Stuxnet's Infection Of Chevron Shows Why 'Weaponized' Malware Is A Bad Idea
from the cyberenemy-within dept
The Stuxnet worm that attacked an Iranian nuclear enrichment facility a couple of years ago was exceptional from several viewpoints. It is believed to have been the costliest development effort in malware history, involving dozens of engineers. It also made use of an unprecedented number of zero-day exploits in Microsoft Windows in order to operate. Finally, Stuxnet seems to be the first piece of malware known with reasonable certainty to have been created by the US, probably working closely with Israel.
As Techdirt reported earlier this year, we know all this largely because the malware escaped from the target environment in Iran, and started spreading in the wild. We now learn that one of the companies infected as a result was Chevron:
The oil giant discovered the malware in July 2010 after the virus escaped from its intended target, Mark Koelmel, Chevron's general manager of the earth sciences department, told The Wall Street Journal.
This highlights a huge problem with the use of malware by national security services to carry out these kinds of covert attacks on their enemies. Where a physical attack on a foreign nation is unlikely to cause direct casualties back at home -- although it may lead to indirect ones through retaliation -- attacks using worms and other malware are far less targeted. If they escape, as is likely to happen given the near-impossibility of controlling what happens to them once they have been released, they may well find their way back to the attacker's homeland, and start infecting computer systems there.
"I don't think the U.S. government even realized how far it had spread," he said. "I think the downside of what they did is going to be far worse than what they actually accomplished."
This makes the "weaponization" of malware an inherently dangerous approach. Imagine if a nation deployed worms or viruses that changed data on infected systems in subtle ways, and that these started spreading by mistake among that same country's health organizations or banks. Lives could be lost, and financial systems thrown into disarray.
That's something worth bearing in mind amid increasing calls for the development of software that can be used offensively: as well as the likelihood of tit-for-tat responses, there is also the very real danger that the weapon will turn against the nation that created it.
Filed Under: stuxnet, weaponized malware
Companies: chevron
Reader Comments
No harm done elsewhere
From the WSJ article:
"Chevron was not adversely affected by Stuxnet, says Chevron spokesman Morgan Crinklaw."
Stuxnet was highly targeted. Other than spreading outside of its intended target, it didn't do anything. The malicious part of it did not activate unless it saw a certain number of controllers for a specific model of a certain number of centrifuges.
While there is always an unknown factor, that this could have ended up somewhere else and caused damage/destruction, it didn't.
Since we regularly call out officials for hyping up the impending doom of cyber-war, I want to be fair and make sure we're not doing the same thing.
I'll also argue that the genie was already out of the bottle when it came to cyber-attacks by nation states against other nation states. Stuxnet was particularly effective and exceptional, yes. But it wasn't really the first. Look up the Russian/Georgian conflict. There's also been plenty of theoretical talk about it for years.
Re: No harm done elsewhere
First off, it cost a considerable amount of time and money for Chevron, not to mention everyone else.
Secondly, it reduced Chevron's security in a tangible sense. Stuxnet had remote command and control capabilities, through two web sites. Had someone managed to compromise or spoof those web sites before they were taken down, they would have had remote root access to a crapload of machines.
It's kind of like someone forging a master key to Chevron's buildings, sneaking in and having a look around, but not touching anything. Yeah, they did do something, even if it wasn't nearly as bad as it could have been.
Re: Re: No harm done elsewhere
Honestly I think this is a positive more than a negative. Every IT employee who has been pandering for more security and funding at Chevron just received the best talking point possible... and it did no damage.
How often do you have your security and network isolations tested without either paying a fortune for a specialist company to conduct it or damage being done?
Re: Re: Re: Re: No harm done elsewhere
That's an example of the perfect solution fallacy. There is no such thing as impenetrable security.
Re: No harm done elsewhere
Yes because we should believe the spokesman for Chevron.
Phooey. It's his job to reassure investors no "damage" was done.
If a machine is infected, it is damaged, and will need someone to re-image it. Then you need to be sure all of the thousands of computers were not compromised. And then there is the specialized scientific equipment sometimes running on NT (in the case of ExxonMobil). It is a costly event even if centrifuges weren't damaged.
Oh yeah, then there is the time needed for Digital Forensics and Incident Response (DFIR) to put policies in place so it doesn't happen again.
No damage? Depends on how you define damage.
Not a new argument
Think "genie out of the bottle."
