Stuxnet's Infection Of Chevron Shows Why 'Weaponized' Malware Is A Bad Idea

from the cyberenemy-within dept

The Stuxnet worm that attacked an Iranian nuclear enrichment facility a couple of years ago was exceptional from several viewpoints. It is believed to have been the costliest development effort in malware history, involving dozens of engineers. It also made use of an unprecedented number of zero-day exploits in Microsoft Windows in order to operate. Finally, Stuxnet seems to be the first piece of malware known with reasonable certainty to have been created by the US, probably working closely with Israel.

As Techdirt reported earlier this year, we know all this largely because the malware escaped from the target environment in Iran, and started spreading in the wild. We now learn that one of the companies infected as a result was Chevron:

The oil giant discovered the malware in July 2010 after the virus escaped from its intended target, Mark Koelmel, Chevron's general manager of the earth sciences department, told The Wall Street Journal.

"I don't think the U.S. government even realized how far it had spread," he said. "I think the downside of what they did is going to be far worse than what they actually accomplished."

This highlights a huge problem with the use of malware by national security services to carry out these kinds of covert attacks on their enemies. Where a physical attack on a foreign nation is unlikely to cause direct casualties back at home -- although it may lead to indirect ones through retaliation -- attacks using worms and other malware are far less targeted. If they escape, as is likely to happen given the near-impossibility of controlling what happens to them once they have been released, they may well find their way back to the attacker's homeland, and start infecting computer systems there.

This makes the "weaponization" of malware an inherently dangerous approach. Imagine if a nation deployed worms or viruses that changed data on infected systems in subtle ways, and that these started spreading by mistake among that same country's health organizations or banks. Lives could be lost, and financial systems thrown into disarray.

That's something worth bearing in mind amid increasing calls for the development of software that can be used offensively: as well as the likelihood of tit-for-tat responses, there is also the very real danger that the weapon will turn against the nation that created it.

Follow me @glynmoody on Twitter or, and on Google+

Filed Under: stuxnet, weaponized malware
Companies: chevron

Reader Comments

  1. Anonymous Coward, 21 Nov 2012 @ 8:46am

    I'll take digital warfare over nuclear warfare any day.

    Excellent idea.

    If a nuclear strike hits a city, the (majority of) victims will die quickly, almost instantaneously.

    If a digital strike manages to disrupt major civic infrastructure, we only have to worry about the slow deaths of disease, starvation, and dehydration. And perhaps some localized violence as a side effect.

    I don't believe that we are in any sort of cyber danger right now. I do not believe we need a massive cyberwar program that monitors everything going on over the nets. But I am not foolish or complacent enough to assume that there is no threat.

    Large cities are only sustainable through amazing feats of logistics. Anyone familiar with the resources needed to maintain a city understands that a significant disruption in the infrastructure causes conditions to degrade rapidly. When you have millions of people in the close proximity of any major city, you require millions of gallons of water and millions of pounds of food to be made available on a daily basis, as well as massive amounts of electricity to power everything from hospitals to iPods. Food and water can be kept in reserve, but any disruption longer than a week on a large scale can have dramatic consequences.

    True, we have a robust and redundant infrastructure, and are able to truck in food and water if necessary, and power essential devices. But we're far from invulnerable.

    If I'm going to be a casualty of war, I'd rather be incinerated by a bomb than starve to death as I watch civilization crumble from within.

    We don't face an imminent threat. Any major blow from cyberwarfare would be several years into the future, and would require significant coordination, but it's not impossible.

    The point of Mr. Moody's post is that we're playing with fire. Fire can be a very good thing, when properly controlled and understood. But there's nothing alarmist in reminding people that fire is in fact dangerous.

    Stuxnet is simply one of many examples of a widely-acknowledged truism. There is no such thing as perfect security. With unlimited time and money, a thousand monkeys with typewriters will bypass your triple authentication biometric-passcode-keyed lock. Stuxnet managed to jump air gaps, exploit vectors, and hack the Gibson.

    More importantly, Stuxnet was a generalized attack with a specific payload. It "attacked" millions of computers, and was successful in doing so. It didn't "do anything" because the payload was limited. The cyberwar scares come from the idea of a generalized attack with a generalized payload. This is somewhat overstated because computers don't really have the uniformity required for a generalized payload to exist. HOWEVER, a payload can be successfully crafted so that it isn't quite as specific as Stuxnet. With a more generalized payload, the scattershot approach of weaponized malware can easily be turned into "pissing in the wind," so to speak.
