Flame: Opening a New Weapons Cache
By: Yazan al-Saadi
Published Wednesday, June 6, 2012
A dark truth behind humanity’s technological progress is the ability to conduct war in terrifyingly fresh ways, going far beyond sticks and stones to express power.
Today, war is conducted by unmanned robotic planes in the skies, their operators sitting thousands of miles away. Missiles, bullets, and bombs have become more ingenious in their ability to vaporize bodies and buildings. Nuclear bombs, horrifying specters which could abruptly end humanity entirely, lie waiting in hidden silos and undetectable submarines peppered around the world.
During the last few years, cyber-warfare has become the newest weapon in an arsenal of ways for nation-states to overpower each other. This latest instrument has mainly been focused on the west Asian region, the epicenter being Iran.
In the past four years alone, Iran has been directly attacked by three cyber-weapons, each designed to cause havoc and siphon off data in their own unique ways. Stuxnet, Duqu, and Flame, the latest of the three, have astonished the cyber-security industry. For experts, the coding and function of these viruses have signified the beginnings of an “early age of cyber-warfare”, one that could become “a common trend in everyday life” in the near future.
According to a dossier published by Symantec Corporation, the largest maker of security software for computers in the world, Stuxnet was primarily written to target industrial control systems (ICS) or similar systems with the ultimate goal of reprogramming programmable logic controllers (PLCs) in whatever way the attacker desires. Specifically, Stuxnet targeted Siemens S5/S7 PLCs that are commonly used in gas pipelines and power plants throughout the world.
Analysts and researchers studying the malware widely believe that the intended target was the Iranian uranium centrifuges in the Natanz facility and the Bushehr Nuclear Power Plant in an attempt to sabotage or at least delay the enrichment process.
Duqu, built from the same source code as Stuxnet, has a different function. While not as destructive as Stuxnet, Duqu searches for future targets and captures information such as keystrokes and system information. Like Stuxnet, Duqu’s main target is believed to be the Iranian nuclear program.
Flame: Elevating Cyber-warfare
Flame, discovered this May, is a much more spectacular weapon.
“Flame is a sophisticated attack toolkit, which is a lot more complex than previously encountered malware such as Duqu…[and is] about 20 times larger than Stuxnet,” explained Vitaly Kamluk, Chief Malware Expert at Kaspersky Lab, the computer security company that identified the malware.
“[It] has very advanced espionage functionality, including intercepting network traffic, taking screenshots, and recording audio conversations, and this functionality can be extended with the help of additional modules, which can be created by the perpetrators any time. All the gathered data are sent to the authors of Flame via the Internet. Based on the way it works and how it is being deployed, Flame can be classified as a cyber-weapon,” he wrote to Al-Akhbar.
Furthermore, Kamluk noted that Flame can manipulate Bluetooth in order to collect information from nearby devices and even turn the infected device into a beacon.
The malware was first discovered by Kaspersky Lab in the beginning of May after it was contacted by the United Nations’ International Telecommunication Union (ITU) to investigate reports that a virus was deleting and stealing large amounts of information from computers in the Iranian Oil Ministry and the Iranian National Oil Company.
Further investigations have found that although fewer than a thousand computers were infected, most were concentrated in the west Asian region. According to Kamluk, the top seven countries and areas listed are Iran, the West Bank, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
Despite limited infections so far, Kamluk acknowledged that the general public should be concerned.
“Anyone can fall victim to a cyber-attack, and even if you are not the prime target of a cyber-attack, then perhaps some of your friends or relatives are. Infecting you might be a slightly easier way for attackers to hit a more important target that you might know,” he wrote. “Flame is the next stage in the uncovering of cyber-weapons developed with the support of [a] nation-state.”
“We believe that [we] are in the early age of cyber-warfare. We have just started discovering a cyber-weapon that was created several years ago. It may take some more years for it to become a common trend in everyday life.”
According to the chief malware expert, Kaspersky researchers speculate that the project that produced Flame ran in parallel with Stuxnet and Duqu, since its makers used similar exploitation methods. But no links beyond that have been found. Like Stuxnet and Duqu, Flame does not contain any information within its code that points to its country of origin.
Kaspersky has claimed that attacks by Flame may have existed as early as 2010, yet analysts at the Budapest University Laboratory of Cryptography and System Security have postulated that the evidence suggests Flame may have been around for even longer.
