Corruption At Gazprom Facilitated GUR Hackers' Attack On The Urengoy Gas Pipeline
Alarms that would have warned about increased pressure were never connected
A key section of the gas pipeline's data communications network, which would transmit an alarm when the pipeline was operating outside of acceptable conditions, was never connected by the contractor hired by Gazprom to install the system. This is according to documents obtained by GUR hackers and confirmed to Inside Cyber Warfare by one of the cyber operators involved in causing the explosion and fire at the Urengoy gas field last week.
The schematics included in this article are not meant to show how the sabotage was done, merely that the data needed to plan and implement an attack was available to GUR hackers. The “how” part of this operation will not be disclosed publicly for obvious reasons.
What is Known
The above schematic is part of the updated thirty-page data communications plan for the Urengoy NGCC (Natural Gas Combined Cycle) plant. The X’s on both sides show that the security alarms were not working at the time of that update (2011), nor had they been connected in 2020 when Gazprom was looking for a new vendor to complete the work, nor last week when the explosion occurred.
The above table is one of seven pages of equipment for use in the NGCC. The foreign manufacturers include Cisco, Dell, HP, Citect (now a part of Schneider Electric), Acronis, and Microsoft. Citect makes SCADA control products and was acquired by Schneider Electric in 2008. Acronis makes backup, disaster recovery, cybersecurity, and endpoint management solutions.
When an attacker has access to this level of information, it isn’t difficult to find known vulnerabilities (CVEs) to exploit, or to build and test methods (POCs) for achieving the desired effect, especially when the software hasn’t been patched or the vendor substituted pirated software for genuine software.
Ten Years Without Protection
A proxy for the vendor, Stroyneftegaz Alliance (SNG Alliance), which had filed for bankruptcy in 2017, was sued by Novourengoy Gas Chemical Complex, and on March 12, 2020 the court found SNG Alliance to have not completed many of the contractual items it had been paid to deliver, amounting to several billion rubles. A link to the decision can be found in the notes after the paywall. Some of the many unfinished items included:
“A complex of engineering and technical means of protection and means of anti-terrorist protection (designer of DOAO "Gazprojectengineering")”
“Control room (title 401/080), Administrative building with a laboratory (title 401/080-1)”
“Engineering networks of the administrative and amenity zone, Automated fire safety system”
On Jan 22, 2020, Gazprom announced a solicitation for:
Execution of turnkey works on the facility "Automatic fire alarm system, gas pollution control and fire extinguishing of gas pumping units of booster compressor stations (level I) of the installation of complex gas treatment – 7, 8, 9, 10, 12, 13, 15, booster compressor stations (level II) of the installation of complex gas treatment – 1, 2, 4, 9, 10, 11, 12 of Urengoy oil and gas condensate field for the needs of Gazprom dobycha Urengoy LLC (0001/19/1. 1/0101853 / Durengoy/K/STATE/e/20.12.2019) - 1 551 051 576.00 rubles.
Performing major repairs of the fire alarm system for the needs of Gazprom dobycha Urengoy LLC in 2020-2021 (for small and medium-sized businesses) No. 0095/19/5. 1/0097185 / Durengoy / PR/STATE/e/11.12.2019 - 43 726 275.89 rubles.
This incident of vendor incompetence and corruption is not the exception in Russia. It happens far too frequently and in every industry including Space, Energy, Finance, and Defense.
Transparency International rated Russia at 136 out of 180, making it the lowest-rated European country on its Corruption Index. Gazprom itself was built on corruption, according to this investigation by Proekt Media just released on June 16, 2022, as well as a concurrent profile on Gazprom head Alexei Miller. That profile starts off with a story told by Boris Berezovsky to Dmitry Gordon in a 2007 video interview, about when then-FSB director Vladimir Putin told Berezovsky that the thing he wanted most in life was to own Gazprom:
“I again return to the winter of 1999, when talk began about whether he should think about the presidency. I was at his dacha then, and he stopped and said: “Listen, you know what I want more than anything in the world? I want to be Berezovsky." Then he made such a pause and said: “Give me Gazprom.”
According to the Miller profile, Gazprom became “Putin’s favorite toy. He seized it and divided it among himself, his friends and relatives. He made it a bottomless purse from which you can take money - even for palaces and entertainment, even for war. Gazprom is not just a gas monopoly. This is a personal, specially grown corruption monster, on which Putin's power is attached.”
The long-term impact of corruption can be seen in the performance of Russian equipment during its operations in Ukraine when its expensive missiles repeatedly fail to hit their targets, or when a multi-million dollar tank breaks down in a parade celebrating Russian military prowess, or when a state-owned company as rich and powerful as Gazprom cannot protect its own resources from destructive cyber attacks.
Acts of sabotage by cyber means, such as the ones conducted by GUR hackers at Gazprom’s largest plants, including the explosions at the Urengoy Yamalo-Nenets region, the Urengoy Kama region, and the gas leak in Yakutia, are facilitated by the culture of corruption there. The only thing that’s preventing these types of attacks from happening more frequently and in greater numbers is not the technical difficulty of the operation, nor that Gazprom has improved its networks’ defenses. It is solely due to the restraint being exercised by Ukraine’s leadership.
Notes for this article and a 30MB download are available for paid subscribers.