Chevron becomes the first U.S. company to confirm a network hit by the Stuxnet virus, an incident that reportedly occurred back in 2010 when the malware – designed to interfere with critical infrastructure operations – was discovered.
CIO Journal, Wall Street Journal's tech news service, broke the news Thursday afternoon, and interviewed Mark Koelmel, the oil giant's general manager of the earth sciences department.
“I don't think the U.S. government even realized how far it spread,” Koelmel told the publication.
When Stuxnet was made public in June 2010, a New York Times article contended that the worm was a creation of the United States and Israel to undermine Iran's nuclear program, where infections were primarily centralized.
Because of Stuxnet's history, it is believed that Chevron's encounter with the worm was accidental – a case of the sophisticated malware running loose beyond its intended targets.
A Chevron spokeswoman told CIO Journal that the company wasn't negatively impacted by the virus. SCMagzine.com reached out to Chevron for comment, but the company did not immediately respond.
Stuxnet is designed to target specific controls, the Siemens supervisory control and data acquisition (SCADA) systems, which manage and monitor critical industrial processes.
Aviv Raff, CTO of Seculert, which specializes in cloud-based advanced threat detection, told SCMagazine.com on Friday that it is likely that other U.S. companies have been impacted by Stuxnet. He is not surprised they haven't come forward.
“I do think there are other companies that are keeping quiet and this is normal behavior,” Raff said. He added that a company the size of Chevron would be a “reasonable” mistake given its operations, which fit the category of the malware's destructive aims.
Philip Kim, the CEO of South Korea-based AhnLab, which provides advanced persistent threat (APT) mitigation solutions for end-user clients and has U.S. operations, said that APT saboteurs are often watching and waiting for the right moment to strike.
Businesses and organizations should be aware that attackers, especially with nation-state backing, are bounds ahead of standard detection methods, like anti-virus programs, he said.
“In terms of APT [perpetrators], they are being hired for this crime,” Kim said. “We need to think about the timing other than just remediating this new malware. Anti-virus programs update the software with new signatures, but they are checking it just before it's updated. They know the timing, so they attack before the update.”