The NATO Computer Incident Response Capability (NCIRC) informed Turkish authorities of a cyber espionage attack, codenamed SNAKE, on Turkey’s state-owned energy giant the Petroleum Pipeline Corporation (BOTAŞ) by a Russian hacker group, a classified memo has confirmed.
SNAKE is a Russian cyber espionage campaign using complex techniques for evading host defenses and providing the attackers with covert communication channels.
The memo, issued by the Communications, Electronics and Information Systems (MEBS) department of the Turkish General Staff, revealed that NCIRC shared a report on the cyber activities of the Russian hackers by e-mail on June 16, 2016. The NATO report, which was sent to the Cyber Incidents Response Teams (Siber Olaylara Müdahale Ekipleri, or SOME) of the Turkish military, was prepared by British cyber specialist BAE Systems Applied Intelligence, the document underlined.
According to the memo, the report disclosed the Russian cyber attack, SNAKE, on BOTAŞ and claimed that the hacker group successfully infiltrated BOTAŞ’s network and deployed malicious software to ensure that they retain a long-term foothold for the purpose of intelligence collection. But it was not yet clear if any data had been stolen.
The memo also revealed that complex techniques, infrastructure and components of the overall SNAKE cyber campaign were analyzed in the report.
According to the memo the NATO report on Russian cyber espionage activities claimed that the Russian hacker group targeted ministries, embassies and commercial entities to collect intelligence and that the hackers had focused on the South Caucasian states and energy agencies of Azerbaijan and Georgia during the previous 12 months [June 2015-June 2016].
The report was also circulated to the National Cyber Incidents Response Center (Ulusal Siber Olaylara Müdahale Merkezinin, or USOM), the memo noted.
The brief MEBS note titled “Infiltration into BOTAŞ A.Ş.”:
SNAKE was disclosed for the first time by BAE Systems in 2014. Since then, the Western intelligence community has been examining how the attackers behind SNAKE penetrated highly secured systems.
The attack on BOTAŞ’s network might have been part of a worldwide campaign. In at least one case, German authorities detected an attack on the government computer network in 2017, after which the chief federal prosecutor’s office launched a preliminary investigation into possible espionage related to the incident. However, the BOTAŞ case was not investigated by Turkish prosecutors.
BOTAŞ is responsible for crude oil and natural gas pipelines in Turkey. In addition to its partnerships with Russia’s Gazprom, it operates the Trans-Anatolian Natural Gas Pipeline Project (TANAP) with Azerbaijan’s SOCAR to reduce gas imports from Russia.
On one hand, BOTAŞ has signed contracts with Gazprom to construct a gas pipeline running under the Black Sea to Turkey. On the other, it continues working together with SOCAR for a gas supply from Azerbaijan to the European and Turkish energy markets. The geographical energy rivalry and projects aiming at diversifying energy sources might have attracted the attention of the Russian hacker group.