Stuxnet's Infection Of Chevron Shows Why 'Weaponized' Malware Is A Bad Idea

from the cyberenemy-within dept

The Stuxnet worm that attacked an Iranian nuclear enrichment facility a couple of years ago was exceptional from several viewpoints. It is believed to have been the costliest development effort in malware history, involving dozens of engineers. It also made use of an unprecedented number of zero-day exploits in Microsoft Windows in order to operate. Finally, Stuxnet seems to be the first piece of malware known with reasonable certainty to have been created by the US, probably working closely with Israel.

As Techdirt reported earlier this year, we know all this largely because the malware escaped from the target environment in Iran, and started spreading in the wild. We now learn that one of the companies infected as a result was Chevron:

The oil giant discovered the malware in July 2010 after the virus escaped from its intended target, Mark Koelmel, Chevron's general manager of the earth sciences department, told The Wall Street Journal.

"I don't think the U.S. government even realized how far it had spread," he said. "I think the downside of what they did is going to be far worse than what they actually accomplished."

This highlights a huge problem with the use of malware by national security services to carry out these kinds of covert attacks on their enemies. Where a physical attack on a foreign nation is unlikely to cause direct casualties back at home -- although it may lead to indirect ones through retaliation -- attacks using worms and other malware are far less targeted. If they escape, as is likely to happen given the near-impossibility of controlling what happens to them once they have been released, they may well find their way back to the attacker's homeland, and start infecting computer systems there.

This makes the "weaponization" of malware an inherently dangerous approach. Imagine if a nation deployed worms or viruses that changed data on infected systems in subtle ways, and that these started spreading by mistake among that same country's health organizations or banks. Lives could be lost, and financial systems thrown into disarray.

That's something worth bearing in mind amid increasing calls for the development of software that can be used offensively: as well as the likelihood of tit-for-tat responses, there is also the very real danger that the weapon will turn against the nation that created it.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: stuxnet, weaponized malware
Companies: chevron


Reader Comments


  1. Anonymous Coward, 20 Nov 2012 @ 6:08pm

    I don't know of any zero day exploits that have not been patched in reference to Stuxnet. I suspect that those that were used, the company hardware and software were told of the exploit after it was in place, but under speculation I would think they were requested by the US gov to have the patches ready but not to use them until notified.

    I suspect this to be the case simply because after the own up of the US involvement almost everyone from Siemens to Microsoft had a patch out in days.

    Chevron's SCADA control is not hooked to the net. It runs on a separate system, tied through the company's intranet, and by itself is not able to connect to the internet. A separate computer is used for report generation, record keeping, company emails, and web surfing. Changing ladder logic requires the software as well as a dongle to obtain authorization access to alter software settings, as well as to make changes in operation parameters outside those already set up. I know this because I used to run such systems for them.

    It is hooked up this way so that when a hurricane abandonment happens, the offshore platforms are left running. The crews that operate them come inshore and continue to monitor and operate the platforms by remote control. Due to Federal laws, some operations cannot be restarted if they go down unless the operator is physically present to restart them. This is due to things like: if you had a hole in a line spraying oil and had a shutdown due to a low pressure sensor, the last thing you would want is for someone to be able to restart without looking over the area first.

    In addition, video feeds for sea conditions as well as current, wave, on site weather conditions, are all fed through the system. The operators are liable to be several hundred miles from the platform they are controlling under hurricane conditions.
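The comment above describes two controls that limit what an escaped worm could do on such a platform: SCADA commands are only accepted from the isolated control network, and a protective trip can only be cleared by an operator who is physically present. The following is an added illustration of that interlock logic as a small state machine; it is hypothetical example code written for this page, not Chevron's, Siemens', or any vendor's software, and the zone and presence labels are constructed for the example.

```python
"""Safety-interlock model for a remotely operated platform (hypothetical example).

Two rules are enforced, matching the description in the comment:
  1. Only the isolated control network may issue commands; the business
     network (email, web, reporting) is never trusted as a command source.
  2. After a protective trip (e.g. a low-pressure sensor), a restart is refused
     unless the operator is physically present on the platform. An orderly stop
     may still be restarted from the onshore control room.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    RUNNING = "running"
    STOPPED = "stopped"   # orderly stop; remote restart permitted
    TRIPPED = "tripped"   # protective shutdown; remote restart refused


class Zone(Enum):
    CONTROL = "control"    # isolated SCADA network (constructed label)
    BUSINESS = "business"  # internet-facing office machines (constructed label)


class Presence(Enum):
    LOCAL = "local"    # operator physically on the platform
    REMOTE = "remote"  # operator at the onshore control room


@dataclass
class PlatformController:
    state: State = State.RUNNING
    audit: list = field(default_factory=list)  # append-only decision log

    def _log(self, message: str) -> None:
        self.audit.append(message)

    def sensor_trip(self, reason: str) -> None:
        """A protective sensor shuts the process down; no operator input needed."""
        self.state = State.TRIPPED
        self._log(f"trip: {reason}")

    def stop(self, zone: Zone, presence: Presence) -> bool:
        """Orderly stop. Allowed from either location, but only via the control zone."""
        if zone is not Zone.CONTROL:
            self._log(f"deny stop: command from {zone.value} zone")
            return False
        if self.state is not State.RUNNING:
            return False
        self.state = State.STOPPED
        self._log(f"stop by {presence.value} operator")
        return True

    def restart(self, zone: Zone, presence: Presence) -> bool:
        """Restart. Refused from the business zone, and refused remotely after a trip."""
        if zone is not Zone.CONTROL:
            self._log(f"deny restart: command from {zone.value} zone")
            return False
        if self.state is State.RUNNING:
            return False
        if self.state is State.TRIPPED and presence is not Presence.LOCAL:
            self._log("deny restart: protective trip requires local presence")
            return False
        self.state = State.RUNNING
        self._log(f"restart by {presence.value} operator")
        return True


def demo():
    """Walk the controller through a hurricane-abandonment scenario (constructed)."""
    ctrl = PlatformController()
    results = [
        ctrl.stop(Zone.CONTROL, Presence.REMOTE),     # orderly stop from onshore: allowed
        ctrl.restart(Zone.CONTROL, Presence.REMOTE),  # restart after orderly stop: allowed
    ]
    ctrl.sensor_trip("low pressure on export line")   # protective shutdown
    results += [
        ctrl.restart(Zone.CONTROL, Presence.REMOTE),  # remote restart after trip: refused
        ctrl.restart(Zone.BUSINESS, Presence.LOCAL),  # any command from office LAN: refused
        ctrl.restart(Zone.CONTROL, Presence.LOCAL),   # local operator after inspection: allowed
    ]
    return results, ctrl.state, ctrl.audit


if __name__ == "__main__":
    decisions, final_state, log = demo()
    print(decisions, final_state.value)
    print("\n".join(log))
```

The point of the model is that the network boundary and the physical-presence rule are checked independently: a worm that reached the office machines gains nothing from the first check, and one that somehow reached the control zone still cannot clear a protective trip without a human on the platform. The audit list gives an operator a record of every refused command, which is also where an anomaly (a flood of remote restart attempts, say) would show up.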
