The “Flame” virus is the atom bomb of 21st century espionage, to date the largest and most elaborate computer bug ever discovered. It has lived in the deep recesses of Iranian government computers for years, spying on everyone and everything it comes into contact with.
It is more than a mere surveillance virus, it’s an “entire” self-contained “cyber espionage operation” according to Roel Schouwenberg, a senior security researcher with Russian based Kaspersky Labs, one of the first security networks to analyze the malware. While mostly infecting Iranian computer systems the virus has also been detected throughout the Middle East in Saudi Arabia, United Arab Emirates, Egypt, Sudan and even as far as Europe under the name sKyWIper or “Wiper,” this according to Hungarian based CrySyS Lab. By their estimates Flame may have been active “for as long as five to eight years.”
Iran’s National Computer Emergency Response Team (CERT) or MAHER Center, which initially discovered the worm working its way through their systems, reported it was undetectable by 43 known antivirus protocols and only discovered after several investigations. The intruder has thus far been successful at not only remaining undetected until recently, but responsible for “mass data loss” according to MAHER officials. Iranian agencies have since developed a removal tool to eliminate the threat.
At a whopping 20 megabytes Flame is 20 to 30 times larger than the infamous Stuxnet and Duqu viruses discovered in 2009 and 2010. Stuxnet was used to attack Iran’s nuclear program, the ravenous bug caused centrifuges in a targeted facility to spin out of control, ultimately destroying it and setting back potential nuclear capability by years if new estimates by Israeli intelligence are correct.
Flame exceeds previous generations of malware. It has the capability to collect lists of “vulnerable passwords”, “create series of user’s screen captures,” covertly send intelligence back to remote servers, link to discoverable Bluetooth devices and even act as a beacon for a Bluetooth device to link back. It is quite versatile, capable of infecting Windows XP, Vista and 7 other common operating systems.
While Flame was created on a different platform than Duqu or Stuxnet, in fact utilizing a well known, easier to use “Lua” programming language, responsible for popular games like Angry Birds evidence seems to suggest that Flame is similar enough in that the previously “unassailable” Linux OS is also thought to be vulnerable. The fact that Flame uses this unorthodox, albeit simpler code has been credited with its ability to outwit standard countermeasures even given its relatively colossal size.
One of the most interesting parts of Flame is its various permutations. It has an ability to carry out very specific tasks each time it is recreated. Besides the aforementioned it can also turn on microphones, potentially cameras and send back all relevant information through multiple domains to its command and control servers (C&C) located all over the world. Moreover, as a veritable binary spy it has an exit strategy. The controller can use the “browse32” function to create a digital LZ and pluck the virus out from behind enemy lines leaving not a trace.
The State-Sponsored Cyber War
There is little doubt in the cyber security realm that Flame is anything, but a state-sponsored operation. The two other possible culprits – hacktivists and cybercriminals – don’t match Flame’s modus operandi. Flame isn’t after bank accounts and it doesn’t resemble the rather simple tools known to be used by Anonymous, LulzSec and others. Rather than targeting multilateral corporations or political institutions, the high concentration of attacks within Iran and throughout the Middle East suggests geopolitical objectives generally pursued by nation states.
Israel and the United States top the short list of likely culprits and for simplicity’s sake Israel has been more than happy to tacitly admit complicity – again. According to Vice PM Moshe Yaalon Israel is “blessed as being a country rich with high-tech” and takes pride in the “opportunities” this has given them. More specifically the likely source is Israel’s Unit 8200, equivalent to the United State’s National Security Agency (NSA) and in fact founded in 1952 off surplus American military equipment. The unit has allegedly been responsible for using a secret “kill switch” to deactivate Syrian air defenses during Operation Orchard. Moreover, alumni of the military intelligence branch have gone on to found leading Israeli IT companies. Unit 8200 is shrouded in mystery including its commander a Brigadier-General whose identity remains classified.
