Asia Time Online - Daily News
Asia Times Chinese
AT Chinese

    Middle East
     Jun 1, 2012

Israel fans a virtual Flame against Iran
By Pierre Klochendler

JERUSALEM - A new super-weapon has entered the Middle East cyber-arena. First detected on Monday by a Moscow-based security company, Worm.Win32.Flame - just call it Flame - might be "the most sophisticated cyber-weapon yet unleashed" on Iran's secret nuclear networks.

"Flame can easily be described as one of the most complex threats ever discovered. Big and incredibly sophisticated, it redefines the notion of cyber-war and cyber-espionage," Alexander Gostev posted on the Securelist blog of Kaspersky Labs, the company that uncovered the worm. Gostev is head of the firm's Global Research and Analysis Team.

The newly-discovered multi-task device sniffs network traffic, takes screenshots when certain applications of interest are run,


records audio conversations, intercepts keyboard strokes - the web seems to be the limit.

From an initial analysis performed by Kaspersky Labs, the Flame creators gather intelligence on highly sensitive operations of states, principally in the Middle East - e-mails, documents, messages or discussions inside sensitive locations - and can "target SCADA [supervisory control and data acquisition] devices, ICS [industrial control systems], critical infrastructure and so on".

The hijacked data is then retrieved by operators through links to command-and-control (C&C) servers. "Key here is Flame's completeness - the ability to steal data in so many different ways," Gostev notes.

Kaspersky Labs discovered Flame following a request from the United Nations. The world body's International Telecommunication Union suspected the existence of an unknown malware - codenamed Wiper - whose task would be to delete sensitive information across the Middle East.

Iran is the top target, with the worm "crawling" in at least 189 of its computers. The West Bank comes second with 89 infected computers.

Sudan comes third with 32 damaged computers. Then almost in a tie, stands Syria with the worm identified in 30 computers. Eighteen computers were targeted in Lebanon; 10 in Saudi Arabia. Next but not last is Egypt, with five contaminated computers. All except the latter are considered enemy states of Israel.

In its blog, the security software maker Symantec said Flame was also uncovered in computers in Hungary, Austria, Russia, Hong Kong and the United Arab Emirates.

Though no trace in the code ties the latest malware to any specific copyrighter, author or state, Iran indirectly blamed Israel for Flame.

"Some countries and illegitimate regimes are used to producing viruses," Foreign Ministry spokesman Ramin Mehman-Parast was quoted on Tuesday in the semi-official Iranian news agency Fars.

Tehran often refers to Israel as "the illegitimate Zionist regime". The allegation was based on an interview given on Monday by Israeli Vice Prime Minister Moshe Ya'alon to Israel Army Radio.

"Anyone who sees the Iranian [nuclear] threat as a significant threat - it's reasonable [to assume] that he'll take various steps, including these, to harm it," Ya'alon declared. He said "Israel is blessed as a country rich with high-tech; these tools that we take pride in open up all kinds of opportunities for us."

According to a New York Times investigation published in January, Stuxnet, the cyber-villain discovered in 2010 that attacked Iranian centrifuges, specifically in the Natanz uranium enrichment facility, was tested within the premises of the Dimona nuclear complex located in southern Israel.

According to Gostev, links could indicate that the Flame wizards accessed technology used in Stuxnet. Indeed, the worm seems to have run in parallel to the Stuxnet project as preliminary analyses show it's been disseminated since February 2010.

Kaspersky Labs points at certain characteristics shared by Flame and Stuxnet, but unlike Stuxnet that damages computerized equipment, Flame is meant to collect information.

Duqu, another information-gathering malware useful in targeting ICS systems and attached to Stuxnet, was first uncovered in 2011 by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics.

In April, news came out from Iran that Tehran disconnected servers from the Internet as a cyber-outbreak struck at the Kharg island oil terminal (from which Iran exports some 80% of its crude oil). The attack is now thought to have been provoked by Flame.

The major difference between the Flame and the Stuxnet/Duqu projects lies in the fact that the Flame code is 20 times larger, and targets thousands of systems worldwide, including computers in academia, private companies and of specific individuals.

What's more, operators "can conduct analysis of the data of the victim systems and uninstall Flame from systems that aren't interesting, leaving the most important ones in place. After which they start a new series of infections," Gostev emphasized.

Ilan Proimovich, Kaspersky's representative in Israel, told Army Radio that the worm "is operated by remote control. It's not always active, thus it's so difficult to detect."

Though the common assumption is that a small code like the one of Stuxnet is easier to hide, the large size of the Flame code (over 20 MB) is precisely why it wasn't discovered for so long, notes Gostev.

While the analysis of the Stuxnet code (500K) took months, it's estimated that deciphering the more complex Flame code will last at least a year.

Israeli Information Security analysts say the worm highlights the Iranian nuclear program's Achilles heel - its inability to ward off cyber attacks.

Assaf Turner, chief executive officer of the Israeli-based Maya Security company, believes that "Flame likely penetrated highly secure computer systems" in Iran.

"Iran's brush with Duqu and disastrous encounter with Stuxnet prove that the Islamic Republic is, indeed, lacking in the field of cyber-security," he asserted on the Israeli news site YNet.

One could entertain the euphoric dream that the current cyber-espionage war would provide an elegant, virtual, way to put an end to the alarming suspicion that Iran is developing the capability to master the doomsday weapon. This, before other far more mortal means are employed to try to destroy the nuclear threat once and for all.

(Inter Press Service)

Coded messages for Iran (May 30, '12)

Stuxnet raises virus stakes (Oct 2, '10)

Top judge falls in the Philippines

2. Hard truths from Pyongyang's prodigal son

3. Coded messages for Iran

4. Got war if you want it

5. Iran's pipe dream in space

6. Pyongyang starts to feel the heat

7. Facebook - equities' death knell

8. Turkey's Erdogan pushes into Eurasia

9. Ikea felling ancient trees

10. The sweet and sour of oil

(24 hours to 11:59pm ET, May 30, 2012)


All material on this website is copyright and may not be republished in any form without written permission.
Copyright 1999 - 2012 Asia Times Online (Holdings), Ltd.
Head Office: Unit B, 16/F, Li Dong Building, No. 9 Li Yuen Street East, Central, Hong Kong
Thailand Bureau: 11/13 Petchkasem Road, Hua Hin, Prachuab Kirikhan, Thailand 77110