Thursday, May 31, 2012

FLAME: Cyber-Espionage Revolutionised

The recent discovery of a computer virus has confirmed fears that the world has entered a new age of cyber espionage and sabotage.

Security experts discovered a highly complex computer virus, referred to as a "super virus", in Iran and other states of the Middle East, which they believe was deployed at least five years ago to engage in espionage; the prime targets so far have been energy facilities. There is purportedly evidence to suggest that the virus, named FLAME, may have been commissioned by or on behalf of the same nation or group of nations that commissioned the STUXNET worm responsible for attacking Iran's nuclear programme in 2010.

It is the third cyber attack weapon targeting systems in the Middle East to be exposed in recent years. 

Iran has alleged that the West and Israel are orchestrating a secret war of sabotage, using cyber warfare and targeted assassinations of its scientists, as part of the dispute over its nuclear programme. The suspicion is that Israel's crack Unit 8200 may have developed this cyber-espionage tool.

Stuxnet attacked Iran's nuclear programme in 2010, while a related programme, Duqu, named after the Star Wars villain, stole data. Unlike the Stuxnet virus, which attacked an Iranian enrichment facility, causing centrifuges to fail, Flame does not disrupt or terminate systems. Flame can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screenshots and copy instant messaging chats. Experts describe it as a multitasking mole. It can wipe data off hard drives, but it can also be a tireless eavesdropper, activating audio systems to listen in on Skype calls or office chatter. It can also take screenshots, log keystrokes and, in one of its more novel functions, steal data from Bluetooth-enabled mobile phones.

Kaspersky Labs said the programme appeared to have been released five years ago and had infected machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
"If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don't know about," Roel Schouwenberg, a Kaspersky security senior researcher, said. 

Professor Alan Woodward from the department of computing at the University of Surrey said the virus was extremely invasive. It could "vacuum up" information by copying keyboard strokes and the voices of people nearby. 

The virus contains about 20 times as much code as Stuxnet, which attacked an Iranian uranium enrichment facility, causing centrifuges to fail. Iran's uranium output suffered a severe blow as a result of the Stuxnet activities. In fact, the Flame malware is much larger than Stuxnet and is protected by multiple layers of encryption.

Schouwenberg said there was evidence to suggest the code was commissioned by the same nation or nations that were behind Stuxnet and Duqu, thereby hinting that Israel and/or the United States were the brains behind the virus.

Iran's Computer Emergency Response Team said it was "a close relation" of Stuxnet, which has itself been linked to Duqu, another complicated information-stealing virus which was believed to be the work of state intelligence. 

It said organisations had been given software to detect and remove the newly-discovered virus at the beginning of May. 

Crysys Lab, which analyses computer viruses at Budapest University, said the technical evidence for a link between Flame and Stuxnet or Duqu was inconclusive. 

The newly-discovered virus does not spread itself automatically, but only when its hidden controllers allow it to. 

Unprecedented layers of software allow Flame to penetrate remote computer networks undetected. 

The file, which infects Microsoft Windows computers, has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more.
Its components enable those behind it, who use a network of rapidly-shifting "command and control" servers to direct the virus, to turn microphones into listening devices, siphon off documents and log keystrokes. 

Eugene Kaspersky, the founder of Kaspersky Labs, noted that "it took us 6 months to analyse Stuxnet. [This] is 20 times more complicated". 

Once a machine is infected, additional modules can be added to the system, allowing the machine to undertake specific tracking projects. 

Flame uses at least 80 different servers and domain names to relay its data back home, so it is extremely difficult to track its usage and where the information is transferred.

As has been stated, none of the experts in the field is willing to state on the record who could be behind this complex super virus. Speculation has been that either Israel, or Israel in conjunction with the US, could possibly have developed this deadly programme. Israel has the necessary expertise in developing tools of cyber espionage and cyber warfare. Unit 8200 (Unit Eight Two-hundred, or shmone matayim in Hebrew), referred to earlier, is an Israeli Intelligence Corps unit responsible for the collection of signals intelligence and code decryption. It is also known in military publications as the Central Collection Unit of the Intelligence Corps. This unit is alleged to have developed the computer worm Stuxnet, which targeted the Iranian nuclear programme in 2010.

Israel is the master of cyber warfare. If Israel has been responsible for launching Flame using gaming code, then certainly Israel has revolutionised espionage by going high tech, obviating the necessity of sending in human agents. At this point in time one can only speculate as to how Israel might 'successfully' disable Iran's nuclear enrichment programme and its economy with greater dexterity than the bludgeon of more legislated 'tougher sanctions' or a conventional military strike. 

Cyber-snooping has indeed been revolutionised with the introduction of this new virus.


Pete said...

Hi Kumar

Obama has just admitted the US was behind Stuxnet in the last few hours. Others link the US with Israel's Unit 8200 (as you indicated) in Stuxnet production.

I'm assuming the NSA is behind Flame with Israel first being a victim then joining the US in a Flame intelligence collection alliance.


Attreyi said...

Very interesting!

Kumar said...

Thanks Attreyi & Pete
Pete, when I read your comment about Obama's admission, I was wondering why a President would go on record claiming that the US was behind this operation. I am reproducing the last few lines from the article -
US officials confirm Stuxnet was a joint US-Israeli op – John Leyden

"Sanger's research is more evidence in support of this theory and the only real question is why officials have begun talking about the secret spy op.
The reasons could be political, security experts speculate.
"Obama wanted to get credit for Stuxnet, as that makes him look tough against Iran," said Mikko Hypponen, chief research officer at F-Secure. "And he needs that as Presidential elections are coming."

I think it was very foolish on the part of the head of a state to make admissions of this nature, given the sensitive and covert nature of the operation.


Pete said...

Hi Kumar

I agree. US Presidents publicising what is normally considered secret or top secret for political gain damages morale throughout intelligence communities and can even risk lives.

Obama seems bent on being the "Special Ops President". He's claimed credit for ordering bin Laden's execution, for the Stuxnet electronic special op and now is receiving implicit credit for Flame.

Here's another good source on Flame