Re: Not a new argument
Now if they can just keep focused on cyber warfare, instead of going back to germ warfare. We'll lose vital infrastructure, but at least we won't all die.
Re: Re: Not a new argument
Apparently you don't realize how many people could die as a direct result of an attack on that infrastructure. Hospitals are especially problematic. Just walk into any hospital and look around at how much is run by computers. These days losing the computers would cripple a hospital. This could easily cause the loss of many lives, and it is just one example.
The use of computer viruses for warfare is just as stupid as using real viruses. You can never truly anticipate the effects it will have in the wild. Once a virus is loose there is no calling it back.
Thousands upon thousands of computers, companies and people worldwide were infected with Stuxnet.... that was kind of the plan in assisting the delivery. However Stuxnet was so specifically written that only the intended target would see the effects. I.e. only nuclear centrifuges using the make and model of parts only found in Iran would be affected.
What is more noteworthy is that Chevron was unable to prevent the infection that any off-the-shelf anti-malware would protect against.
Re:
Stuxnet used quite a few zero-day exploits. These are exploits which are unknown to anyone but the exploiter, or which have not been publicly released and for which there are no patches and no defenses.
So no, your copy of AVG Free Edition is not going to protect you, or Chevron, against them.
Re:
That should be " I.e. only nuclear centrifuges using the make and model of parts only found in Iran at this point in time would be affected."
What happens if the Iranians do quit, and sell off their components for other uses? Or this thing ends up in someone else's systems down the road that have the same make and model of parts? The problem with stuff like this is that once you cut it loose, realistically, it's around as long as the internet is because there is always someone who doesn't keep up with their security requirements or plugs in an antique computer they bought at a yard sale.
/cyber-tinfoilhat
We live in strange times.
Perhaps when news is slow, you guys might try some original writing, proposing specific solutions not just whining. Of course, if you did, and became a source, then you might begin to understand why creators object to every yahoo ripping off work.
Anyhoo...
"It is believed to have been the costliest development effort in malware history, involving dozens of engineers. It also made use of an unprecedented number of zero-day exploits in Microsoft Windows in order to operate." -- Suggesting that Microsoft was involved. Difficult to even guess, though, as Microsoft surely creates as many zero-day exploits by incompetence as by design.
Click here for Mike "Streisand Effect" Masnick!
http://en.wikipedia.org/wiki/Streisand_effect
Help make Mike the #1 quipper on the net! -- Click one for The Quipper!
Re: We live in strange times.
I write for fun, you stupid yahoo. If someone takes my work and can do better, more power to them.
Course, they'll get lambasted by my fans so... ;P
Re: We live in strange times.
http://www.techdirt.com/articles/20111208/12500917012/riaa-doesnt-apologize-year-long-blog-censorship-just-stands-its-claim-that-site-broke-law.shtml
HA HA HA HA HA HA HA HA HA HA HA
Re: We live in strange times.
This is progress people! He can learn!
Re: We live in strange times.
That is NOT suggesting Microsoft was involved in developing this malware. All the writer said was that it involved 0-days that are in Windows. You're suggesting that if I find an exploit in the Linux kernel then somehow Linus Torvalds helped me.
Do you even know what a 0-day even is? No? Didn't think so.
Re: We live in strange times.
A simpler explanation is that someone at Microsoft leaked a copy of the Windows source code to the malware authors. I hope they were well paid.
So...while it might have spread, what would it actually do on any other machine? Does it open the machine further to other threats? Can it be hijacked? I know these aren't the kind of security questions Techdirt normally deals with, but without some discussion of ACTUAL harm, the article reeks of FUD.
Re:
I bet a team of engineers could even repurpose the whole package to target something else. Especially the Iranian engineers, since they know what the target looked like and can detect the parts of the code that identify them.
Microsoft offered a Stuxnet patch Sept 15th
Personally I think not only Chevron but all industrial and infrastructure computers should be secured off the net.... And made to accept only secured, recognized files and such.
This is like complaining about an employee's email that passed through the corporate network. Yes, the email might have been offensive, illegal, etc.... But since it just passed through and even to this day has no way for either the creators or others to use it to do harm to Chevron, then uhm..... I'm sure an occasional Chevron handles dynamite; does that make him a terrorist because he handled dynamite but never used it for other than intended???