Considering Israel and the U.S. have acknowledged conducting clandestine operations in Iran this is merely the next logical chapter after years of ongoing low intensity warfare. No conventional troops, no sorties just faux color revolutions, Nevada trained proxy insurgencies a la Mujadahideen-e-Khalq (MEK), multi lateral sanctions and a cornucopia of sabotage or given recent events the newest tactic – cybertage. The perfect strategy for the 21st century, after all it’s discrete and politically correct.
The responsibility for conducting these offensive cyber operations in the new digital battlefield is likely the newest player on the military industrial complex’s bench, the Pentagon’s Cyber Command (USCYBERCOM), which virtually ties together the strategic mosaic of American global hegemony.
According to the U.S. officials USCYBERCOM is responsible for merely “defense” of military telecommunications infrastructure (.mil etc.), but recent reinterpretations of what the best defense actually is and broad mission statements make vividly clear its hegemonic intent:
“USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”
Domestic considerations are left to the Department of Homeland Security (DHS) and its brand new baby the National Cybersecurity Center, a mini Pentagon, recently completed and based in Salt Lake City, Utah. Ring leading the cyber security circus is undoubtedly the now nearly century old ultra secretive NSA no stranger to flouting international or U.S. law. A fact well documented by James Bamford in his works Puzzle Palace and Body of Secrets.
Digital attacks are nothing new to the U.S. strategy. Preceding even Hollywood movies like War Games and Hackers the CIA was purportedly behind “the mother of all Scada attacks” 30 years ago when it used a “logic bomb” to blow up a Siberian gas pipeline. The KGB was trying to steal pipeline control software and the CIA rigged the software to over pressurize the Soviet pipelines. In a similar vein, Flame has been found infecting the Iranian oil industry responsible for 80% of the country’s revenue.
Over and over again we hear from not only Iran’s leadership, but through our own intelligence services that Iran is demonstrably no closer to a nuclear weapon than they were almost 10 years ago. That is precisely the need for an all encompassing super virus like Flame, a virus capable of telling us about literally every key stroke Iranian officials make. Western nations have no evidence thus far of Iran’s nefarious intent merely hearsay, the opinion of “intelligence experts”, former “security chiefs” and crazy theocrats bent on Islamic empire. Western and Israeli intelligence agencies are looking for a “smoking calutron,” thus far they have failed.
Nevertheless it is political gold to be tough on Persia with persistent little regard for how we arrived at this point of mistrust – meet our lingering Iranian war psychosis. Probably the most disturbing part of it all is the obvious self-fulfilling prophecy and the clear opportunity for digital blowback and ultimately the validation of everything the government wishes to convince us is a real threat.
In March on “60 Minutes” retired U.S. Air Force General Michael Hayden, former director of the CIA and NSA, commented on the downside of the Stuxnet virus. “There are those out there who can take a look at this… and maybe even attempt to turn it to their own purposes,” Hayden said. His opinion was backed up by Sean McGurk, a former cybersecurity official at DHS who noted the Stuxnet source code could be copied and used against new targets, possibly aimed back at the United States. Whoever created Stuxnet or DuQu, “They opened the box. They demonstrated the capability… It’s not something that can be put back,” according to Mcgurk.
Flame opens the same Pandora’s Box. As Thomas Friedman was famous for noting, the World is Flat – so is the digital battlefield. “In warfare, when a bomb goes off it detonates; in cyberwarfare, malware keeps going and gets proliferated,” said Roger Cressey, senior vice president at security consultancy Booz Allen Hamilton, at a Bloomberg cybersecurity conference held in New York last month. The idea that our own espionage malware will proliferate in our fruitless attempt the prevent the proliferation of other weapons of mass destruction (albeit physical in nature) will surely use up a life time supply of irony.
Alas, this is the sign of our times. We end one war only to receive another in its stead. The code wars of the future may be entirely of our own design and will make the asymmetrical warfare of the War on Terror seem like a brief and illequipping prologue as citizens and or terrorists with sophisticated knowledge of software coding could wreak crippling global havoc. Perhaps if our own government’s malware doesn’t pervade every system on Earth an idealistic Luddite might send us all back to the Stone Age so that we might live history all over again.