Attacks/Breaches
11/12/2012
02:30 PM
Connect Directly
RSS
E-Mail
50%
50%

Cyber Weapon Friendly Fire: Chevron Stuxnet Fallout

Malware's jump from Iranian uranium enrichment facility to energy giant highlights the downside to custom-made espionage malware -- its capability to infect friends as well as foes.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
The pioneering Stuxnet computer virus, which was designed to attack a single Iranian uranium enrichment facility, went on to infect PCs around the world. Security experts have identified thousands of resulting Stuxnet infections. On Monday, multinational energy giant Chevron became the first U.S. company to admit that it, too, was infected by Stuxnet.

Chevron found that some of its systems had been infected by Stuxnet soon after security firms discovered the virus in July 2010. "I don't think the U.S. government even realized how far it had spread," Mark Koelmel, general manager of the earth sciences department at Chevron, told The Wall Street Journal. "I think the downside of what they did is going to be far worse than what they actually accomplished," he said.

But according to Chevron spokesman Morgan Crinklaw, Stuxnet caused no damage to Chevron's network. "We make every effort to protect our data systems from those types of threats," he told The Wall Street Journal.

[ Read Flame Malware Code Traced To Stuxnet. ]

Confirmation that Stuxnet was designed by the U.S. government -- reportedly working with Israel -- came in June 2012 via journalist David Sanger, who reported that Stuxnet was developed as part of a classified cyberweapons program codenamed "Olympic Games," which was begun under President Bush and accelerated by President Obama. The malware was designed to forestall Israeli airstrikes against Iran, instead using a virus that sabotaged the high-frequency convertor drives used in centrifuges inside the Iranian nuclear facility at Natanz.

Stuxnet reportedly did disable a number of centrifuges at Natanz, but it also spread. "The fundamental problem with the use of viruses as weapons is that once deployed, one loses control of it. It is as likely to damage one's friends as one's enemies," said William Hugh Murray, an executive consultant and trainer in information assurance who's an associate professor at the Naval Postgraduate School, in a recent SANS Institute newsletter.

People with knowledge of the Olympic Games program, speaking to Sanger, did say that the virus had unexpectedly gotten out of control. But many security experts have disputed the notion that Stuxnet somehow broke loose unexpectedly, given that it was a virus incorporating multiple infection techniques, including the ability to exploit four zero-day vulnerabilities.

"'Escaped' continues to be a puzzling term when applied to a virus that relied on numerous Microsoft zero-day vulnerabilities and propagation vectors," said Sean McBride, the director of analysis for Critical Intelligence, in a SANS newsletter. "On the other hand, if your system was not the single underground facility in Iran that Stuxnet was intended to disrupt, the infection was benign. Such collateral damage is part of the price industry gets to pay for -- what was then -- two more years of Iran [being] without a nuclear weapon."

What remains worrying about Stuxnet is the ease with which the custom malware was able to surreptitiously alter the behavior of programmable logic controllers (PLCs) used in industrial control systems. As the Chevron infection highlights, PLCs aren't just used in uranium refineries, but for a broad range of applications -- spanning oil and gas enrichment, manufacturing plant floors and even prisons. Furthermore, businesses might replace their industrial control systems only every 10 or 20 years.

In the interim, what could safeguard PLC environments against future attacks of the Stuxnet variety, especially if launched by foreign adversaries? "There are no automated defense systems that can protect power systems and other critical infrastructure resources against these advanced attacks," said Alan Paller, director of research at the SANS Institute, in a SANS newsletter. "The only defense -- admittedly imperfect -- is radically improved technical skills."

Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
11/12/2012 | 9:54:55 PM
re: Cyber Weapon Friendly Fire: Chevron Stuxnet Fallout
Wonder why Chevron decided to go public about this.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
11/18/2012 | 10:36:16 PM
re: Cyber Weapon Friendly Fire: Chevron Stuxnet Fallout
Stuxnet, Flame, and Duqu seem to be creations of the same entity based on their coding and methods of operation. For a quick rundown of how these worms and other malware work, have a look here:

http://dougvitale.wordpress.co...
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.