The main spokesmen of the US government (from Elliott Abrams, sent from the US government to Venezuela, including Secretary of State Mike Pompeo, US Vice President Mike Pence and President Donald Trump ) have been in charge of issuing statements almost daily threatening Venezuelan President Nicolás Maduro, his government, the military chiefs and ordinary citizens who support him.
Since then, Guaidó has called for marches, demonstrations, has achieved that between 30 and 50 governments recognize him as “president in charge”, has managed to increase the economic sanctions against Venezuela, and has made efforts so that the country be declared in ” humanitarian crisis”, in order to justify the entry of supposed “humanitarian aid” accompanied by military troops , which the Venezuelan government has denounced as the beginning of a foreign intervention. Guaidó does not rule out approving a decree “authorizing” said military intervention against the country that over which presumably he presides.
That is, they ask the military in public to execute a coup d’état.
I do not know if in other countries it is normal for a politician to ask his military to depose the current president, but in Venezuela it is, as you can see below.
Guaidó has given ultimatums practically every week, saying that high-ranking military officers are about to speak out against Maduro, which worries a part of the population a lot because of the consequences that can be caused by a military coup. We live in Latin America, a continent whose peoples have had to deal with and endure military dictators such as Pinochet, Videla, Stroessner or Somoza, many of them supported by the United States, and the last thing we want is to repeat experiences like these.
Fortunately, the prophecies of Guaidó have not been fulfilled and in the end nothing happens. January 30, February 2, on February 12 or March 4, 2019 were some of the dates that were expected great events predicted by Guaidó, which finally never happened .
The most serious of the incidents occurred on February 23, when trucks with alleged help sent by USAID (US government agency) attempted to enter by force at border crossings from Colombia to Venezuela , despite the fact that this country had closed its borders. The trucks were accompanied by groups of rioters presented as “peaceful protesters” to try to legitimize and present the ingress as an “achievement of civil society.”
But these protesters, with stones and Molotov cocktails, tried to get rid of the Bolivarian National Guard troops that looked after the Venezuelan side of the border so that the trucks could not enter by force. The scuffle left many injured that day and caused two of the trucks to catch fire, generating false accusations that Maduro had ordered them to be burned .
Aerial photo of the Francisco de Paula Santander bridge with trucks burned, spread by social networks.
Many of us watched the events on television and wondered what would happen if, on the border between Mexico and the United States, someone took four trucks and decided to force them from the Mexican side to the US, without permission from the authorities of that country. Would not their security forces annihilate them with full lethal power? Why would everyone justify the United States defending its sovereignty like that, but Venezuela can not defend its own?
The Venezuelan government insists that they do not need 4 trucks with supposed “humanitarian aid” to enter our country. (That is too little to help 30 million people, without mentioning the hidden intentions). What they need is that the sanctions and the blockade of billions of dollars that the Venezuelan State maintains in banks in the United States and Europe should cease, in order to allow it to acquire food and medicines, as has been done for countries all over the world.
The convenient blackout
After February 23, it seemed that the political arsenal of Guaidó’s actions against Maduro had run out. The opposition politician had nothing left but to call for peaceful demonstrations, which only served to generate a photo op for the media. Spokespersons from the United States had stated that, for the time being, there were no intentions to carry out a military intervention. The followers of Guaidó were frustrated and the attendance at their marches began to decline. The country recovered slowly and even the economic indicators began to improve a little.
In that moment in which all the supporters of Guaidó wondered what else could be done to overthrow Maduro, Thursday, March 7 arrives. That day, at 4:54 in the afternoon, during the peak hour, the longest blackout in Venezuelan history happened, which immediately affected other public services such as transportation and drinking water.
The blackout affected the inhabitants of 20 of the country’s 23 states, and it is said that it left 80% of the Venezuelan population without electricity, that is, some 24 million people.
We can not leave aside the discussion on public services in Venezuela, its maintenance problems, personnel and salaries, but is it not at least very casual and convenient that this serious blackout has occurred just at the time when most of them (right wingers) needed it, in a way that has affected so many people in such a serious way?
Of course, this is no more than what the lawyers would call circumstantial evidence, an indication, something indirect. But in Venezuela, one is already used to not believing in coincidences when a problem like this happens so conveniently.
Does the United States have the capacity to carry out these cyber attacks against public services? Do they have a reasons? Have they done it before?
On the one hand, we know that the United States is the main mobilizer of actions to depose the government of Venezuela. Its own President does not tire of repeating that “all options are on the table” in order to achieve the exit of Nicolás Maduro.
When he uses that phrase, the option of a military invasion comes to mind, but this type of action involves mobilizing troops of young US soldiers to fight in countries they do not know, for reasons that do not matter to them. It is not the same a soldier who is mobilized to another country to fight for transnational corporation to seize its oil, than a soldier who fights against invaders to protect his family (and country).
This type of incursions generates strong internal protests on the part of the Americans themselves and reduces the popularity of the government in power, taking away the possibility of re-election. That is why presidents like Barack Obama preferred to intervene in Libya with bombing, use of missiles and financing mercenaries, “rebels” and paramilitaries, rather than making a direct incursion with their soldiers, as was done in Iraq or Afghanistan.
The photo that you do not want to be repeated
Therefore, when it is said that “all options are on the table”, this also involves options not necessarily invasion.
Today there is much talk of low intensity wars, which consist in attacking an enemy country not militarily and directly, but by taking actions that can not be attributed to the attacking government, but that cause discontent in the population of the country attacked and and ending up in the same population getting rid of their own government. These operations have the advantage that they can only be tested decades after they are executed, when nobody cares anymore. Today everyone knows about the participation of the US government in the overthrow of Salvador Allende, with abundant evidence, but at the time there was no way to prove it (although it was inferred) and very few people cared. Dozens of similar cases in Latin America have occurred throughout the twentieth century, and have only remained as anecdotes for history.
