By Richard Sale
Major U.S. oil companies, already facing increasingly sophisticated cyber attacks by China, have also been infected by the Stuxnet virus, which has attacked computers in countries from Germany and Indonesia to Kazakhstan, U.S. intelligence sources said.
Victims of the Stuxnet virus, intelligence sources said, include Baker Hughes, ConocoPhillips, Marathon, and Chevron, which last week was the first of the group to declare it had been attacked by the virus.
In a Wall Street Journal story late last week, Chevron, the billion-dollar oil company based in California, confirmed its computer systems were infected with Stuxnet, a virus developed by the U.S. and Israel to strike Iranian nuclear facilities at Natanz.
Chevron spokesman Morgan Crinklaw was quoted by The Wall Street Journal as saying the company was protected from major damage to its network, adding the company made “every effort to protect our data systems from those types of threats.”
According to U.S. officials, any industrial component is liable to be targeted by such sophisticated attacks. James Lewis, cyber expert at the Center for International and Strategic Studies (CSIS), said “thousands of places around the world were infected but only one was damaged,” the Iranian facility at Natanz.
Lewis said, “Stuxnet is an interesting weapons design. You need to introduce the virus and then you need to trigger it. It only works against a specific configuration.” The first stage of the virus uses a “beacon” that performs surveillance of the target, mapping an electrical blueprint of Iran’s centrifuges, with the data sent back to the National Security Agency in Maryland. The second stage, a trigger, added a number of “zero-day exploits” that can cause physical damage. The virus was only configured for Iranian nuclear facilities. It wasn’t designed to spread, U.S. officials said.
But it did.
U.S. sources confirmed the account of researchers at Symantec and Kaspersky Labs that stated Stuxnet had two versions. The first, launched in 2010, had a 21-day period after which the virus would be null and void. Shortly thereafter, the U.S. and Israel launched a second version, believing the first was ineffective. The second version had a different trigger, and U.S. sources said they believed Israel introduced some error in the code trigger. They didn’t elaborate.
Naming the Victims
Chevron was one of the first oil companies to be a victim of the Stuxnet virus. Others, including Baker Hughes, Marathon, ExxonMobil, Shell, and BP, have yet to publicly acknowledge attacks by the virus because reporting incidents could trigger liability.
Blair Nicholas, of the law firm Bernstein Litowitz Berger and Grossman based in San Diego, said in a recent news report, “To the extent that there aren’t adequate procedures in place to protect the companies’ crown jewels and somebody gets the key to the jewelry box, there is certainly potential for shareholder derivative liability.”
Besides Chevron, none of Stuxnet’s corporate victims, including Marathon Oil, ConocoPhillips and Baker Hughes, has disclosed the attacks in filings with regulators.
These same companies have already been victims of Chinese-backed industrial espionage assaults that have cost them billions of dollars in plans and intellectual property, sources said, and some of the Chinese attacks remained undetected for years.
In attacks on Baker Hughes and Shell Oil, the Chinese targeted bid data as well as project plans and financial information.
Conoco and Exxon experienced similar breaches, but they went unreported because of client confidentiality. Studies have already been done of malware aimed at seizing data in the computers of a drilling rig working on a ConocoPhillips project, sources said.
None of these companies have commented on this matter to the U.S. press.
New Threats to Platforms
New computer-controlled oil platforms are already a reality. But offshore-onshore contact and the processes out on the platform are often controlled by onshore personnel via networked PCs. When onshore and offshore networks are linked, the chances of attacks by viruses and hackers increase dramatically.
Experts say that while oil companies have improved offshore safety, they have lagged in the field of information security. For example, several experts said virus attacks have led to electronic equipment becoming unstable, and while personnel undergo scenario training to reduce risks, such training is seldom employed in the field of information security.
This is especially dangerous as the current trend moves toward unmanned, robot-controlled platforms, which leave electronic equipment more exposed to attack. Ludolf Luehmann, manager of IT at Shell, Europe’s largest oil company, said in a recent news report, “We see an increasing number of attacks on our IT systems and information, and there are various motivations behind it: Criminal and commercial,” all focusing on research and development to gain a competitive advantage.
Cyber war experts like Lewis are aware most industries operate on computers vulnerable to attack, and hackers are increasing in numbers, becoming more knowledgeable and skilled, and making more daring attacks on systems. “The Chinese have been very successful,” Lewis said.
Oil companies are warning that the worst-case scenario would be one in which valves were accessed, which could set offshore rigs on fire, kill personnel and halt production. The cost of downtime on an offshore rig is $6.3 million a day, experts said. The financial loss could be huge.
Stuxnet, which crippled Iran’s nuclear centrifuges, shows the potential devastation of a worm created to cause damage. Experts believe this kind of attack could be replicated on oil producing offshore rigs.
Riemer Brower, head of IT security at Abu Dhabi Company for Onshore Oil Operations, said the oil industry has avoided any damaging incidents so far, but he warned that “the oil companies in charge are no longer really in control.”
Richard Sale was Intelligence Correspondent for United Press International for 10 years and for the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.