Sophisticated Virus Hits Iranian Computers
By FARNAZ FASSIHI And PAUL SONNE
Thousands of computers in Iran belonging to government agencies and private companies have been infected with a highly sophisticated virus, dubbed Flame, in the latest cyberstrike against the Islamic Republic, said cybersecurity experts and Iran’s telecommunications ministry.
The malware was widely detected across the Middle East in Syria, Israel and the Palestinian Authority, as well as in other parts of the world, but Iran has the largest number of infected computers, experts said.
At least three times since 2010, Iran has been targeted with sophisticated computer viruses such as Stuxnet, Duqu and Wiper. These viruses have disabled centrifuges for enriching uranium, stolen data from nuclear facilities and erased computers at the oil ministry.
The aim of Flame, said experts at Kaspersky Lab, a Russian information-technology security firm that reported the virus on Monday, was espionage, not physical damage or system interruption.
Flame, which Kaspersky said has been in operation since March 2010, was still active as of Monday morning, Alexander Gostev of Kaspersky Lab said. But after Kaspersky reported the existence of the virus publicly, Flame’s operators immediately set about shutting down their servers, an effort to protect the stolen data and hide the source of the virus. By Tuesday, Flame had become inactive, he said. “They are trying to hide.”
The creation and operation of the Flame virus must have required a large staff, Mr. Gostev said. He estimated that at least 20 specialists would have been required to create and maintain the cyberweapon, similar to estimates of how many people invented and worked on Stuxnet.
Independent security experts said the scope of its complexity and method of operation suggests Flame was sponsored by a nation-state. It wouldn’t be economically feasible, they argued, for a private corporation to run such a large-scale international cyber attack. Another reason a state is suspected is that the virus is designed to gather information but has no clear monetizing function.
Iran on Tuesday said it was a victim of cyberwarfare by Israel and the U.S., the semiofficial Fars news agency reported.
“It’s in the nature of some countries and illegitimate regimes to spread viruses and harm other countries. We hope these viruses dry out,” Ramin Mehmanparast, Iran’s Foreign Ministry spokesman, said on Tuesday.
Iran’s computer emergency response team, known as Maher, a branch of the telecommunications ministry, said on Tuesday that it was sharing research information on the virus for the first time ever on its website. Maher posted a link to antivirus software developed by its researchers to remove Flame and offered assistance to any infected organization.
Maher also said Flame was linked to an earlier cyber attack that erased data. In March, Wiper disrupted internal Internet communications at Iran’s oil ministry and stole massive amounts of data.
Flame is the biggest and most high-functioning cyber weapon ever discovered, various cybersecurity experts said. It is composed of multiple files that are 20 times larger than Stuxnet and carry about 100 times more code than a basic virus, experts said.
The most alarming feature, experts said, is that Flame can be highly versatile, depending on instructions from its controller. The malware can steal data and social-network conversations, take snapshots of computer screens, penetrate across networks, turn on a computer’s microphone to record audio and scan for Bluetooth-active devices.
The cyber espionage activities described by the researchers are the kind of cyberspying techniques employed by the U.S., Israel and a number of other countries, cybersecurity specialists said. Cybersecurity researchers said the complexity of Flame’s coding and the comprehensiveness of its spy capabilities could suggest it was the work of a government.
Experts said they believe Flame reports back the information to a central command-and-control network that has constantly changed location. Analysts found servers in Germany, Vietnam, Turkey, Italy and elsewhere, but haven’t located the main server.
White House National Security Council spokeswoman Caitlin Hayden declined to comment on Iranian accusations of U.S. involvement.
Analysts suspected Israel and the U.S. to be behind Stuxnet, but the link hasn’t been confirmed. U.S. officials have declined to comment on Stuxnet’s origins, but former U.S. officials said they regard it as a joint effort between the U.S. and Israel. That virus infected computers in several countries but was written to only sabotage specific systems in Iran, they said.
Stuxnet’s purpose differed considerably from the apparent aim of Flame. Stuxnet was designed to damage computerized control systems running nuclear centrifuges, while Flame appears to have been designed for high-end targeted espionage. Researchers haven’t found evidence of any damage to systems caused by Flame.
Israel has neither confirmed nor denied being involved with Stuxnet.
On Tuesday, Deputy Prime Minister Moshe Ya’Alon hinted that the country may be involved in Flame, saying in an interview with Army Radio, “Anyone who sees the Iranian threat as a significant threat—it’s reasonable [to assume] that he will take various steps, including these, to harm it.”
U.S. officials draw a distinction between cyber espionage and cyberattacks, which have a destructive or manipulative purpose and could be considered an act of war.
“We have strong beliefs that there are nations behind this malware. We assume it’s related to the regimes and political situation in the Middle East,” said Vitaly Kamluk, the chief malware expert for Kaspersky Lab.
Independent experts have been on the virus’s trail for about a month. The International Telecommunications Union, the special agency at the United Nations that coordinates cybersecurity efforts, approached Kaspersky Lab in late April to investigate a series of incidents tied to a malware program known as Wiper. In the process of that investigation, the experts discovered Flame.
Iran’s Supreme Leader Ayatollah Ali Khamenei has called the Internet a threat to national security and a dangerous double-edged knife that has benefits as well as risks.
Since 2009, Mr. Khamenei has instructed security forces to train and form units to battle cyberattacks to curb the influence of social-media websites.
In March, Mr. Khamenei issued a decree ordering the creation of the Supreme Council of Cyberspace, a committee consisting of high-level military and intelligence officials tasked with supervising cyber activity and warfare.