The generation of a “great national blackout” that can be attributed to Venezuelan government incompetence is part of the “options that are on the table” of Donald Trump? A national electrical blackout that can take days or weeks to be solved, is an “excellent” way (for them) to generate discontent in the population, in order to cause panic, anxiety, chaos and that it is the same population that ends up deposing their leaders, or at least causing a level of disaster such that the entry of “multinational troops” into the country is justified in order to “restore order” and “bring aid” .
The electric blackouts also cause a lack of potable water due to pumping stations not being able to operate (without electricity) , affected public transport (services such as the Metro and similar) and the production, conservation and storage of food . They affect telecommunications, telephony and the Internet and prevent people from being able to communicate with their family and friends. They affect hospitals and health centers, which can cause fatalities in operating rooms and intensive care units.
Now, we are clear that accusing a country of causing blackouts to overthrow an enemy government is a very serious, heavy accusation that has to be proven. In fact, there are several questions that someone can ask us about it.
Does the United States have the capacity to make these attacks?
Have they done that in the past?
Well, let’s see:
The United States is the country that has two agencies, such as the CIA (Central Intelligence Agency) and the NSA (National Security Agency), they conduct massive surveillance operations and sabotage against all those governments and countries that affect their interests. You do not have to remember all the revelations Edward Snowden made about it.
Since 2009, the United States has a branch of its Army dedicated to cyber warfare, that is, to carry out cyber attacks and to protect itself from them. This is the USCYBERCOM, Cyber Command or Cybercomando, its website is www.cybercom.mil and its current commander is General Paul M. Nakasone, who is also the director of the NSA. Its mission is the direct protection of US computer systems, but also the execution of cyber attacks to protect the interests of the United States. Its headquarters are in Fort Meade, Maryland, where the NSA is also located.
Now, has the United States used its agencies to carry out cyber attacks in countries that they consider their enemies? After decades of Cold War and silent confrontation between the United States and its rivals, it would be incredible that this had not happened before.
Precedents: Sabotage to a Soviet gas pipeline in 1982
In fact, the book At the Abyss: An Insider’s History of the Cold War written by Thomas C. Reed, affirms that American spies sabotaged a trans-Siberian gas pipeline between 1981 and 1982, creating a Canadian front company to sell automation technology for said gas pipeline. Officials would have sold chips and altered electronic components that modified “the pump speed and valve configuration to produce pressures beyond those acceptable for pipe joints and welds,” Reed wrote two decades later.
“The result was the most monumental explosion ever seen from space”, in an incident that occurred in October or November 1982. Fortunately, it did not produce fatalities. The story has not been confirmed either by US or Russian authorities, who allege that the incident was a natural gas explosion caused by construction problems.
The Stuxnet virus, the first cyber attack prepared by a Nation-State
All right. Thanks to The Washington Post and other US media, we know today that the George W. Bush administration launched the ” Olympic Games ” operation in 2006 , a secret program to sabotage Iran’s nuclear program, which they said was aimed at generating an atomic bomb.
The concept of the cyber attack was raised by the American General James E. Cartwright, who was at that time the head of the Strategic Command of that country, with the support of the director of the NSA Keith Alexander, who had the personnel with the knowledge to develop the idea.
Thus, the operation “Olympic Games” became a collaborative effort between the NSA, the CIA and the government of Israel, one of the main stakeholders in sabotaging Iran.
How does it work?
The project “Olympic Games” basically sought to create a “malware”, trojan or computer virus that could be inserted in the Iranian centrifuges, machines used in their nuclear plants in order to perform part of the process of enriching uranium.
The centrifuges are very similar to a washing machine in its operation: “a container that spins at high speed to separate two elements that are mixed in one case is clothing and water, and in the other, two types of uranium ” explains the Quo website . It is required to separate uranium 238 from uranium 235, which are mixed in nature, but only uranium 235 is appropriate as a nuclear fuel.
Iranian centrifuges. Photo: CC BY 2.0 / Nuclear Regulatory Commission / Via Sputnik
In order to work, the centrifuges are connected to electronic equipment, called programmable logic controller (PLC) . A PLC can read data from sensors located in the centrifuges, such as temperature, speed, humidity and the like, and from those parameters it can decide to open and close valves, control motors, robotic arms, relays, open or close doors, etc.
For that, the PLC requires software installed in a computer. This software allows an operator to review the different parameters and program actions based on these parameters, such as turning a device on or off, lowering or increasing the speed, etc.
The virus generated by the teams of NSA programmers, called ” Stuxnet “, infected one computer after another in a computer network, and looked at each of those computers if the Step7 software was installed for programming PLCs , developed by the German company Siemens. Step7 allows programmers and operators to interact with the PLCs of the centrifuges and give them instructions. For example: “if the temperature reaches N degrees centigrade, make the engine turn slower”.
Once detected the presence of Step7 in a computer, Stuxnet modifies the parameters of the PLC, causing the centrifuges to turn faster or slower than normal, in order to damage them or damage the processes they performed.
Stuxnet was so well designed, it even delivered false information to operators. IE., although it caused a centrifuge to spin faster or slower than normal, this was not shown to the operators, who saw on their screens numbers that made them think that everything was normal.
In this way, the equipment was damaged without the operators being aware of the anomalies.
But in addition, Stuxnet was designed as a platform to attack supervisory control and data acquisition systems (SCADA), which are large software systems designed to monitor and automate industrial processes.
A typical SCADA is used in the electronic brain of a plant, factory, industry or automation center
SCADA works as control centers or “automated brains” from where technicians supervise, activate and deactivate the different automated processes of the industrial plant. Generally computer networks are used so that the SCADA is connected to different industrial equipment and PLCs, which can be monitored, controlled, activated and deactivated.
“Now it is known that the aim of Stuxnet was only the Siemens SCADA that pointed to very specific industrial processes”, explains Stamatis Karnouskos, a specialist of the German company SAP Research, in a paper that he published in 2011 after analyzing Stuxnet .
“Stuxnet infects the project files of the Siemens WinCC control software and the SCADA Siemens PCS7 and intercepts communications between WinCC, which runs under Windows, and PLC equipment connected to the computer, when both are connected through a data cable (known as ‘man in the middle’ attack) ” .