Re:
If we applied your logic to others, then we shouldn't be arresting any virus writer until it's proven to harm your system. Because what it seems to me you are saying is that the US (and whoever else helped them) didn't do any damage, so they should get a pass. If we can do that for the government then we should be doing that for everyone. The reason we don't is that it's been deemed illegal to do this, because of potential damage, not because of actual damage. So why should we give the government a pass? They purposely infected more than just their target. I guarantee that if any one of us did this, we would have guys in suits and sunglasses breaking in the door within an hour of discovering our identity. The cost to businesses around the world to analyze and clean this from their systems (which needed to be done, even if they knew it was from the government, and they didn't for a long time) is a drain on their profits, which in turn could be driving stock prices, downsizing, higher consumer prices, you name it. So this little attack has most likely played a part in the global economic issues over the last several years. And who's to say that this is the only one.
Never assume .....
Take that malware which interfered and was blamed for bringing down that airliner (I believe it was in Spain, if I'm not mistaken). After news of it came out, and their stock began to dip, another story was released, claiming the malware was actually on the avionics diagnostic machine, at a mx facility, and not aboard the aircraft's avionics systems after all (they always do that, after the cat's out of the bag --- or never release the real truth).
The malware wasn't targeted at the airliner's avionics, it simply interfered with the routine alarms being sounded as it occupied specific memory vector spaces it shouldn't have --- similar to that Sony attack on millions.
When Sony CDs were sent out with their own malware aboard --- which interfered with the running of any other brand's CDs on PCs, and also made the infected PCs vulnerable to further hacks, or cracker attacks, etc., plus caused major rebooting loops when an OS patch was trying to be downloaded (funny how the corporate media never mentions this when they mention those Anonymous hacks against Sony).
Remember those at least 1,300 computers at embassies around the world which were infected by malware from China? It activated the workstations' or PCs' cams and microphones, and it lasted almost 2 years (discovered by Canadian computer scientists back in 2009).
That was bad enough, but who knows who else accessed those hacked computers as well????
One can't make unequivocal statements about the damages wrought from malware, unless you've gone through every single line of code, and are equally familiar with every single existing system out there.
Assumptions simply don't cut it.....
Re: Never assume .....
And yet you're comparing it to planes falling out of the sky. That is what I am arguing against, the alarmism displayed in your comment, and a subtle tone of it in the original article.
We can have rational discussions on information security without resorting to the hype that we rightly criticize when some congressman does the Chicken Little routine trying to scare up votes for their overreaching bill.
Perhaps me saying there was no harm done was not strictly correct - but we currently know of no ill effects outside of the intended target - and it has been a while - besides some people and organizations having to do routine scans and purges of their systems. If you know of any, please share, but until we have evidence, we also shouldn't assume there was harm.
Re: Re: Never assume .....
Again, I just gave several examples you appear to have completely ignored --- it was never made public exactly what malware interfered with the normal alarm systems and caused at least one (???? who really knows if there were more) airliner crash, with many dead; it could have been the earliest version of Stuxnet --- airliners and their pax do get around, ya know?????
Any malware, when it gets into biomedical devices with limited memory onboard, can cause untold problems, etc.
And the full amount of problems caused by Sony is still unknown --- two prime examples (three counting Stuxnet) with untold and unknown consequences.
Until all the information and data is in, you are making unqualified assumptions.
Re: Re: Re: Never assume .....
There is a lot more data and evidence around about the extent that Stuxnet spread (relatively limited to a few Mid-East countries), and what it was capable of, than you seem to be aware of.
Based on the evidence we have so far, I feel comfortable saying that Stuxnet did not cause whatever plane you're referring to to crash. What are the pieces of evidence I'm basing that on? First, again, Stuxnet was highly targeted and had a limited spread, primarily in the Mid-East. And second, there are tens of thousands of malware families (and millions of variants, but let's keep it simple), of which Stuxnet is only one - and many of those pieces of malware are far more aggressive and damaging. It is much more likely that if whatever plane crash you're referring to was caused by malware, it was caused by one of the "garden variety" threats we see every day, and not some specialized version that was designed to infect an Iranian nuclear facility.
I suspect this to be the case simply because after the own up of the US involvement almost everyone from Siemens to Microsoft had a patch out in days.
Chevron's SCADA control is not hooked to the net. It runs on a separate system, tied through the company's intranet, and by itself is not able to connect to the internet. A separate computer is used for report generation, record keeping, company emails, and web surfing. Changing ladder logic requires the software as well as a dongle to obtain authorization access to alter software settings, as well as to make changes in operation parameters outside those already set up. I know this because I used to run such systems for them.
