Showing posts with label hackers. Show all posts

Thursday, July 12, 2012

AMTV News: State Sponsored Terror, New NSA Bogeymen & Disappearing Cities

Topher Morrison
This is AMTV News, I’m your host Topher Morrison.  Today is Thursday July 12th 2012. Our final production video can be found at the bottom of the page. The links to the various articles can be found immediately below.

If it bleeds it leads…
Washington Unleashes MEK on Iran

Mujahedin-e Khalq, State Department terrorist group #27, is the beneficiary of millions of dollars’ worth of lobbyists, public relations agents, ex-office holders and training in the deserts of Nevada. Forget their atrocities against the Iranian people, soldiers, politicians and scientists – the real enemy is Ahmadinejad and those crazy mullahs. After all, one man’s terrorist is another’s freedom fighter – right?

Next…
NSA Counterpunch

According to NSA Geek-in-Chief Gen. Keith Alexander, you can blame hackers for “the greatest transfer of wealth in history.” He’s not joking and has obviously not been reading FOMC minutes, the history of dollar devaluation or the headlines. The NSA would like nothing more than to have invasive legislation like CISPA pass; until then, meet your new bogeyman – hackers.

Shh, Don’t tell Chicken Little…
Tree Rings Prove Global Cooling

Looks like no oceanfront property in Arizona, and you can blame it all on that pesky light bulb in the sky. According to scientists, rings in fossilized pine trees show we’ve been cooling for 2000 years due to increased distances between Earth and Sun and solar phases. Looks like the IPCC underestimated things. Yes, CO2 warms our planet, but there are evidently other – larger – factors to consider in climate change.

Sit down for this one…
Meet a New Reporter: Al Gorithm

Two parts engineering, one part journalism and voilà – a robo-journalist coming to a daily near you! No coffee breaks, no compensation and no fuss. Algorithms will crunch all that raw data and spit out your story. The company responsible – Narrative Science – sound a bit Orwellian? Don’t worry, it looks like they only cover sports and financials – for now.

Next…
No More Pat Downs?

They won’t have to. The gentle souls over at the Department of Homeland Security want to frisk and irradiate you with yet another device and log every chemical in your body. The “Picosecond Programmable Laser” will read people at the molecular level, everything from Semtex to THC. That’s right, it can penetrate everything and everyone from 50 meters. God Bless America.

Next…
CA Cities Dropping Like Flies

San Bernardino’s bankruptcy follows on the heels of Stockton and Mammoth Lakes. First it was your homes and now your cities; some California cities may “cease to exist.” The city is facing an immediate cash flow issue, one it apparently didn’t care to face after spending millions of tax dollars on transit projects and other nonessential services.

Drum roll please…
Depopulation Nation

Bill and Melinda Gates are purveying their latest agenda in the name of women’s rights.  They argue it’s more cost effective and easier to reduce the birthing poor – just take this pill – than it is elevating people from poverty through increasing education, reducing corruption and freeing man and market.  It’s fundamentally a clash of philosophies – of prosperity versus central planning.

Catch my latest choice headlines on AMTV News Monday – Friday at AMTV Media and catch our in-depth commentary and analysis of stories like these at GreeneWave.com, part of the AMTV network.

Sunday, June 3, 2012

Flame Virus and Blowback on the Digital Battlefield

Topher Morrison


The “Flame” virus is the atom bomb of 21st century espionage, to date the largest and most elaborate computer bug ever discovered.  It has lived in the deep recesses of Iranian government computers for years, spying on everyone and everything it comes into contact with.

It is more than a mere surveillance virus; it’s an “entire” self-contained “cyber espionage operation” according to Roel Schouwenberg, a senior security researcher with Russian-based Kaspersky Lab, one of the first security networks to analyze the malware. While mostly infecting Iranian computer systems, the virus has also been detected throughout the Middle East in Saudi Arabia, United Arab Emirates, Egypt, Sudan and even as far as Europe under the name sKyWIper or “Wiper,” this according to Hungarian-based CrySyS Lab. By their estimates Flame may have been active “for as long as five to eight years.”

Iran’s National Computer Emergency Response Team (CERT) or MAHER Center, which initially discovered the worm working its way through their systems, reported it was undetectable by 43 known antivirus protocols and only discovered after several investigations. The intruder has thus far been successful at not only remaining undetected until recently, but has also been responsible for “mass data loss” according to MAHER officials. Iranian agencies have since developed a removal tool to eliminate the threat.

At a whopping 20 megabytes, Flame is 20 to 30 times larger than the infamous Stuxnet and Duqu viruses discovered in 2009 and 2010. Stuxnet was used to attack Iran’s nuclear program; the ravenous bug caused centrifuges in a targeted facility to spin out of control, ultimately destroying it and setting back potential nuclear capability by years if new estimates by Israeli intelligence are correct.