Infographic done by L-Dopa and the IEEE, indicating how Stuxnet works. Translated by me Click on it to see it in better size.
A problem that the designers of this computer weapon had, was that the Iranian centrifuges and the equipment of the Iranian nuclear plants were not connected to Internet for reasons of security, reason why the CIA and the Israelis had to resort to spies and accomplices ( including workers, engineers and technicians from Iranian plants) to get any of them to connect an infected device in one of the nuclear plant’s systems.
For this reason, they designed Stuxnet with the idea that it could infect computers from a USB flash drive or USB stick., simply by connecting it to a Windows computer at the nuclear plant. If that computer is in a network, it can infect the rest of the equipment in the plant from there.
Stuxnet would have been implemented simply by placing a pendrive in a computer on the network. Photo: referential
On the other hand, Stuxnet used a “digital signature” (a long, encrypted key) stolen from genuine pieces of software, to appear legitimate to Windows. When a program is installed, that operating system usually checks those digital signatures: if it does not have them or if they are invalid, it presents an error message like the one below, which should cause suspicions in the operators that something strange is happening. If Windows believes that the signature is valid, it does not present a message.
Thanks to Stuxnet using “stolen” digital signatures, this message did not appear when inserting an infected pendrive to install itself.
Creating the malware took months of testing and development. In 2008 it began to be effective when some centrifuges started spinning at speeds faster than normal until the sensitive components began to deform and break.
On the effects in the Iranian centrifuges, El País of Spain reported : “These began to operate defectively, too quickly or too slowly. (The Iranians) quarantined a good part of their equipment and they fired some of the technicians, suspecting sabotage. Finally, they could identify Stuxnet, which at that time was already out of control, even for the North American authorities. In the summer of 2010, due to a programming error, the Trojan infected the laptop of an Iranian scientist, who unintentionally spread it on the Internet. Media around the world echoed it in 2010, and he was christened Stuxnet, infecting thousands of computers in Iran, Indonesia, India and the United States, among other nations. ”
When Stuxnet was discovered by major companies in computer security and antivirus of the world, the first thing that amazed them was their high level of complexity. Clearly it was not a virus made by boys without anything to do or by cyber-crackers interested in stealing credit cards, but it required a multidisciplinary team of people working for months, which included computer experts, virus designers, experts in industrial processes and specialists in Siemens SCADA and PLC. The virus, in addition, took advantage of Windows errors that, for that moment, were unknown to the experts.
The US government felt that the “Olympic Games” program was very successful, so much so that, when the transition from Bush to Obama took place in 2009, the new President decided to continue with the secret program, as The New York Times and El Pais from Spain revealed years later .
In fact, Obama continued to support the program in 2010, when a malware is discovered and released by antivirus and computer security companies around the world.
Bush managed to convince Obama to give continuity to the “Olympic Games” operation that, together with Israel, developed the Stuxnet cybernetic weapon.
In spite of everything, the virus was not as successful as some presume, because the damaged centrifuges were quickly replaced by the Iranians. Although some 1,000 of Iran’s six thousand centrifuges were damaged, the International Atomic Energy Agency (IAEA) itself, which monitored the plant, acknowledged that the amount of enriched uranium generated was virtually unchanged .
Flame
After Stuxnet, Flame was discovered in 2012, another extremely complex malware developed to spy and steal information from public institutions in the Middle East.
Flame’s discovery was made public at the end of May 2012 after an investigation carried out between the International Union of Communications ( ITU ) and Kaspersky Lab, published here . They baptized it as the most complex cybernetic weapon created to date . Although it seemed to be something totally different from Stuxnet, the researchers realized that the creators of both projects maintained contact and shared source code and modules between both programs.
Then, in June 2012, US government sources confirmed to The Washington Post that the United States and Israel developed Flame jointly , to – again – attack Iran’s nuclear power plants. The newspaper confirmed that Flame was also created in the “Olympic Games” program created by Bush and later backed by Obama.
The initial objective of the virus was to gather information from the computer networks of various Iranian institutions, to plan a cyber attack. There is a very complete analyzes of its source code, made by IT security companies such as ESET.
Nitro Zeus
As if the “Olympic Games” operation was not enough, Obama also ordered the creation of a new program to carry out cyber-attacks against Iran, should the negotiations over its nuclear program fail. Obama wanted to have “another option on the table” in addition to the conventional military attack, so the Nitro Zeus plan was created: a way to defuse critical elements of the Iranian infrastructure without firing a shot.
Nitro Zeus took cyberwar operations “to a new level,” said one participant interviewed by the US newspaper. The plan was intended to “turn off the electricity grid in much of Iran” if the United States decided to go into military conflict with that country, notes The New York Times in another article, written in November 2018 by David E. Sanger . “Such use of cybernetic weapons is now a key element in the planning of a war by all the major world powers,” in what is now called “hybrid conflicts.”
The plan involved making “all electrical grid systems, Iranian communications and financial systems were infected or had back doors , ” says Business Insider According to the documentary, Nitro Zeus is incorporated into computer systems during the design phase without its users knowing, unlike Stuxnet, which load on a finished system using a pendrive or USB memory.” This built-in feature allows a more secure and effective cyber attack.”
To put back doors into the system during its design, it is obviously required that some of the people and companies in charge of selling or installing these systems be agents or work for the US government.
Gibney, director of the documentary Zero Days, and his research team led by Javier Botero, interviewed participants in the project, who revealed details of the effort to place “implants” in Iran’s computer networks that could be used to monitor the country’s activities. and, if requested by the US President, to attack its infrastructure.
The planning of Nitro Zeus involved thousands of US military and intelligence personnel, using tens of millions of dollars. Sanger believes that Nitro Zeus played an important role in the decision of the United States government, not to sign in 2018 a document proposed by France and signed by 50 countries, whichan international call to prevent cyber attacks that affect civilians and ordinary citizens .