It is hooked up this way so that when a hurricane abandonment happens, the offshore platforms are left running. The crews that operate them come inshore and continue to monitor and operate the platforms by remote control. Due to Federal laws, some operations cannot be restarted if they go down unless the operator is physically present to restart them. This is due to things like: if you had a hole in a line spraying oil and had a shutdown due to a low pressure sensor, the last thing you would want is for someone to be able to restart without looking over the area first.
In addition, video feeds for sea conditions as well as current, wave, and on-site weather conditions are all fed through the system. The operators are liable to be several hundred miles from the platform they are controlling under hurricane conditions.
Re:
Excellent idea.
If a nuclear strike hits a city, the (majority of) victims will die quickly, almost instantaneously.
If a digital strike manages to disrupt major civic infrastructure, we only have to worry about the slow deaths of disease, starvation, and dehydration. And perhaps some localized violence as a side effect.
I don't believe that we are in any sort of cyber danger right now. I do not believe we need a massive cyberwar program that monitors everything going on over the nets. But I am not foolish or complacent enough to assume that there is no threat.
Large cities are only sustainable through amazing feats of logistics. Anyone familiar with the resources needed to maintain a city understands that a significant disruption in the infrastructure causes conditions to degrade rapidly. When you have millions of people in the close proximity of any major city, you require millions of gallons of water and millions of pounds of food to be made available on a daily basis, as well as massive amounts of electricity to power everything from hospitals to iPods. Food and water can be kept in reserve, but any disruption longer than a week on a large scale can have dramatic consequences.
True, we have a robust and redundant infrastructure, and are able to truck in food and water if necessary, and power essential devices. But we're far from invulnerable.
If I'm going to be a casualty of war, I'd rather be incinerated by a bomb than starve to death as I watch civilization crumble from within.
We don't face an imminent threat. Any major blow from cyberwarfare would be several years into the future, and would require significant coordination, but it's not impossible.
The point of Mr. Moody's post is that we're playing with fire. Fire can be a very good thing, when properly controlled and understood. But there's nothing alarmist in reminding people that fire is in fact dangerous.
Stuxnet is simply one of many examples of a widely-acknowledged truism. There is no such thing as perfect security. With unlimited time and money, a thousand monkeys with typewriters will bypass your triple authentication biometric-passcode-keyed lock. Stuxnet managed to jump air gaps, exploit vectors, and hack the Gibson.
More importantly, Stuxnet was a generalized attack with a specific payload. It "attacked" millions of computers, and was successful in doing so. It didn't "do anything" because the payload was limited. The cyberwar scares come from the idea of a generalized attack with a generalized payload. This is somewhat overstated because computers don't really have the uniformity required for a generalized payload to exist. HOWEVER, a payload can be successfully crafted so that it isn't quite as specific as Stuxnet. With a more generalized payload, the scattershot approach of weaponized malware can easily be turned into "pissing in the wind," so to speak.
Re:
And many of us find such opinions, based upon pure ignorance rendered by the corporate media's false and fictionalized reporting -- or rather misreporting, of statements from Iranian politicians, more than ironic, dangerously ignorant.
Since the overthrow of their democratically elected president or prime minister by the CIA, Brits and criminal elements within that country (Iran), and with the theft of their monies on account in the USA during the hostage crisis --- which very likely was precipitated by at least two major events: the previous overthrow, and installing of the dictator that Shah of his Peacock Throne, and during their revolution in the late '70s, Jimmy Carter's presidential directive to destabilize the then-secular government of Afghanistan (moving Islamic Wahabist extremists from Saudi Arabia, with Saudi Arabian financial backing as well, to Afghanistan's northern border with the old Soviet Union to foment political and religious turmoil there --- the precursor to the Mujahedeen and eventually the Taliban --- when Sufi Islam [a more moderate form and non-extremist] was the majority religion among those living at the northern border).
No irony involved, simply the typical American ignorance of their own history, which is why, with the typical American media attention span of 20 seconds, President Obama claims it to be the right of Israel to "defend" itself against retaliatory missiles fired into that country, when President Obama has directed exactly how many missiles fired by US drones into how many different foreign countries?????
No, this is GOOD news!
Good things will happen, though, I can feel it!