Flame exceeds previous generations of malware.  It has the capability to collect lists of “vulnerable passwords”, “create series of user’s screen captures,” covertly send intelligence back to remote servers, link to discoverable Bluetooth devices and even act as a beacon for a Bluetooth device to link back.  It is quite versatile, capable of infecting Windows XP, Vista and 7 other common operating systems.

While Flame was created on a different platform than Duqu or Stuxnet, in fact utilizing the well-known, easier-to-use “Lua” programming language responsible for popular games like Angry Birds, evidence seems to suggest that Flame is similar enough in that the previously “unassailable” Linux OS is also thought to be vulnerable. The fact that Flame uses this unorthodox, albeit simpler, code has been credited with its ability to outwit standard countermeasures even given its relatively colossal size.

One of the most interesting parts of Flame is its various permutations. It has an ability to carry out very specific tasks each time it is recreated. Besides the aforementioned, it can also turn on microphones, potentially cameras, and send back all relevant information through multiple domains to its command and control (C&C) servers located all over the world. Moreover, as a veritable binary spy it has an exit strategy. The controller can use the “browse32” function to create a digital LZ and pluck the virus out from behind enemy lines, leaving not a trace.

The State-Sponsored Cyber War

There is little doubt in the cyber security realm that Flame is a state-sponsored operation. The two other possible culprits – hacktivists and cybercriminals – don’t match Flame’s modus operandi. Flame isn’t after bank accounts and it doesn’t resemble the rather simple tools known to be used by Anonymous, LulzSec and others. Rather than targeting multinational corporations or political institutions, the high concentration of attacks within Iran and throughout the Middle East suggests geopolitical objectives generally pursued by nation states.

Israel and the United States top the short list of likely culprits, and for simplicity’s sake Israel has been more than happy to tacitly admit complicity – again. According to Vice PM Moshe Yaalon, Israel is “blessed as being a country rich with high-tech” and takes pride in the “opportunities” this has given them. More specifically, the likely source is Israel’s Unit 8200, equivalent to the United States’ National Security Agency (NSA) and in fact founded in 1952 off surplus American military equipment. The unit has allegedly been responsible for using a secret “kill switch” to deactivate Syrian air defenses during Operation Orchard. Moreover, alumni of the military intelligence branch have gone on to found leading Israeli IT companies. Unit 8200 is shrouded in mystery, including its commander, a Brigadier-General whose identity remains classified.

Considering Israel and the U.S. have acknowledged conducting clandestine operations in Iran, this is merely the next logical chapter after years of ongoing low intensity warfare. No conventional troops, no sorties, just faux color revolutions, Nevada-trained proxy insurgencies à la Mujahedin-e-Khalq (MEK), multilateral sanctions and a cornucopia of sabotage or, given recent events, the newest tactic – cybertage. The perfect strategy for the 21st century; after all, it’s discreet and politically correct.

The responsibility for conducting these offensive cyber operations in the new digital battlefield is likely the newest player on the military industrial complex’s bench, the Pentagon’s Cyber Command (USCYBERCOM), which virtually ties together the strategic mosaic of American global hegemony.

According to U.S. officials, USCYBERCOM is responsible for merely “defense” of military telecommunications infrastructure (.mil etc.), but recent reinterpretations of what the best defense actually is and broad mission statements make vividly clear its hegemonic intent:

“USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”

Domestic considerations are left to the Department of Homeland Security (DHS) and its brand new baby, the National Cybersecurity Center, a mini Pentagon, recently completed and based in Salt Lake City, Utah. Ringleading the cyber security circus is undoubtedly the now nearly century old, ultra secretive NSA, no stranger to flouting international or U.S. law, a fact well documented by James Bamford in his works Puzzle Palace and Body of Secrets.

Digital attacks are nothing new to the U.S. strategy. Preceding even Hollywood movies like War Games and Hackers, the CIA was purportedly behind “the mother of all SCADA attacks” 30 years ago when it used a “logic bomb” to blow up a Siberian gas pipeline. The KGB was trying to steal pipeline control software and the CIA rigged the software to over-pressurize the Soviet pipelines. In a similar vein, Flame has been found infecting the Iranian oil industry, responsible for 80% of the country’s revenue.

Digital Blowback

Over and over again we hear from not only Iran’s leadership, but through our own intelligence services that Iran is demonstrably no closer to a nuclear weapon than they were almost 10 years ago. That is precisely the need for an all-encompassing super virus like Flame, a virus capable of telling us about literally every keystroke Iranian officials make. Western nations have no evidence thus far of Iran’s nefarious intent, merely hearsay, the opinion of “intelligence experts”, former “security chiefs” and crazy theocrats bent on Islamic empire. Western and Israeli intelligence agencies are looking for a “smoking calutron”; thus far they have failed.

