Chevron says computer network was infected by anti-Iranian virus Stuxnet


Stuxnet, a sophisticated computer virus that former US officials say was created by the US and Israel to spy on and attack Iran's nuclear-enrichment facilities, also infected Chevron Corp.'s network in 2010, shortly after it escaped from its intended target.

Chevron found the virus in its systems after the malware's existence was first reported in a blog post in July 2010, according to Mark Koelmel, general manager of the earth-sciences department at the big US oil company.

The US government has never officially acknowledged the Stuxnet program.

"I don't think the US government even realized how far [the virus] had spread," said Mr. Koelmel, who oversees earth-science research and development at Chevron and is familiar with how information technology is used at the company.

"I think the downside of what they did is going to be far worse than what they actually accomplished," he said.

Chevron, which is based in San Ramon, Calif., wasn't hurt by Stuxnet, said Chevron spokesman Morgan Crinklaw. "We make every effort to protect our data systems from those types of threats," he said.

Chevron's experience with Stuxnet appears to be the result of the malware's unintentional release into cyberspace, much like an experimental virus escaping from a medical lab.

But many companies also are being specifically targeted by viruses, sometimes by less-sophisticated groups or individuals attempting to retaliate against perceived cyberaggression by the US. Although they have fewer resources behind them, those guerrilla campaigns are nonetheless capable of doing real, physical damage to the targeted facilities.

Chevron is the first US company to acknowledge that its systems were infected by Stuxnet. But most security experts suspect that the vast majority of hacking incidents go unreported for reasons of security, or to avoid embarrassment.

The devices targeted by Stuxnet, called programmable logic controllers are used to automate factory equipment. PLCs are made by huge companies, including Siemens of Germany, whose devices were in use at the Iranian facility.

Millions of the devices have been sold world-wide, exposing the industrial companies that depend on them to the risk of being infected.

US officials, meanwhile, blame Iranian hackers with government ties for the so-called Shamoon virus that destroyed data on 30,000 computers belonging to Saudi Aramco in August. Defense officials said a Qatari natural-gas company called Rasgas was attacked in August.

The incidents show how cyberattacks have escalated in speed and scale during the past few months.

"All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date," US Secretary of Defense Leon Panetta said in an Oct. 11 speech at a Business Executives for National Security dinner.

Aramco said it quickly recovered from the August attack, but expects more such threats in the future. Rasgas said the August attack had no impact on its operations.

"The real worry that a lot of us have been talking about for a year or so is that instead of just stealing information, [hackers are] gaining control of target systems so that they can cause" physical damage, said Ed Skoudis, who teaches cybersecurity classes at the SANS Institute, a private organization that trains cybersecurity experts and conducts information-security research.

Employees who have a deep understanding of cybersecurity and their company's systems are the only defense against viruses like Stuxnet, which often target vulnerabilities that securities researchers haven't yet identified or software vendors haven't patched, said Alan Paller, who founded SANS.

He said those employees need to understand malware and techniques for fighting them, such as deep-packet inspection, which involves a very detailed examination of traffic on a computer network.

They must also have a deep knowledge of what network traffic should look like.

"There are probably only 18 to 20 people in the [US] who have those fundamental skills," he said.

Unleashing potent cyberweapons involves the risk of blowback. "Somebody could recover malware assets, tweak them and use them" against their creators, according to Skoudis. He said portions of the Stuxnet code already have been used to commit financial cybercrimes, such as stealing credit-card data and bank-account information.

The US government's purported link to Stuxnet makes American companies an even bigger target, said Mr. Paller. Hackers last summer went from stealing information to using cyberattacks to cause destruction, he said.

Stuxnet "opened Pandora's box," he added. "Whatever restraint might have been holding damaging attacks back is gone."

In the end, companies are left to clean up the mess associated with viruses such as Stuxnet.

"We're finding it in our systems, and so are other companies," said Chevron's Mr. Koelmel. "So now we have to deal with this."

Dow Jones Newswires

From the Archive