Iran appears to be under a new wave of computer attack from a mysterious virus, which has left online security experts in awe of its sophistication.
The virus, dubbed “Flame,” effectively turns every computer it infects into the ultimate spy. It can turn on PC microphones to record conversations taking place near the computer, take screenshots, log instant messaging chats, gather data files and remotely change settings on computers.
Security experts from the Russian Kaspersky Lab, who announced Flame’s discovery on Monday, said it is found in its highest concentration in Iranian computers. It can also be found in other Middle Eastern locations, including Israel, the West Bank, Syria and Sudan.
The virus has been active for as long as five years, as part of a sophisticated cyber warfare campaign, the experts said.
It is the most complex piece of malicious software discovered to date, according to Kaspersky Lab’s senior security researcher Roel Schouwenberg, who said he did not know who built Flame.
If the Lab’s analysis is correct, Flame could be the third major cyber weapon directed against Iran, after the Stuxnet virus that attacked Iran’s nuclear program in 2010, and its data-stealing cousin Duqu.
The Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics said the new program “covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, Wi-Fi, Bluetooth, USB and system processes,” adding, “Information gathering from a large network of infected computers was never crafted as carefully,” according to a report by the Hexus technology website.
The complexity of Flame bears the hallmarks of a program engineered by a state, a number of Israeli computer experts told The Jerusalem Post.
As details of Flame filtered through the media, network security experts in Israel, requesting anonymity, studied the initial reports and indicated that they believed small groups of hackers could not be behind the virus.
“This is not a couple of hackers who sat in a basement,” one expert said. “This is a large, organized system. It is possible that years were invested in creating it.”
A second analyst said viruses at this level of sophistication require major capabilities and knowledge of code development, noting that “these are available only to states. And that’s without mentioning a motive for developing [such a program].”
The experts believe that a good computer hacker can put together complex code running to thousands of lines, but when hundreds of thousands of lines or more are written, a major organization is far more likely to be involved. According to reports, Flame has 100 times more code than a virus designed to steal financial data, and 20 times more code than Stuxnet.
Yet it is not just the size of the code that is important, but also the knowledge of its target.
The Stuxnet virus, for example, was more than complex code; it was planned with detailed information on the Siemens supervisory control and data acquisition (SCADA) systems that control the spinning centrifuges Iran uses to enrich uranium.
It is this sort of inside knowledge that provides a hint on the type of programmers involved, the experts argued.
Schouwenberg of Kaspersky Lab said there was evidence to suggest the code was commissioned by the same nation or nations that were behind Stuxnet and Duqu, which were built on a common platform.
Both Flame and Stuxnet appear to infect machines by exploiting the same flaw in the Windows operating system and employ a similar way of spreading.
That means the teams that built Stuxnet and Duqu might have had access to the same technology as the team that built Flame, he said.
Schouwenberg said he believed the attack was highly targeted, aimed mainly at businesses and academic institutions.
He estimated that no more than 5,000 PCs around the world have been infected, including a handful in North America.
The discovery by one of the world’s largest makers of antivirus software will likely fuel speculation that nations have already secretly deployed other cyber weapons.
“If Flame went on undiscovered for five years, the only logical conclusion is that there are other ongoing operations that we don’t know about,” Schouwenberg said in an interview.
The Moscow-based company behind Monday’s announcement is controlled by Russian malware researcher Eugene Kaspersky, and gained notoriety in cyber weapons research after solving several mysteries surrounding Stuxnet and Duqu.
Researchers at Kaspersky said they were only starting to understand how Flame works because it is so complex. Its full significance will not be known until other cyber security firms obtain samples of Flame.