Operation: Olympic Games
Various security researchers and an investigation conducted by Iran have pointed directly at the United States and Israel as culprits behind these extraordinary computer viruses.
Adding to the mounting claims, David E. Sanger, the chief Washington correspondent for The New York Times, has released a new book early this month titled Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.
In an abridged version published in The New York Times a day before the book’s release, Sanger claimed that President Obama, during his first months in office, accelerated cyber-attack operations against the Islamic Republic, codenamed Olympic Games, which had begun under the Bush administration.
Sanger’s account was derived from “interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts.” He noted that all those interviewed insisted on anonymity because “the effort remains highly classified, and parts of it continue to this day.”
Sanger claimed that the cyber-attack on Iran was first tested on aging centrifuges handed over in 2003 by Libyan dictator Col. Muammar Gaddafi that were kept in Texas. A replica of the Iranian nuclear enrichment facilities was constructed and the virus was unleashed in order to assess its efficiency. The Israeli Unit 8200 was called in during the development process and provided intelligence about the various nuclear facilities in Iran.
The virus was then allegedly sneaked into the computer systems of these facilities through a flash drive, either by operatives or an unsuspecting victim. As the centrifuges began to spin out of control in 2008, the Iranians “were mystified about the cause” and initially blamed their own technicians.
It was vital for President Obama and his administration that the virus remain hidden in order to sow paranoia within Iranian ranks and to ensure that the US did not face repercussions. However, an “error” within the code caused Stuxnet to go public in the summer of 2010, which allowed it to be discovered and dismantled. Sanger’s sources alleged that the American administration blamed the Israelis for this error. Despite concerns about the virus’s existence after the news broke, Obama ordered the cyber-attacks to continue.
Regarding Flame, Sanger noted that American officials denied that this new cyber-weapon was part of Operation: Olympic Games, but they declined to say whether the United States was responsible.
Israel has been coy about its involvement. When Flame’s discovery was spotlighted by the press, Israel’s Vice Prime Minister and Strategic Affairs Minister, Moshe Yaalon, told the country’s Army Radio, “Anyone who sees the Iranian threat as a significant threat – it’s reasonable that he will take various steps, including these, to harm it.”
“Israel is blessed as being a country rich with high-tech, these tools that we take pride in open up all kinds of opportunities for us,” he added.
Crossing the Rubicon, Controlling the Information Space
Security experts have persistently warned against the use of cyber-warfare by nation-states, fearing that its common application may open a Pandora’s Box for the world. The danger grows over time as reliance on the Internet and computer technology within key infrastructure becomes commonplace.
This fear has prompted a number of states to act. On 12 September 2011, United Nations representatives from China, Russia, Tajikistan and Uzbekistan addressed a letter to the UN Secretary-General outlining an “International Code of Conduct for Information Security”.
The letter urged the voluntary adoption of a code, drafted by these countries, that identifies the rights and responsibilities of states in the information space and aims to ensure that the Internet is not used maliciously.
This proposal was considered problematic by the Civil Society Internet Governance Caucus, a group of NGOs and civil society organizations concerned with maintaining Internet freedom. For the group, vague terminology within the letter, its emphasis on national sovereignty, and its lack of any reference to the role of non-state actors were seen as potential loopholes for abuse. The Caucus was nevertheless warm to the idea and called for more discussion, as long as the rights of all citizens are upheld.
Western states completely ignored the proposed international Internet code. Moreover, the US Congress approved a bill that bluntly rejects any attempt at international regulation. At the same time, the US and EU have been gradually introducing treaties and laws governing the Internet under the justification of intellectual property rights. Laws like ACTA, which were negotiated in secret, have been dubbed a “global threat to freedoms” by a number of civil society groups and NGOs.
The US came up with its own International Strategy for Cyberspace months prior to the drafting of the International Code of Conduct. The American strategy pledged a vision of openness, security, and prosperity. Setting aside the flowery rhetoric, the strategy is mainly concerned with protecting intellectual property rights, projecting American political and economic power, and protecting the development of the US’s own cyber-industries.
Ironically, the strategy noted the administration’s right to “use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law” if cyber-attacks were used against it.
One wonders, is this right to “use all necessary means” granted for Iran?