The development of Nitro Zeus in conjunction with the Olympic Games program “demonstrates the critical role that cyber operations play in military planning and covert intelligence operations,” the newspaper said.
The New York Times recalls that only the President of the United States can authorize an offensive cyber attack against a country, in the same way that only the President can approve the use of nuclear weapons, which was revealed by Edward Snowden at the time.
In 2011, anyone could create their own “Stuxnet”
The point is clear: the United States government was the first to openly use cybernetic weapons to attack infrastructures of “enemy” countries, which opened a “Pandora’s box”, as the company Kaspersky pointed out at the time in reference to the famous piece of Greek mythology that, when opened, frees all the evils of the world.
This has served as a justification for other countries to also initiate cyber defense departments, either to protect themselves from these attacks but also to learn to make retaliatory attacks. The same thing has happened throughout history, when the United States was also the first country to create chemical, biological or nuclear weapons,and many others made their own developments to protect themselves.
But by 2011, not only nation-states but political, business and criminal groups had learned to use this type of cybernetic weapons.
Dillon Beresford, a security consultant in Texas, read in Wired magazine an article on Stuxnet and the attacks on Iran and wondered how much a nation-state was required to replicate such attacks on industrial infrastructures and public services . “It inspired me,” Beresford said in an interview with The Washington Post . “I wanted to refute that it would take a nation-state to achieve this.”
As of January 2011, Beresford worked almost nonstop for two and a half months. He focused on investigating the line of programmable logic controllers (PLC) Siemens S7, which, as explained above, are used to monitor industrial equipment and machinery and, according to parameters read from their sensors, to activate, deactivate or modify their operation.
Like any good hacker, Beresford devoted himself to research and found an online source library, created by a German programmer, which included source code for a wide variety of computers and PLCs, including the Siemens S7. Night after night he studied them, focusing on the protocol used by the machine to communicate with other teams.
Beresford convinced his boss, of the computer security company NSS Labs, to buy him this equipment to make tests, and he agreed thinking about the free publicity that his firm would obtain for discovering security flaws.
Dillon Beresford
When studying them, he found numerous security vulnerabilities in the computers, as well as backdoors that allowed him to read his internal memory and his passwords. In the book “Cyber Shadows: Power, Crime, and Hacking Everyone”, written by Carolyn Nordstrom and Lisa Carlson, it is explained that Beresfold developed software very similar to Stuxnet to violate the Siemens S7 “in his room, in two and a half months , working in his spare time after returning from work, he did it with a limited budget and no previous experience in the industrial control software (ICS) that they were hacking. ”
In May 2011, Beresford sent its conclusions to the ICS-CERT (Cyber-Emergencies Response Team of Industrial Control Systems, institution of the Department of Homeland Security of the United States government ), who studied and confirmed their work . In an alert issued on July 5, the agency announced that it was working with Siemens to resolve the vulnerabilities of the S7.
Beresford boasted and explained that “any average man, your typical hacker, could replicate this very easily,” proving that a nation-state was no longer required to make attacks similar to Stuxnet. Beresford, in fact, used Shodan, a web browser for connected systems, by which he reported that, at that time, there were more than 100 Siemens S7 devices connected to the Internet, “all of them potential targets”.
The researcher planned to demonstrate what he had discovered at the TakeDown computer security conference in Dallas, Texas, entitled “Chain Reacts – Hacking a SCADA,” in which they would disseminate their findings about vulnerabilities in Siemens systems. A summary of the conference noted: “We will demonstrate how a group of motivated attackers can penetrate even the most heavily fortified facilities in the world, without the backing of a nation-state.” We will also present how to write industrial-grade malware without direct access to the target hardware. ”
But then they were contacted by representatives of the Department of Homeland Security of the US government and by the company Siemens, who asked him not to publicly disclose the findings . For that reason, they suspended the conference. “We were asked if we could refrain from providing that information at this time,” Beresford told CNET technology portal . “I decided on my own that the best thing would be not to disclose the information.”
Although one might think that Beresford was threatened, it is likely that the company NSS Labs for which he worked has taken the decision to suspend the conference, in order to maintain good relations with Siemens and be hired by it. Beresford continued working with Siemens looking for vulnerabilities in company equipment, and by 2015 had helped correct 18 critical vulnerabilities in industrial products of the German company.
Venezuelan journalist Ricardo Durán (killed by right wing mercenaries a few years back) made reference to this case in interviews conducted in 2011 on the Venezuelan broadcaster Alba Ciudad. He noted that Siemens industrial control equipment was used in the Venezuelan electricity industry and that two Venezuelan engineers who were sent to Canada at that time to sign a contract renewing the use of these equipment, were detained for a few days in the United States because they refused to sign an agreement that prohibited them to spread the vulnerabilities discovered in these teams.
After Stuxnet and Flame, other viruses, malwares and Trojans with capabilities to attack industrial control equipment, PLCs and SCADAs began to appear on the Internet.
We present below some of the best known cases, including the first cases of blackouts caused by cyber attacks.
Harvex
In June 2014 there were reports of attacks against several companies using Harvex, a remote access Trojan that collects data from SCADA systems. The Finnish antivirus company F-Secure discovered that among the victims were two large educational organizations in France, as well as a producer of industrial machinery in that country, and two German manufacturers of machines and industrial applications.
A company was also affected in California, United States. At that time , 88 variations of Harvex had been detected, used to “obtain access and collect data from networks and machines of interest”.
Ukraine: the first use of malware to cause electric blackouts
Although Stuxnet was used for an attack on Iran’s nuclear plants, there are no records that it has affected in any way the public services of that country.
It is considered that the first successful cyber attack against a country’s electrical network occurred on December 23, 2015 in Ukraine. The attackers were able to compromise the information systems of three power distribution companies and temporarily interrupt the supply of electricity in the Ivano-Frankivsk region, leaving 250,000 people without electricity at a time of the year when there is extreme cold .