Nevertheless, it is political gold to be tough on Persia with persistently little regard for how we arrived at this point of mistrust – meet our lingering Iranian war psychosis. Probably the most disturbing part of it all is the obvious self-fulfilling prophecy and the clear opportunity for digital blowback and ultimately the validation of everything the government wishes to convince us is a real threat.

In March on “60 Minutes” retired U.S. Air Force General Michael Hayden, former director of the CIA and NSA, commented on the downside of the Stuxnet virus. “There are those out there who can take a look at this… and maybe even attempt to turn it to their own purposes,” Hayden said. His opinion was backed up by Sean McGurk, a former cybersecurity official at DHS who noted the Stuxnet source code could be copied and used against new targets, possibly aimed back at the United States. Whoever created Stuxnet or Duqu, “They opened the box. They demonstrated the capability… It’s not something that can be put back,” according to McGurk.

Flame opens the same Pandora’s Box. As Thomas Friedman was famous for noting, the World is Flat – so is the digital battlefield. “In warfare, when a bomb goes off it detonates; in cyberwarfare, malware keeps going and gets proliferated,” said Roger Cressey, senior vice president at security consultancy Booz Allen Hamilton, at a Bloomberg cybersecurity conference held in New York last month. The idea that our own espionage malware will proliferate in our fruitless attempt to prevent the proliferation of other weapons of mass destruction (albeit physical in nature) will surely use up a lifetime supply of irony.

Alas, this is the sign of our times. We end one war only to receive another in its stead. The code wars of the future may be entirely of our own design and will make the asymmetrical warfare of the War on Terror seem like a brief and ill-equipping prologue, as citizens and/or terrorists with sophisticated knowledge of software coding could wreak crippling global havoc. Perhaps if our own government’s malware doesn’t pervade every system on Earth, an idealistic Luddite might send us all back to the Stone Age so that we might live history all over again.

Reset.

Friday, July 15, 2011

War #5? Pentagon Ramps up for Cyber Warfare

Topher Morrison
PurpleSerf.com



Yesterday Reuters ran the headline "Pentagon to treat cyberspace as 'operational domain'". You have to love GovSpeak! What "operational domain" really means is that the Pentagon has authorized itself to do what it essentially does now in the physical world: attack whenever and, most importantly, wherever.


For the last decade the US intelligence community and defense chiefs have suspected traditional state actors, most notably China and Russia, of conducting digital espionage; however, since the rise of transnational organizations like Anonymous and the now defunct LulzSec, the game has changed significantly according to Deputy Secretary of Defense William Lynn:


"They have few or no assets to hold at risk and a greater willingness to provoke.  They are thus harder to deter.  If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation."


It is with this simple weak analogy and obvious red herring that the Pentagon can now justify an offensive cyberspace posture. By conflating a decentralized internet meme bent on transparency and free flow of information with legitimate state-sponsored hackers, which have together circumvented the security systems of not only the Pentagon, CIA, and FBI, but also defense-related contractors like HB Gary Federal, Lockheed Martin, and EMC, the US government has created another bogeyman, a perfect pretext to take back by force what it created, the internet. To the untrained mind the Pentagon has created a convincing argument.


To be fair, the threat of cyber warfare is quantifiable, as over the last decade it has been estimated, albeit according to the Pentagon, to cost the United States untold terabytes of sensitive information and trillions of dollars' worth of system damage, loss of intellectual property, and diminished competitiveness.


The ol' phrase "the best offense is a good defense" is evidently not something the Pentagon wishes to hear any longer. "We've got to change the calculus," says General Cartwright, vice chairman of the Joint Chiefs of Staff, from 90 percent focus on better firewalls and 10 percent on preventing hackers from attacking, or as Deputy Secretary of Defense William Lynn refers to it, "denying them the benefit of attack." This can really only mean one thing, preemptive attack, informed by what Reuters reports as plans for "...sensors, software and signatures to detect malicious code before it affects US operations." The only way for the Pentagon to accomplish this is through monitoring all telecommunications. When it comes to intelligence agencies like the National Security Agency (NSA), our government has shown no problem circumventing established law in order to accomplish this task.


Mr. Lynn claims he "wanted to avoid militarizing cyberspace." With coffee running down my nose, his statement seems somewhat dubious considering that in January the US government broke ground on a $1.5 billion cyber-security center under the unsurprisingly innocuous title "Utah Data Center." Senator Orrin Hatch (R) of Utah admitted it is "the largest military construction project in recent memory" and there is little doubt its construction has been planned for years. Moreover, with the tacit admission by the US government of their involvement in the Stuxnet virus, which successfully postponed the nuclear ambitions of Iran, Mr. Lynn's "reluctance" carries little weight.