The report, published Wednesday by the Federal Office for Information Security (BSI), revealed one of the rare instances in which a digital attack actually caused physical damage.
The attack used spear phishing and sophisticated social engineering techniques to gain access to the factory’s office networks, from which access to production networks was gained. Spear phishing involves the use of email that appears to come from within an organization. After the system was compromised, individual components or even entire systems started to fail frequently.
[ See also: Natural defenses: 8 IT security tactics found in nature ]
Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant,” the BSI said, describing the technical skills of the attacker as “very advanced.”
The attack involved the compromise of a variety of different internal systems and industrial components, BSI said, noting that not only was there evidence of a strong knowledge of IT security but also extended know-how of the industrial control and production process.
The hack sounds similar to attacks involving the Stuxnet worm. Considered the first known cyberweapon, Stuxnet is believed to have been created by the U.S. and Israel to attack Iran’s nuclear program. Discovered in 2010, the worm has espionage and sabotage functionalities that were used to destroy up to 1,000 uranium enrichment centrifuges at a nuclear plant near the city of Natanz in Iran.