Bazan Group

The website of Israel’s largest oil refinery operator, BAZAN Group, is inaccessible from most parts of the world as threat actors claim to have hacked the Group’s cyber systems.

The Haifa Bay-based BAZAN Group, formerly Oil Refineries Ltd., generates over $13.5 billion in annual revenue and employs more than 1,800 people.

The company boasts a total oil refining capacity of about 9.8 million tons of crude oil per year.

BAZAN website cut off from the internet

Over the weekend, incoming traffic to BAZAN Group’s websites, bazan.co.il and eng.bazan.co.il, is either timing out, with HTTP 502 errors, or being refused by the company’s servers.

BleepingComputer confirmed that the oil refinery’s website has been made inaccessible for most visitors from around the world.

In our tests, however, the website was accessible from within Israel, possibly after imposition of a geo-block by BAZAN in an attempt to thwart an ongoing cyber attack.

Bazan Group website shows an ‘Access Denied’ (HTTP 403 Forbidden) error message

Cyber Avengers claims responsibility

In a Telegram channel, the Iranian hacktivist group ‘Cyber Avengers’, aka ‘CyberAv3ngers’, has claimed responsibility for breaching BAZAN’s network.

On Saturday evening, the group additionally leaked what appear to be screenshots of BAZAN’s SCADA systems, which are software applications used to monitor and operate industrial control systems.

These include diagrams of a “Flare Gas Recovery Unit,” an “Amine Regeneration” system, a petrochemical “Splitter Section,” and PLC code, as seen by BleepingComputer.

The hacktivist group states that it breached the petrochemicals giant via an exploit targeting a Check Point firewall at the company.

Alleged Check Point Firewall exploit used by threat actors

The IP address (194.xxx.xxx.xxx) purportedly belonging to the firewall device is indeed assigned to Oil Refineries Ltd., BleepingComputer can confirm via public records. At the time of writing, the IP address is returning a “Forbidden” error message when accessed in our test.

“Since 2020 we’ve blown u up a lot, but the worst is yet to come,” reads the Telegram message posted by the threat actor.

“Your recent behaviors and actions have motivated us to display small portion of the shots!”

CyberAvengers taunting BAZAN on Telegram (BleepingComputer)

CyberAvengers members also shared an image of an internal kiosk that they claim to have vandalized with their messages:

A message displayed on monitors (CyberAvengers)

Lastly, CyberAvengers boasts that they are responsible for the 2021 fires at the Haifa Bay petrochemical plants caused by a pipeline malfunction.

In 2020, the same group of threat actors also claimed attacks on 28 Israeli railway stations by targeting more than 150 industrial servers.

BleepingComputer has not been able to independently verify the veracity of these claims made by the threat actor.

We have approached Bazan Group as well as its stakeholders, Israel Corp. and Israel Petrochemical Enterprises Ltd., requesting more information regarding the development prior to publishing (Sunday is a work day in Israel), and are awaiting a response.