The attackers used the BlackEnergy malware to have remote access to the computers of the power station, in an operation that took a while while using different techniques to steal passwords and information from the workers of the company. The computer security company ESET explains that the attackers sent emails with infected Microsoft Office documents, which when opened by workers from the electricity companies installed the BlackEnergy Trojan on their computer.
Once the computer was infected, the attackers used it to enter it without the workers of the electricity companies finding out, and thus they stole their passwords, they explored the company network and they investigated how to enter the SCADA of the control center, overcoming the computer security provided by firewalls, VPN and other mechanisms.
On the day planned by the attackers, they proceeded to cut off electricity, made massive telephone calls to power plants’ public service centers so that legitimate users could not communicate and report power failures, and tried to damage the configuration of the systems SCADA to hinder the reactivation of the electrical system.
For this, the attackers also used a malware called ” KillDisk “, which ices or freezes the computers of the operators when damaging the files of the operating system, and also damages the boot sector of the hard disks, in such a way that, if the operator decides to restart the computer, this one no longer loads the operating system.
According to Wired magazine, the most affected by the attack were the consumers of the energy company Prykarpattya Oblenergo, of which 30 electrical substations went out and approximately 230 thousand people were without electricity during a period between 1 to 6 hours. Two months later, the Ukrainian control centers had not yet fully recovered from the attack, according to a report by the US government .
Headquarters of the energy company Prykarpattya Oblenergo, the main affected by the attack
The Ukrainian government and the Western media attributed these attacks to Russia, or Russian hackers, due to the tension that exists between these two countries after Russia regained Crimea in 2014. It is said that, since that conflict, thousands have been carried out of cyber attacks against Ukraine, allegedly by groups of Russian hackers.
However, Robert M. Lee, one of the experts cited by Wired, says that although the attack was very well planned and sophisticated, “it did not necessarily have to be done by a nation-state.” He found indications that multiple actors collaborated to create the attack.
It must be taken into account that on November 21, 2015, one month before the blackout of December 23,Ukrainian ultranationalist groups placed explosives in power towers that carry electricity to Crimea, the Ukrainian region that was annexed or recovered by Russia in 2014, leaving two million inhabitants of that region without electricity, including a Russian naval base. Hence, some believe that Russia, Russian or Crimean hackers were the ones who carried out the attack in revenge.
Energy towers demolished by a possible sabotage of Ukrainian extremists, which left part of Crimea powerless in November 2015.
However, experts agree that the computer attack on electricity companies in Ukraine had to be planned several months in advance, long before the attack on electricity pylons.
But we must also remember that, most of the time, cyber attacks are made using computers that have been penetrated by the attackers without their owners knowing. Only time will reveal who actually carried out the attacks on the Ukrainian electricity grid.
Industroyer
On December 17, 2016, a new power outage affected regions of Ukraine, including its capital, Kiev. The blackout lasted an hour and affected a fifth of the city’s consumption, according to the energy company Ukrenergo. It affected the Pivnichna substation on the outskirts of Kiev, and left 230,000 people without power in part of the Ukrainian capital and its surroundings.
On January 18, 2017, Ukrenergo company sources confirmed to Reuters that work stations and SCADAs linked to the 330-kilowatt substation “Norte” were affected by external attackers. “The analysis of the impact of the symptoms on the initial data of these systems indicates a premeditated and multilevel invasion” Ukrenergo said.
At that time, law enforcement officials and cyber experts were still working to establish a chronology of events, develop a list of compromised accounts and determine the point of penetration, while track potentially infected computers with malware.
The Ukrainian authorities determined that the flaw was due to a cyber attack using a new malware, called Industroyer. Computer security company Panda analyzed the virus, explaining that it has the abilityto “take over remotely the circuits that control a power plant.” To do this, it uses industrial communication protocols, used in all the world’s electricity factories, as well as control systems that are used in another type of industries such as water or gas supply “. The ESET company drew the same conclusions in its analysis .
Industroyer is much more worrisome than BlackEnergy or Havox for a simple reason: while the first two are spies, Industroyer is specifically made to look for industrial control systems and looks like Stuxnet in that they seek to destroy in their path .
The key is that, to this day, electrical switches and circuit breakers are electronic . They can be programmed to perform various functions, and the functioning of the entire electrical network depends on them. These stations with Windows were directly connected to the protection systems, and that’s how Industroyer got out.
Once it has reached the electrical system, it waits patiently for it to arrive on December 17, 2016. When this date is reached, it executes an attack with several modules . These attacks are made to attack specific systems, taking advantage of specific vulnerabilities.
Siemens Siprotec
For example, one of the Industroyer modules uses a vulnerability present in Siemens SIPROTEC field devices (equipment to monitor, protect and control processes within power plants) that makes them useless. Industroyer just had to get to these devices, and I was programmed for it . He even had instructions to attack specific devices, such as those produced by General Electric .
Industroyer not only has surgical precision when attacking. In addition to deleting its trace, it also deletes several important entries from the system registry and overwrites the system files. In this way it prevents the computer from restarting, andit hinders the recovery of the electrical system .
Not only does it erase the evidence, it also tries to stop efforts to recover electricity after the attack.
They indicate that, with a few modifications to their code, this malware can attack a rail or maritime transport network, or even end the water or gas supply in an entire city.
Now that we know that the United States (and surely other countries and even groups of hackers and criminals) do have the ability to make cyber attacks on electrical installations, let’s see what happened in Venezuela on March 7.
The Venezuela case
As is well known, on Thursday, March 7 at 4:54 in the afternoon there was an electrical failure that interrupted the electric service almost nationally, at the time when hundreds of thousands of people left their jobs.
At 6:09 in the afternoon, the Venezuelan electricity minister, Luis Motta Domínguez, reported that it was an attack on the generation and transmission system at the Guri hydroelectric plant , which they estimated to recover within 3 hours. They still had no idea of the magnitude of it. In any case, few people could hear it.
