10 Nov 2024
Tuesday 18 September 2012 - 13:49
Story Code : 5859

Secret Flame: new evidence of mammoth cyberspying program against Iran

Secret Flame: new evidence of mammoth cyberspying program against Iran
By The Christian Science Monitor

When digital sleuths found Flame a massive cyberespionage campaign targeting Iran they were astounded. Now, it seems, Flame was just the tip of the iceberg.

Not unlike the fictional Mr. Phelps of "Mission Impossible," real-life spies today direct their computer cyberespionage programs to self destruct delete themselves after use. Bare scraps of digital code can be pretty thin evidence for investigators.

Even so, digital forensic sleuths at two antivirus companies Kaspersky LabsandSymantec on Monday announced new discoveries from piecing together the cyber shards of a program called Flame, which further reveal an extensive cyberespionage operation apparently directed atIran.

Already, media reports have claimed that theUSandIsraellaunchedStuxnet the world's first cyberweapon to slow Iran's nuclear program, and that three other cyberespionage programs, including Flame, were part of the same effort. Now, the new analysis reveals traces of at least three more malicious programs targeting Iran, suggesting there are still a significant number of programs yet to be discovered spying on Iranian computers.

There are fresh signs, too, that the harvest has been vast.

Flame's creators are good at covering their tracks," Alexander Gostev, chief security expert at Kaspersky Lab said in a statement. "But one mistake of the attackers helped us to discover more data...."

The evidence was found on two European servers made to evade detection from hosting providers through their benign name, "Newsforyou." A programming mistake left behind one encrypted file and a data log. An analysis of the data showed that the servers were able to receive data from infected machines using four different protocols; Flame was only one of them.

The existence of three additional protocols not used by Flame "provides proof that at least three other Flame-related malicious programs were created," Kaspersky said.

The discovery hints at a cyberespionage operation vast in scope, with more than five gigabytes of data uploaded from more than 5,000 infected machines to just one of the two command and control servers inEuropeeach week. Most of the infected computers were in Iran, some inSudan, and a handful in other countries.

"This is certainly an example of cyber espionage conducted on a massive scale, Mr. Gostev said.

The onion-like layers of this operation have been peeled back since the discovery of Stuxnet, which was discovered to be targeted at Iran's nuclear fuel-refining system in June 2010. After that, a cyberespionage program dubbed Duqu was unearthed in September 2011, followed by Flame in May, and then Gauss in July.

Sifting their program code, investigators found critical links among them enough to call Stuxnet at least a first-cousin to Duqu, Flame, and Gauss. Though built by different teams, the programs had key software that showed the authors were linked in an overarching effort.

In June, theNew York Timesreported that Stuxnet was part of Operation Olympic Games, a joint project of the US and Israel. By their link to Stuxnet, the other three programs appear to be part of a larger program, too.

"The complexity of the code and confirmed links to developers of Stuxnet all point to the fact that Flame is yet another example of a sophisticated nation-state sponsored cyber operation," the Kaspersky report said.

It added that the development of Flames command and control platform started as early as December 2006 much earlier that previously thought.

"What these cyberoperations do is allow America to put digital boots on the ground in a foreign country, sparing American lives in the short term," says John Bumgarner, research director for theUS Cyber Consequences Unit, a nonprofit security think tank that advises government and industry. "TheCIAdoesn't need to embed a spy inside Iran, and theUS militarydoesn't need to send a stealth fighter to bomb something."

In the long term, it is not clear whether cyberspying and digital missiles like Stuxnet will be enough to prevent a military conflict, he notes. And the bits and bytes are starting to pile up.

"Despite all these discoveries, there is still a lot of plausible deniability afforded by these digital weapons and espionage tools," he says. "Most of bread crumbs haven't been traced directly back toNSAor CIA. But the traces do, at the very least, suggest such agencies ran these operations."

 

The Iran Project is not responsible for the content of quoted articles.
https://theiranproject.com/vdca.mnmk49naogt14.html
Your Name
Your Email Address