Chevron says computer network was infected by anti-Iranian virus Stuxnet | Hydrocarbon...

Page 1 of 2

COPYING AND DISTRIBUTING ARE PROHIBITED WITHOUT PERMISSION OF THE PUBLISHER

Chevron says computer network was infected by anti-Iranian

virus Stuxnet
11.09.2012 |
Chevron found the virus in its systems after the malware's existence was first reported in a blog post in July 2010,
according to Mark Koelmel, general manager of the earth-sciences department at the big US oil company. The US
government has never officially acknowledged the Stuxnet program.
Keywords:
By RACHAEL KING
Stuxnet, a sophisticated computer virus that former US officials say was created by the US and Israel to spy on and
attack Iran's nuclear-enrichment facilities, also infected Chevron Corp.'s network in 2010, shortly after it escaped
from its intended target.
Chevron found the virus in its systems after the malware's existence was first reported in a blog post in July 2010,
according to Mark Koelmel, general manager of the earth-sciences department at the big US oil company.
The US government has never officially acknowledged the Stuxnet program.
"I don't think the US government even realized how far [the virus] had spread,"
said Mr. Koelmel, who oversees earth-science research and development at
Chevron and is familiar with how information technology is used at the
company.
"I think the downside of what they did is going to be far worse than what they
actually accomplished," he said.
Chevron, which is based in San Ramon, Calif., wasn't hurt by Stuxnet, said
Chevron spokesman Morgan Crinklaw. "We make every effort to protect our
data systems from those types of threats," he said.
Chevron's experience with Stuxnet appears to be the result of the malware's unintentional release into cyberspace,
much like an experimental virus escaping from a medical lab.
But many companies also are being specifically targeted by viruses, sometimes by less-sophisticated groups or
individuals attempting to retaliate against perceived cyberaggression by the US. Although they have fewer resources
behind them, those guerrilla campaigns are nonetheless capable of doing real, physical damage to the targeted
facilities.
Chevron is the first US company to acknowledge that its systems were infected by Stuxnet. But most security experts
suspect that the vast majority of hacking incidents go unreported for reasons of security, or to avoid embarrassment.
The devices targeted by Stuxnet, called programmable logic controllers are used to automate factory equipment.
PLCs are made by huge companies, including Siemens of Germany, whose devices were in use at the Iranian facility.

http://www.hydrocarbonprocessing.com/Article/3116037/Chevron-says-computer-network... 1/27/2013

Chevron says computer network was infected by anti-Iranian virus Stuxnet | Hydrocarbon... Page 2 of 2

Millions of the devices have been sold world-wide, exposing the industrial companies that depend on them to the
risk of being infected.
US officials, meanwhile, blame Iranian hackers with government ties for the so-called Shamoon virus that destroyed
data on 30,000 computers belonging to Saudi Aramco in August. Defense officials said a Qatari natural-gas
company called Rasgas was attacked in August.
The incidents show how cyberattacks have escalated in speed and scale during the past few months.
"All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date," US
Secretary of Defense Leon Panetta said in an Oct. 11 speech at a Business Executives for National Security dinner.
Aramco said it quickly recovered from the August attack, but expects more such threats in the future. Rasgas said
the August attack had no impact on its operations.
"The real worry that a lot of us have been talking about for a year or so is that instead of just stealing information,
[hackers are] gaining control of target systems so that they can cause" physical damage, said Ed Skoudis, who
teaches cybersecurity classes at the SANS Institute, a private organization that trains cybersecurity experts and
conducts information-security research.
Employees who have a deep understanding of cybersecurity and their company's systems are the only defense
against viruses like Stuxnet, which often target vulnerabilities that securities researchers haven't yet identified or
software vendors haven't patched, said Alan Paller, who founded SANS.
He said those employees need to understand malware and techniques for fighting them, such as deep-packet
inspection, which involves a very detailed examination of traffic on a computer network.
They must also have a deep knowledge of what network traffic should look like.
"There are probably only 18 to 20 people in the [US] who have those fundamental skills," he said.
Unleashing potent cyberweapons involves the risk of blowback. "Somebody could recover malware assets, tweak
them and use them" against their creators, according to Skoudis. He said portions of the Stuxnet code already have
been used to commit financial cybercrimes, such as stealing credit-card data and bank-account information.
The US government's purported link to Stuxnet makes American companies an even bigger target, said Mr. Paller.
Hackers last summer went from stealing information to using cyberattacks to cause destruction, he said.
Stuxnet "opened Pandora's box," he added. "Whatever restraint might have been holding damaging attacks back is
gone."
In the end, companies are left to clean up the mess associated with viruses such as Stuxnet.
"We're finding it in our systems, and so are other companies," said Chevron's Mr. Koelmel. "So now we have to deal
with this."

Dow Jones Newswires

http://www.hydrocarbonprocessing.com/Article/3116037/Chevron-says-computer-network... 1/27/2013