If a malevolent mind had to decide what time to start an electric sabotage in Venezuela to cause the greatest possible dislike in the population, assuredly it would choose the time of departure of work: it is the moment in which people are exhausted, just think about getting home, and the last thing they want is to have to face a collapsed public transportation system. In Caracas, the Metro depends entirely on electricity and serves two million people a day. In an outage, the buses become insufficient. The consequence: millions of people had to walk through the city, in some cases for several hours, until they reached their homes.
Photo: EPA / BBC
Many people who work in Caracas live in nearby cities and use the Valles del Tuy electric railway or the Los Teques Metro to get there. Even when the government of Miranda enabled buses, they were not enough either and thousands of people had to patiently wait in long queues that extended early on March 8 to reach their homes. The buses of the government worked heroically without stopping all that time.
The failure immediately affected all mobile cellular telephone systems of the three companies that provide the service in the country (two private and one public); It was impossible to make calls of any kind, or have access to Internet browsing. There was no signal. It was not until half an hour after the failure that some telephone companies began to operate.
Movilnet , the cellular telephone company of the State, experienced persistent failures and it was impossible to communicate for at least 3 days in most of the country. Cantv, that provides fixed telephony, had serious problems, with sectors that for days did not have tone, or that had it but they did not leave messages, not even to other fixed telephones of the same Cantv. None of the companies has publicly denounced having been the victim of any sabotage.
He indicated that ARDAS is “a kind of computerized electronic brain that regulates the 20 machines of the Guri.” If there is an increase in voltage and electrical demand, the system tells the Guri machines that they must activate and increase the revolution so that If you are working too much, the system tells you to lower it a little bit. “When this system is attacked, for protection the Guri machines stop,” explained Rodríguez.
President Nicolás Maduro gave more details on Monday, March 11. “The first cyber attack went to the brain of the company Corpoelec in the generation there in Guayana, in Guri, in Macagua.” He indicated that it is the computerized system that processes, carries, conducts, directs and self-regulates the entire generation process and all the electricity transmission service in the country. “The screens went black, the driving map was lost. That’s how we stayed for more than 36 hours. ”
But it also revealed for the first time that there was another simultaneous cyber attack, from the outside to the distribution control center of the state energy company Corpoelec, which is in Caracas and that controls the transmission and distribution at the national level. “It is the national brain, to drive the electrical system, as in any country, which remains in Caracas, it was also black, canceled, was left dead”.
He also described that there were attacks on the transmission lines, which, he explained, would have been carried out “using mobile devices that emit electromagnetic signals.”
In addition, an electrical substation exploded on March 11 at dawn in La Ciudadela, Baruta, one of the 5 municipalities of Caracas, leaving half of the inhabitants of the municipality without electricity at a time when they had already recovered the service in almost the entire capital. Maduro described it as another phase of sabotage to the electrical system.
Maduro on March 11 showing the explosion in the electric substation of La Ciudadela, occurred hours before.
Maduro also said that “cyber attack against the electrical system, the telecommunications and Internet” was directed “from Houston and from Chicago, from two cities in the US , ” another speech on March 12 . It is important to note that the sabotage of public companies of the Venezuelan State have many precedents. The government of Maduro and its predecessor, Hugo Chávez, have been confronted frontally and permanently with the administration of the United States since 2001, when the approval of laws of agrarian reform and protection of the oil industry showed that Chavez was not a charlatan, but someone who was willing to carry out a nationalist revolution in his country to improve the living conditions of its citizens.
What is in dispute after the problems in Venezuela, is the control of the immense natural resources under its subsoil: oil, iron, bauxite, gold, diamonds, coltan and rare elements. In addition, there are immensely fertile and cultivable lands throughout the year and it has beautiful tourist potentials. All this is of great interest to the transnational corporations that make up the establishment American and European. The great closeness of Venezuela to the United States, in relation to other oil suppliers, is combined with the colonialist character that this country maintains with the Latin American nations, from whom it expects an attitude of submission. Not even Barack Obama, perhaps the most progressive of the US leaders in the last 20 years, was devoid of this attitude.
In April 2002, Chávez was on the verge of being deposed by a coup d’état, caused in large part by the United States’ interest in controlling the country and its oil industry. One of the triggers of the coup was that Chávez had removed, on April 8, senior managers of the state oil company PDVSA, a group of technocrats who openly rejected and despised him for his past as a soldier, and who did not accept his intentions to know better how the industry worked, in order to make changes in it.
Chavez had appointed new PDVSA managers in February, who came from outside the industry, but the top managers rejected them, alleging that this broke the meritocratic culture of the organization. Chávez wanted to reduce the immense operating expenses of the state oil company and redirect a portion of its profits to the creation of social care plans that would help alleviate the problems of poverty and inequality.
Hugo Chávez returning to the Miraflores palace on April 14, 2002 at dawn.
After the April coup failed, Chávez adopted a conciliatory attitude, accepted the resignation of the PDVSA managers he had appointed and reinstated those he had fired. But these, in December, joined the Venezuelan opposition in a 62-day business strike that paralyzed the country.
The top managers and middle managers of the Venezuelan state-run PDVSA, including engineers and employees with university degrees who lived in the big cities, joined the strike, while the workers and technicians who lived in the oil fields, however, yes they were with Chavez. Because these middle managers controlled the electronic brain and automated systems for control of processing and distribution, they used their knowledge to paralyze and sabotage the industry and bring production to zero .
In fact, the oil brain of the industry was privatized . The private company Intesa, with 40 percent share in PDVSA and 60 percent held by the American company SAIC , was the one that administered the PDVSA system that controlled the industrial processes. SAIC’s own website showed and still shows with pride that several of its executives came from the US Army and had extensive experience working with intelligence agencies and branches of the armed forces of that country, in the development and consolidation of projects of all kinds. That is to say, PDVSA’s computer brain was under the control of the US agencies.
PDVSA was recovered thanks to the fact that a part of its professionals did not join the strike and they, working together with the workers of the industry and with the help of external technicians and engineers, regained control of the state oil company. A few weeks after the end of the strike, PDVSA was running again at 100 percent capacity.
