Why Lie About Attacking Bazan Group - Oil & Gas Company?

Author: Joseph Baum, OTORIO Researcher

Why Did Iranian "Cyber Avengers" Falsely Claim Successful Breach of Israeli Oil Refinery?

On July 30, 2023, The Bazan Group’s website (https://www.bazan.co.il/) was unreachable for a brief time. BAZAN group is an oil refining and petrochemicals company, which operates the largest oil refinery in Israel.

An Iranian group named “Cyber Avengers” posted on their telegram channel saying that the group had successfully breached Bazan’s network. 

The group had posted several screenshots of various systems and code, claiming that these screenshots were taken from inside Bazan’s networks. The group claims that the exploit used in this alleged attack was their own, however given the evidence, this seems highly unlikely. 

Both Bazan group and Checkpoint (whose firewall the group claims to have breached) conveyed the message to Bleeping Computer that both the Exploit and pictures of the compromised systems are completely fabricated.

What can we learn from this incident?

Although the screenshots and the exploit are probably fake, it seems like more cyber-gangs understand the impact of exploiting OT environments, and they are already building knowledge and mileage in this direction, genuinely or not…

The group also posted screenshots of processes allegedly taken from the Bazan Group network. These screenshots include a VNC session of an HMI, as well as a Step7 configuration file including PLC code (Simatic manager + Tia Portal).

What should you take out of this?

Besides the general recommendations to protect the OT network, we especially want to emphasize the importance of keeping the industrial project files kept safe from any attacker.

If one had retrieved and analyzed some Industrial project files (Like the Step7 files mentioned above), One could familiarize themselves with the specific processes, devices and technologies involved, and gain a better understanding of the attack surface and gain a better understanding of how to pull off the most impactful attack on the processes. 

These files can be found inside the OT networks, but also in the IT network (file servers), and also mistakenly uploaded to public repositories like VirusTotal (As covered by our team in the past).