BOSTON
(Reuters) - Security experts have discovered a highly sophisticated computer
virus in Iran and other Middle East countries that they believe was deployed at
least five years ago to engage in state-sponsored cyber espionage.
Evidence suggest that the virus,
dubbed Flame, may have been built on behalf of the same nation or nations that
commissioned the Stuxnet worm that attacked Iran's nuclear program in 2010,
according to Kaspersky Lab, the Russian cyber security software maker that
claimed responsibility for discovering the virus.
Kaspersky researchers said on
Monday they have yet to determine whether Flame had a specific mission like
Stuxnet, and declined to say who they think built it.Iran has accused the United States and Israel of deploying Stuxnet.
Cyber security experts said the
discovery publicly demonstrates what experts privy to classified information
have long known: that nations have been using pieces of malicious computer code
as weapons to promote their security interests for several years."This is
one of many, many campaigns that happen all the time and never make it into the
public domain," said Alexander Klimburg, a cyber security expert at the
Austrian Institute for International Affairs.
A cyber security agency in Iran said on
its English website that Flame bore a "close relation" to Stuxnet,
the notorious computer worm that attacked that country's nuclear program in
2010 and is the first publicly known example of a cyber weapon. Iran ’s National Computer Emergency Response Team
also said Flame might be linked to recent cyber attacks that officials in Tehran have said were
responsible for massive data losses on some Iranian computer systems. Kaspersky
Lab said it discovered Flame after a U.N. telecommunications agency asked it to
analyze data on malicious software across the Middle East in search of the
data-wiping virus reported by Iran .
STUXNET CONNECTION
Experts at Kaspersky Lab and
Hungary's Laboratory of Cryptography and System Security who have spent weeks
studying Flame said they have yet to find any evidence that it can attack
infrastructure, delete data or inflict other physical damage.Yet they said they
are in the early stages of their investigations and that they may discover other
purposes beyond data theft. It took researchers months to determine the key
mysteries behind Stuxnet, including the purpose of modules used to attack a
uranium enrichment facility at Natanz ,
Iran
"Their initial research
suggest that this was probably written by the authors of Stuxnet for covert
intelligence collection," said John Bumgarner, a cyber warfare expert with
the non-profit U.S. Cyber Consequences Unit think tank.
Flame appears poised to go down
in history as the third major cyber weapon uncovered after Stuxnet and its
data-stealing cousin Duqu, named after the Star Wars villain.
The Moscow-based company is
controlled by Russian malware researcher Eugene Kaspersky. It gained notoriety
after solving several mysteries surrounding Stuxnet and Duqu.
Their research shows the largest numbers
of infected machines are in Iran ,
followed by Israel and the
Palestinian territories, then Sudan
and Syria .
The virus contains about 20 times as much code as Stuxnet, which caused
centrifuges to fail at the Iranian enrichment facility it attacked. It has
about 100 times as much code as a typical virus designed to steal financial
information, said Kaspersky Lab senior researcher Roel Schouwenberg.
GATHERING DATA
Flame can gather data files,
remotely change settings on computers, turn on PC microphones to record
conversations, take screen shots and log instant messaging chats.
Kaspersky Lab said Flame and
Stuxnet appear to infect machines by exploiting the same flaw in the Windows
operating system and that both viruses employ a similar way of spreading.
That means the teams that built
Stuxnet and Duqu might have had access to the same technology as the team that
built Flame, Schouwenberg said.He said that a nation state would have the
capability to build such a sophisticated tool, but declined to comment on which
countries might do so.The question of who built flame is sure to become a hot
topic in the security community as well as the diplomatic world.
There is some controversy over
who was behind Stuxnet and Duqu. Some experts suspect the United States and
Israel, a view that was laid out in a January 2011 New York Times report that
said it came from a joint program begun around 2004 to undermine what they say
are Iran's efforts to build a bomb.
The U.S. Defense Department, CIA,
State Department, National Security Agency, and U.S. Cyber Command declined to
comment.Hungarian researcher Boldizsar Bencsath, whose Laboratory of
Cryptography and Systems Security first discovered Duqu, said his analysis
shows that Flame may have been active for at least five years and perhaps eight
years or more.
That implies it was active long
before Stuxnet. "It's huge and overly complex, which makes me think it's a
first-generation data gathering tool," said Neil Fisher, vice president
for global security solutions at Unisys Corp (UIS.N).
"We are going to find more of these things over time." Others said
that cyber weapons technology has inevitably advanced since Flame was
built." The scary thing for me is: if this is what they were capable of
five years ago, I can only think what they are developing now," Mohan Koo,
managing director of British-based Dtex Systems cyber security company. Some
experts speculated that the discovery of the virus may have dealt a
psychological blow to its victims, on top of whatever damage Flame may have
already inflicted to their computers.
"If a government initiated
the attack it might not care that the attack was discovered," said
Klimburg of the Austrian Institute for International Affairs. "The
psychological effect of the penetration could be nearly as profitable as the
intelligence gathered."