Chávez was aware of the serious implications that the control centers and computer platforms of the Venezuelan companies and public institutions had been provided by corporations from First World countries, which could very easily look for a way to repeat a sabotage and a paralysis like the one in 2002. So the In December 2004, the president signed a decree to migrate the systems and platforms of the State to Free Software, called the “Presidential Decree 3,390”. This was a great news worldwide, but it was taken with a lot of skepticism and resistance in most public institutions. It was difficult for many to understand the need at a political and technical level of free software in institutions.
We, the members of the Free Software community, tried to explain its importance by reciting the famous four freedoms , as if we were religious evangelists. But more than installing Linux instead of Windows or changing Microsoft Office software by OpenOffice, what should be sought was that our engineers and technicians could understand perfectly how each piece and component of the systems worked in any industry: from machinery even the computers that controlled them (and their software), in such a way that, if any component failed, it could be repaired, modified, replaced or a solution could be devised by our own technicians,without having to resort to those foreign transnationals that could either refuse or implement components to spy on us or sabotage us.
That is the real sense of using Free Software and Free Hardware in the State. Venezuelans call this “technological independence.”
However, it is my opinion that the officials around Chávez in the areas of science and technology were not the best at explaining and motivating those changes. In fact, some of them changed sides and today they are radical opponents .
In the so-called “Free Software community”, to which I belong, many mistakes were also made. The vast majority were more able to change Windows to Linux in the computers and servers of public entities, when what should have been addressed from the very beginning were the SCADA and PLC applications of electronic brains and control centers of public institutions such as PDVSA, because these applications were provided – and continue to be provided – by transnationals from the United States and Germany.
However, a task like that is immense, expensive and requires many years of work.In institutions such as Pdvsa, Cantv or Corpoelec, this was treated with great secrecy and confidentiality, and the managers simply fled any project of migration of these electronic brains. They went the easiest way: to continue working with large corporations, which continued to install their powerful systems and were often “grateful”, paying “commissions” to the managers and managers who hired them (these “commissions” are illegal bribes and secrets that a corporation makes with public officials who make decisions in hiring, in order to “hook” them and ensure that they continue to hire them in the future).
Complaints by Ricardo Durán
But there were always people who denounced the inconvenience of this. The journalist Ricardo Durán, winner of the National Prize for Journalism and a person highly appreciated in Venezuela, made a series of investigations that he presented in 2011 about the problems in the Electric System of the country. Some of them were reflected in the portal of the Alba Ciudad radio station , where he was interviewed by Gustavo Villapol and Yrosva Michinaux.
Ricardo Durán
Durán explained that a SCADA system was acquired between 1994 and 1996 by La Electricidad de Caracas (EDC), which was then a private company. It was implemented in 2000, when the revolutionary process had just arrived, when EDC was already owned by the transnational AES. They said that this SCADA had the function “to operate and maintain the distribution of energy in Caracas and throughout Venezuela.” The scope of work included the delivery of hardware, software, documentation and training.
However, at that time the Venezuelan State made a study on the system and determined that “their vulnerabilities reached 50 percent” However, “in a strange way in 2010 “, when La Electricidad de Caracas had been nationalized and converted into part of Corpoelec, the same system was bought again, denouncing Venezuelan electrical engineers at that time. They were sent to Canada to sign the contract, but were detained for 10 days in the United States because they refused to sign an information privacy document that prohibited them from disclosing the vulnerability of the system.
He also denounced at that time the preferences given by the Human Resources department of Corpoelec to hiring openly right wing people to place them in key positions in the company (which facilitated finding people willing to carry out sabotages or, at least, not to report them. ). Many of the people who were fired from PDVSA in 2003 for participating in the oil strike ended up working in Corpoelec, he explained.
And although the generation and transmission capacity of the National Electric System at that time was more than enough for the country, however, power cuts frequently occurred because they were made through computer systems.
The journalist Duran was murdered in January 2016, in a case that initially was spread as a robbery, although nothing of value was stolen. Then, the sicariato thesis gained strength. They investigated fourteen active police of Chacao municipality. Twelve of them were released. By the time of writing this article, results of the investigations and the causes of his death are still awaited.
Ricardo Durán, Corpoelec and SNC Lavalin
Durán also denounced at that time, in 2011, the Canadian company SNC-Lavalin, a giant transnational of the construction world that works with plants and hydroelectric power stations, of which he indicated that he was responsible for installing SCADA systems for the control and distribution of electric power.
In this regard, it is necessary to remember that the spokeswoman of the Russian Foreign Ministry, María Zajárova, declared on March 15, days after the blackout in Venezuela , that the Venezuelan electric power sector was the target of attacks from abroad, people who knew the operation of the Canadian electrical equipment used in the South American country.
María Zajárova
Although the Russian official did not expressly indicate the Canadian company SNC Lavalin, this corporation has acquired a terrible reputation for being involved in very serious cases of corruption worldwide. It will be up to the Venezuelan authorities to investigate whether SNC Lavalin carried out acts of corruption to obtain its contracts with the Venezuelan electric power company Corpoelec, and if it used these to introduce equipment with vulnerabilities in the Venezuelan electricity system.
In 2012, the executive director of SNC Lavalin, Pierre Duhaime, was relieved of his duties in the company, although he received almost 5 million dollars in compensation . The company did internal investigations and discovered that Duhaime approved a series of”unauthorized payments” worth 56 million dollars, requested by the company’s former vice president of construction, Riadh Ben Aissa, in different countries. Financial Post notes that the payments were delivered by the company to people called “agents”: people and firms hired by SNC to “help the company to establish relationships with potential customers, obtain permits and, in general, provide assistance in places where wants to get contracts “: euphemisms for the delivery of commissions to corrupt officials.
“Of the more than 600 companies that are listed as forbidden to do business with the World Bank for acts of corruption, 117 are Canadians,which makes the country accumulate the largest number of companies in all countries included. Of these, 115 represent SNC-Lavalin and its subsidiaries , “he said in 2013 the Canadian publication Financial Post . Today , SNC is facing trial in Canada in which, if proven guilty, he could stop for 10 years have contracts in Canada.
