Secret Flame: new evidence of mammoth cyberspying program against Iran

When digital sleuths found Flame – a massive cyberespionage campaign targeting Iran – they were astounded. Now, it seems, Flame was just the tip of the iceberg.

Not unlike the fictional Mr. Phelps of "Mission Impossible," real-life spies today direct their cyberespionage programs to self-destruct – delete themselves – after use. Bare scraps of digital code can be pretty thin evidence for investigators.

Even so, digital forensic sleuths at two antivirus companies – Kaspersky Labs and Symantec – on Monday announced new discoveries from piecing together the cyber shards of a program called Flame, which further reveal an extensive cyberespionage operation apparently directed at Iran.

Already, media reports have claimed that the US and Israel launched Stuxnet – the world's first cyberweapon – to slow Iran's nuclear program, and that three other cyberespionage programs, including Flame, were part of the same effort. Now, the new analysis reveals traces of at least three more malicious programs targeting Iran, suggesting there are still a significant number of programs yet to be discovered spying on Iranian computers.

There are fresh signs, too, that the harvest has been vast.

"Flame's creators are good at covering their tracks," Alexander Gostev, chief security expert at Kaspersky Lab, said in a statement. "But one mistake of the attackers helped us to discover more data...."

The evidence was found on two European servers that escaped the notice of their hosting providers by operating under a benign-sounding name, "Newsforyou." A programming mistake left behind one encrypted file and a data log. Analysis of the log showed that the servers could receive data from infected machines using four different protocols; Flame used only one of them.

The existence of three additional protocols not used by Flame "provides proof that at least three other Flame-related malicious programs were created," Kaspersky said.

The discovery hints at a cyberespionage operation vast in scope, with more than five gigabytes of data uploaded from more than 5,000 infected machines to just one of the two command and control servers in Europe each week. Most of the infected computers were in Iran, some in Sudan, and a handful in other countries.

"This is certainly an example of cyber espionage conducted on a massive scale," Mr. Gostev said.

The onion-like layers of this operation have been peeled back since Stuxnet was discovered in June 2010 and found to target Iran's nuclear fuel-refining system. After that, a cyberespionage program dubbed Duqu was unearthed in September 2011, followed by Flame in May and Gauss in July.

Sifting their program code, investigators found critical links among them – enough to call Stuxnet at least a first-cousin to Duqu, Flame, and Gauss. Though built by different teams, the programs had key software that showed the authors were linked in an overarching effort.

In June, the New York Times reported that Stuxnet was part of Operation Olympic Games, a joint project of the US and Israel. By their link to Stuxnet, the other three programs appear to be part of a larger program, too.

"The complexity of the code and confirmed links to developers of Stuxnet all point to the fact that Flame is yet another example of a sophisticated nation-state sponsored cyber operation," the Kaspersky report said.

It added that development of Flame's command and control platform started as early as December 2006 – much earlier than previously thought.

"What these cyberoperations do is allow America to put digital boots on the ground in a foreign country, sparing American lives in the short term," says John Bumgarner, research director for the US Cyber Consequences Unit, a nonprofit security think tank that advises government and industry. "The CIA doesn't need to embed a spy inside Iran, and the US military doesn't need to send a stealth fighter to bomb something."

In the long term, it is not clear whether cyberspying and digital missiles like Stuxnet will be enough to prevent a military conflict, he notes. And the bits and bytes are starting to pile up.

"Despite all these discoveries, there is still a lot of plausible deniability afforded by these digital weapons and espionage tools," he says. "Most of the bread crumbs haven't been traced directly back to NSA or CIA. But the traces do, at the very least, suggest such agencies ran these operations."
