Cyber Incident Victim: Bazan Group
Date: Jun 2023
Location: Israel
Summary
The Bazan Group, Israel's largest oil refinery operator, experienced a DDoS attack that left its primary websites unreachable for most visitors outside Israel. The Iranian hacktivist group Cyber Avengers claimed responsibility and further alleged a network breach, publishing what it said were screenshots from the company's SCADA systems. Bazan dismissed the claims as fabricated and stated that no damage occurred to operational servers or assets, and its firewall vendor, Check Point, said no vulnerability in its products could have enabled such an intrusion.
Description
On or around July 1, 2023, the websites of Israel's largest oil refinery operator, BAZAN Group, became inaccessible to most visitors from around the world. The company, formerly known as Oil Refineries Ltd., is based in Haifa Bay, generates over $13.5 billion in annual revenue, employs more than 1,800 people, and has a total refining capacity of approximately 9.8 million tons of crude oil per year. Requests to the company's websites, bazan.co.il and eng.bazan.co.il, from outside Israel timed out, returned HTTP 502 errors, or were refused by the company's servers outright. A 502 response means a reverse proxy or load balancer in front of the site was still answering but could not get a valid response from the origin behind it. The inaccessibility was confirmed through testing from multiple locations, while the websites remained reachable from within Israel. This pattern suggested the company had imposed a geo-blocking measure to mitigate an ongoing attack, effectively cutting the site off from the global internet while preserving access for its local audience.
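The kind of multi-vantage check described above can be made repeatable. The following is an added example, not code from BAZAN, Check Point or BleepingComputer: it maps the outcome of an HTTPS probe to a label, then derives a verdict from probes taken inside and outside the target's home country. The host names, vantage labels and the sample probe results are constructed for illustration and mirror the symptoms reported for bazan.co.il (in-country fine; out-of-country timing out, 502 or refused).

```python
"""Multi-vantage availability probe and verdict, used to tell a geo-fenced
site apart from a full outage. Added example, not BAZAN or BleepingComputer
code; host names and vantage labels are assumptions for illustration."""
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable

# Outcomes that a geo-fence or an overloaded origin typically produce for
# blocked visitors: no answer, connection dropped, or an edge-generated error.
BLOCKED_OUTCOMES = {"timeout", "refused", "reset", "http_403", "http_502", "http_503"}


@dataclass(frozen=True)
class Probe:
    vantage: str      # label for the probing location, e.g. "IL" or "DE" (assumed labels)
    in_country: bool  # True when the vantage point is inside the site's home country
    outcome: str      # "ok", "http_<status>", "timeout", "refused", "reset", "dns_fail", "error_<Type>"


def probe_once(host: str, vantage: str, in_country: bool, timeout: float = 5.0) -> Probe:
    """Live check: one HTTPS GET / against host, mapped to an outcome label.
    Not called at import time; run it from vantage points you control."""
    try:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                           context=ssl.create_default_context())
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "availability-probe/1.0"})
        status = conn.getresponse().status
        conn.close()
        outcome = "ok" if 200 <= status < 400 else f"http_{status}"
    except socket.timeout:
        outcome = "timeout"
    except ConnectionRefusedError:
        outcome = "refused"
    except ConnectionResetError:
        outcome = "reset"
    except socket.gaierror:
        outcome = "dns_fail"
    except OSError as exc:  # TLS failures, unreachable network, etc.
        outcome = f"error_{type(exc).__name__}"
    return Probe(vantage, in_country, outcome)


def classify(probes: Iterable[Probe]) -> str:
    """Verdict from a set of probes taken at roughly the same time.

    "geo-fenced"     every in-country probe succeeded and every out-of-country
                     probe was blocked: consistent with a geo-block at the edge
    "global-outage"  every probe, inside and outside, was blocked
    "reachable"      every probe succeeded
    "inconclusive"   no in-country or no out-of-country probe was available
    "mixed"          anything else (partial outage, flapping, per-network blocking)
    """
    probes = list(probes)
    inside = [p for p in probes if p.in_country]
    outside = [p for p in probes if not p.in_country]
    if not inside or not outside:
        return "inconclusive"

    def all_ok(group):
        return all(p.outcome == "ok" for p in group)

    def all_blocked(group):
        return all(p.outcome in BLOCKED_OUTCOMES for p in group)

    if all_ok(inside) and all_blocked(outside):
        return "geo-fenced"
    if all_blocked(inside) and all_blocked(outside):
        return "global-outage"
    if all_ok(inside) and all_ok(outside):
        return "reachable"
    return "mixed"


# Constructed sample mirroring the reported symptoms: in-country probe fine,
# out-of-country probes time out, get a 502 from the edge, or are refused.
SAMPLE_PROBES = [
    Probe("IL", True, "ok"),
    Probe("DE", False, "http_502"),
    Probe("US", False, "timeout"),
    Probe("JP", False, "refused"),
]

if __name__ == "__main__":
    print(classify(SAMPLE_PROBES))  # geo-fenced
```

A "geo-fenced" verdict only says that a policy is selecting on the visitor's origin; it says nothing about whether the origin behind the edge was compromised, and a 502 from the edge indicates the upstream was not answering cleanly, which is equally consistent with an overloaded origin and with one deliberately taken offline. Probes from cloud or VPN address space are often blocked on their own, so at least one residential or corporate vantage per country keeps the verdict honest.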

The Iranian hacktivist group known as 'Cyber Avengers' or 'CyberAv3ngers' claimed responsibility for the incident through a Telegram channel. The group asserted that it had breached the BAZAN Group's network over the weekend. Beyond the website disruption, the group leaked materials purporting to be screenshots from the company's Supervisory Control and Data Acquisition (SCADA) systems, the supervisory software used to monitor and operate the industrial control systems of a refinery. The leaked images included diagrams of specific industrial units such as a "Flare Gas Recovery Unit," an "Amine Regeneration" system, and a petrochemical "Splitter Section," alongside what appeared to be programmable logic controller (PLC) code. Publishing such materials was meant to demonstrate deep access to the company's operational technology infrastructure.
In an official statement provided to BleepingComputer, a spokesperson for BAZAN Group denied the validity of the leaked materials and the group's claim of a successful network breach. The company characterized the publications as false and the entire incident as propaganda intended to spread misinformation and create a psychological impact. The spokesperson acknowledged that a Distributed Denial-of-Service (DDoS) attack had briefly disrupted the company's image website but stressed that no damage was observed to its core servers or physical assets. The statement added that the company's cybersecurity teams were vigilant and working in close coordination with the Israel National Cyber Directorate and other partners to monitor suspicious activity and ensure the continued safety and integrity of its industrial operations.
The Cyber Avengers group provided additional details regarding their purported method of intrusion. They implied that the breach was accomplished by exploiting a vulnerability in a Check Point firewall appliance located within the company's network. A specific IP address was associated with this claim, and public registration records confirmed that the IP was indeed assigned to Oil Refineries Ltd. When accessed, the address returned a "Forbidden" (HTTP 403) response, which only shows that a web service was listening there and refusing the request; it says nothing about whether the device was vulnerable. Check Point Software Technologies Ltd. directly refuted the claims: a spokesperson for the firm stated that none of the group's assertions were true and that there was no past vulnerability in its products that could have enabled such an attack, supporting BAZAN's position that no breach occurred.
This incident was not the first time the Cyber Avengers group has claimed attacks against Israeli critical infrastructure. The group also boasted of being responsible for fires at the Haifa Bay petrochemical plants in 2021, which were reportedly caused by a pipeline malfunction. Furthermore, the group had previously claimed attacks in 2020 targeting 28 Israeli railway stations by focusing on over 150 industrial servers. The veracity of these prior claims by the threat actor could not be independently verified by BleepingComputer. The recurrence of such claims highlights the group's focus on psychological warfare and spreading fear by targeting and publicizing attacks on essential national infrastructure, regardless of the actual scale of the intrusion or damage inflicted.
The primary observable impact of the incident was that the BAZAN Group's public-facing websites were unreachable from outside Israel for an extended period. The DDoS attack disrupted the availability of these web assets and forced the company to implement defensive measures that likely included geo-fencing, restricting access to Israeli IP address ranges. Geo-blocking of this kind reduces the load reaching the origin servers but does not stop the attack traffic from arriving at the network edge, so the sites remained degraded for the global audience. While the company maintained that no internal systems were compromised and no physical damage was sustained, the event required a significant response from its cybersecurity team and coordination with national cybersecurity authorities, along with public relations work to counter the narrative being pushed by the hacktivist group and to reassure stakeholders of the integrity of its operational systems.
The conflicting narratives between the threat actor and the targeted organization present a complex picture. On one side, a hacktivist group claims a profound victory, displaying what it says is evidence of a deep infrastructure breach, including access to sensitive industrial control systems. On the other side, the company and its technology vendor categorically deny these claims, attributing the entire event to a limited DDoS attack and a subsequent disinformation campaign. The technical evidence available to external observers was limited to the website outages and the leaked screenshots, whose authenticity was disputed. The IP address linked to the Check Point firewall was confirmed to belong to the company but was inaccessible, providing no conclusive evidence either way. This incident underscores the challenges in attributing and accurately assessing the scope of cyber incidents in real-time, especially when they involve critical infrastructure and are accompanied by aggressive information operations. The ultimate goal of the Cyber Avengers appears to have been to create maximum disruption and fear, whether through actual cyber means or through the potent weapon of psychological manipulation and propaganda.