The Prime Minister of Canada, Justin Trudeau, is accused of putting pressure on the then Attorney General Jody Wilson-Rayboul for corruption cases of SNC Lavalin
This scandal is causing very serious problems to the Canadian Prime Minister, Justin Trudeau , causing the resignation of several members of his cabinet and endangering his re-election, among other reasons, because he is accused of putting pressure on the former Attorney General, Jody Wilson- Rayboul, to avoid the prosecution of SNC through an extrajudicial agreement, with which she did not agree.
Conclusions
I know that many people find it difficult to trust the voices of the Venezuelan government. There is work done worldwide by the media and politicians against the government of Venezuela, from which they highlight their mistakes (real or supposed) and conceal their achievements, to convince the public that it is a gross and incapable government that They deserve to be evicted from power. This work of discrediting is at least 20 years old and has had consequences in the psyche of many people, who tend to represent any information that comes from their spokespersons.
I decided to write this article from Caracas, when it was still dark because of the blackout, and I started writing it, I barely had electricity. It took me several days, mainly doing it in my spare time, but I did it thinking about unifying in one place the great information that I have been handling for years on this subject, sure that, if this information was known by other people, they would not distrust so quickly the denunciations of the Venezuelan government regarding the cyber attacks, when in fact it is the obvious thing, the natural thing and what more could be expected, given the circumstances and the geopolitical context lived in the United States and in Venezuela.
On the issue of lack of maintenance in the Venezuelan electricity system, An article by Forbes, written on March 9 by Kalev Leetaru , an American academic and entrepreneur with more than 20 years of experience in the Internet world, points out that this could have been used by the US government as an excuse to deny their involvement in the attack on Venezuela. In fact, the lack of maintenance and the desertion of specialists is something that facilitates computer attacks.
Leetaru explained in Forbes that not only was it very likely that a hehco cyber attack had occurred in the United States, but the United States needed to deny it,and the best way to do it was to take advantage of the press information (real and supposed) that there were flaws in the maintenance of the Venezuelan electricity system, because that would make it easier to convince the public that they were not the cause.
Elliott Abrams, special envoy of the US government for Venezuela, also stuck to the script and said something similar on March 9, when he said that “the national blackout in Venezuela is a reminder that the infrastructure, once sophisticated in the country, has been looted and it has deteriorated under Maduro’s mismanagement. ”
We can not deny the problems that exist in the electrical system and in the country, but we can not deny that those problems also offer opportunities for saboteurs. The low salaries that are reported among the workers of the electrical industry facilitate finding willing people to sabotage the system in exchange for bribes, which is essential if you have to access the system remotely because you do not have an Internet connection, as Americans and Israelis must have done to implant the Stuxnet virus in Iran.
Maduro is aware that people within the industry who could help with the sabotage .” There are many infiltrators attacking the electricity industry from the inside, as happened in the 2002 and 2003 unemployments, but those moles will be discovered and punished,” denounced the head of state on March 9, when the blackout was still in the process of being resolved. .
The investigation
On March 12, President Maduro announced that a presidential commission was being created, which would be led by Vice President Delcy Rodríguez, vice president of the country, and will be invited by the Public Prosecutor’s Office, the National Scientific Council and the country’s scientific institutes, in order to investigate the blackout.
Maduro indicated that he has requested the incorporation of international specialists. “I will ask for the support of the UN, and also the active support of Russia, China, Iran, Cuba, countries with great experience in these issues of cyber attacks. We already have the support of these countries. ”
Russia responded a few days later, indicating that they are willing to collaborate in the investigations. “If an official request is received for our specialists to assist in the investigation, it will be considered very carefully,” said Russian Foreign Ministry spokeswoman María Zajárova on March 15.
However, it is necessary that specialists in computer forensics and other related disciplines collect evidence and present them, on the way in which the cyber attack was carried out in Venezuela. It is important to determine exactly how the cyber attack was carried out, in order to correct any vulnerability that still exists not only in the national electricity industry, but also in the control systems, SCADA, PLC and computer systems of any other national public company.This must be done as soon as possible.
Another very common problem is that when a computer suffers a hack or real computer attack, often the rush to resume regular operations make the staff format the computer and reinstall applications from scratch,thus losing logs, records and any evidence that can be used to determine who were the culprits. Therefore, it is better to protect the affected teams (or at least some of them) and not touch them until experts can review them.
And of course it is necessary for the government to answer many questions that we all ask ourselves.
Why, with the country having so many thermoelectric plants in practically all the states, which could have been operational hours or minutes after the blackout, were they not activated?
Corpoelec workers have been making public complaints for years about low salaries and the problems of job desertion that this has caused. In this regard, President Maduro also informed, in a visit he made this March 16 to the three hydroelectric power stations that exist in the Caroní River (Guri, Macagua and Cariachi) that there will be a profound restructuring in the public company Corpoelec.
Nor have official explanations been given about the serious problems that the public telecommunications companies Movilnet and Cantv had during the blackout, although we did know about the hard effort made by their workers to recover their operation.
We hope that soon, in the near future, we will not only have much more information about this cyber attack, but that it will help to protect the Venezuelan electrical system, since circumstances like the ones that Venezuelans live on March 7 do not repeat themselves.
He is passionate about computer science since he was about 14 years old, at that age “a man gave me a small computer that he had bought in the eighties, of those that were connected to a television and had to be programmed to work (a Sinclair ZX81 ), and I really liked it.” On his political inclination, his parents were a great influence. “They were people of very humble origins, both emigrants, dissatisfied with injustice and inequality. But they were not militants of the left. I had many other influences, classmates in HS whose parents were on the left, as well as several teachers who were trained in the Pedagogical and gave us classes at a time as conflictive as it was the presidency of CAP and the military insurrection of Chávez ” He enrolled in the UCV and in 2006 he graduated in Computing, a career that he complements with popular communication in the digital field.