By RACHAEL KING
Stuxnet, a sophisticated computer virus that former US
officials say was created by the US and Israel to spy on and attack Iran's
nuclear-enrichment facilities, also infected Chevron
Corp.'s network in 2010, shortly after it escaped from its
Chevron found the virus in its systems after the malware's
existence was first reported in a blog post in July 2010,
according to Mark Koelmel, general manager of the
earth-sciences department at the big US oil company.
The US government has never officially acknowledged the Stuxnet
"I don't think the US government even realized how far [the
virus] had spread," said Mr. Koelmel, who oversees
earth-science research and development at Chevron and is
familiar with how information technology is used at the
"I think the downside of what they did is going to be far
worse than what they actually accomplished," he said.
Chevron, which is based in San Ramon, Calif., wasn't hurt by
Stuxnet, said Chevron spokesman Morgan Crinklaw. "We make every
effort to protect our data systems from those types of
threats," he said.
Chevron's experience with Stuxnet appears to be the result
of the malware's unintentional release into cyberspace, much
like an experimental virus escaping from a medical lab.
But many companies also are being specifically targeted by
viruses, sometimes by less-sophisticated groups or individuals
attempting to retaliate against perceived cyberaggression by
the US. Although they have fewer resources behind them, those
guerrilla campaigns are nonetheless capable of doing real,
physical damage to the targeted facilities.
Chevron is the first US company to acknowledge that its
systems were infected by Stuxnet. But most security experts
suspect that the vast majority of hacking incidents go
unreported for reasons of security, or to avoid
The devices targeted by Stuxnet, called programmable logic
controllers are used to automate factory equipment. PLCs are
made by huge companies, including Siemens of Germany, whose
devices were in use at the Iranian facility.
Millions of the devices have been sold world-wide, exposing
the industrial companies that depend on them to the risk of
US officials, meanwhile, blame Iranian hackers with
government ties for the so-called Shamoon virus that destroyed
data on 30,000 computers belonging to Saudi Aramco in August.
Defense officials said a Qatari natural-gas company called
Rasgas was attacked in August.
The incidents show how cyberattacks have escalated in speed and
scale during the past few months.
"All told, the Shamoon virus was probably the most
destructive attack that the private sector has seen to date,"
US Secretary of Defense Leon Panetta said in an Oct. 11 speech
at a Business Executives for National Security dinner.
Aramco said it quickly recovered from the August attack, but
expects more such threats in the future. Rasgas said the August
attack had no impact on its operations.
"The real worry that a lot of us have been talking about for
a year or so is that instead of just stealing information,
[hackers are] gaining control of target systems so that they
can cause" physical damage, said Ed Skoudis, who teaches
cybersecurity classes at the SANS Institute, a private
organization that trains cybersecurity experts and conducts
Employees who have a deep understanding of cybersecurity and
their company's systems are the only defense against viruses
like Stuxnet, which often target vulnerabilities that
securities researchers haven't yet identified or software
vendors haven't patched, said Alan Paller, who founded
He said those employees need to understand malware and
techniques for fighting them, such as deep-packet inspection,
which involves a very detailed examination of traffic on a
They must also have a deep knowledge of what network traffic
should look like.
"There are probably only 18 to 20 people in the [US] who
have those fundamental skills," he said.
Unleashing potent cyberweapons involves the risk of
blowback. "Somebody could recover malware assets, tweak them
and use them" against their creators, according to Skoudis. He
said portions of the Stuxnet code already have been used to
commit financial cybercrimes, such as stealing credit-card data
and bank-account information.
The US government's purported link to Stuxnet makes American
companies an even bigger target, said Mr. Paller. Hackers last
summer went from stealing information to using cyberattacks to
cause destruction, he said.
Stuxnet "opened Pandora's box," he added. "Whatever restraint
might have been holding damaging attacks back is gone."
In the end, companies are left to clean up the mess
associated with viruses such as Stuxnet.
"We're finding it in our systems, and so are other
companies," said Chevron's Mr. Koelmel. "So now we have to deal
Dow Jones Newswires