(Taken from wsj.com)
Stuxnet, a sophisticated computer virus created by the United States and Israel to spy on and attack Iran’s nuclear enrichment facilities in Natanz, also infected Chevron’s network in 2010, shortly after it escaped from its intended target.
Chevron found Stuxnet in its systems after the malware was first reported in July 2010, said Mark Koelmel, general manager of the earth sciences department at Chevron. “I don’t think the U.S. government even realized how far it had spread,” he told CIO Journal. “I think the downside of what they did is going to be far worse than what they actually accomplished,” he said.
[Photo: An Iranian technician works at a uranium conversion facility just outside the city of Isfahan. Vahid Salemi/AP Photo]
Chevron was not adversely affected by Stuxnet, says Chevron spokesman Morgan Crinklaw. “We make every effort to protect our data systems from those types of threats,” he said.
Chevron’s experience with Stuxnet appears to be the result of the unintentional (and perhaps, inevitable) release of malware upon a larger network, much like an experimental virus escaping from a medical lab. But many companies are also being specifically targeted, sometimes by less sophisticated actors attempting to retaliate against perceived U.S. cyber-aggression. Although they have fewer resources behind them, those guerrilla campaigns are nonetheless capable of doing real, physical damage to targeted plants.
Chevron is the first U.S. company to acknowledge that its systems were infected by Stuxnet, although most security experts believe the vast majority of hacking incidents go unreported for reasons of security or to avoid embarrassment. The devices used in industrial equipment and targeted by Stuxnet are made by huge companies, including Siemens (whose devices were in use at Iran’s facility). Millions of these devices, called programmable logic controllers, or PLCs, have been sold around the world, so potentially every industrial company that uses them is at risk of being infected.
U.S. officials blame Iranian hackers with government ties for the so-called Shamoon virus that destroyed data on 30,000 computers belonging to Saudi Arabian Oil Co. in August. A Qatari natural gas company called Rasgas was also attacked in August. The Shamoon virus is likely the work of a single individual who lacked the sophistication of state-sponsored hackers, according to a Bloomberg report.
Aramco said it quickly recovered from the August attack, but expects more attacks in the future. Rasgas says the August attack had no impact on its operations.
“The real worry that a lot of us have been talking about for a year or so is that instead of just stealing information, [hackers are] gaining control of target systems so that they can cause kinetic impact,” said Ed Skoudis, an expert who teaches cybersecurity classes at SANS, an organization that trains cybersecurity experts and conducts information security research.
“All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” said U.S. Secretary of Defense Leon Panetta in an October 11 speech at a Business Executives for National Security dinner. The virus is an example of an escalation that has happened in the scale and speed of cyber attacks during the last few months.
Employees who have a deep understanding of cybersecurity and the company’s systems are the only defense against a virus like Stuxnet, which often targets vulnerabilities that haven’t yet been identified by security researchers or patched by the software vendor, says Alan Paller, founder of SANS. Those employees need to understand malware and techniques like deep packet inspection, and have a deep knowledge of what the network traffic should look like. “There are probably only 18-20 people in the country who have those fundamental skills,” he said.
Unleashing potent cyber weapons points to the larger problem of blowback, where “somebody could recover malware assets, tweak them and use them,” said SANS’ Skoudis. He said portions of the Stuxnet code have already been reused in financial cybercrime to steal credit cards and bank account information.
The tacit acknowledgement by U.S. government officials that they created Stuxnet makes U.S. companies an even bigger target, said Paller at SANS. He says hackers last summer went from stealing information to using cyber attacks to cause destruction. Stuxnet “opened Pandora’s box,” he said. “Whatever restraint might have been holding damaging attacks back are gone.”
In the end, companies are left to clean up the mess associated with viruses such as Stuxnet. “We’re finding it in our systems and so are other companies,” said Chevron’s Koelmel. “So now we have to deal with this.”