
The spies who hacked him

The Flame computer virus that hit Iran shows that cyberwarfare is being taken to new and ferocious levels

Three years ago I was sitting in an air-conditioned trailer just outside Las Vegas watching the awesome and terrifying future of war. In the trailer, British RAF pilots were peering at computer monitors that showed images from Reaper drones they were controlling which were flying thousands of miles away above the battlefields of Afghanistan.

Drones have completely transformed the nature of modern warfare and allowed America and its allies to decimate the leadership of Al-Qaeda. The greatest danger to those drone pilots comes from driving to work each day on Nevada’s freeways.

The drone pilots now have their counterparts in cyberwarfare. Somewhere — almost certainly in America or Israel — technicians controlling a powerful and extraordinarily sophisticated computer virus called Flame are also staring at monitors that show real-time images from thousands of miles away.

Rather than seeing the villages and mountains of Afghanistan, those technicians are peering into the virtual worlds of their enemies and those they wish to spy on, watching everything on their computers and stealing whatever they choose.

Viruses such as Flame and Stuxnet “pretty much redefine the notion of cyberwar and cyber-espionage”, says Alexander Gostev, an analyst with Kaspersky, the Russian security laboratory that released the first information about Flame last Monday.

The virus’s “complexity and functionality exceed those of all other cyber menaces known to date”, says Kaspersky.

On Friday, in the first open acknowledgment of Stuxnet’s origins, The New York Times revealed that the virus was part of a joint US-Israeli operation, codenamed Olympic Games, aimed at sabotaging Iran’s nuclear weapons programme. Begun under President George W Bush, it was closely directed by Barack Obama when he arrived in the White House.

Before it was discovered, Stuxnet is believed to have disabled a fifth of Iran’s centrifuges, which enrich the uranium needed for nuclear weapons, setting back Iran’s nuclear programme for months.

While Stuxnet was developed to sabotage industrial systems, Flame appears to be a fantastically sophisticated spying tool. According to the Laboratory of Cryptography and System Security in Budapest, “it uses five different encryption methods, three different compression techniques and at least five different file formats”. At 20 megabytes its code is some 20 times bigger than Stuxnet.

Once Flame has infected a computer it can siphon back almost any information it wants to its controllers, logging keystrokes, reading files, taking screen shots of instant messages, tapping into wi-fi, even turning on cameras and audio. Another novelty is that it can use Bluetooth to collect information about devices close by, such as mobile phones. Iran has the largest number of infections, followed by the Palestinian West Bank, Sudan, Syria and Egypt.

“It’s like an industrial-strength vacuum cleaner, sucking information at a power previously unknown,” Yossi Melman, an espionage expert, said last week.

“It’s a live programme that communicates back to its master,” says Udi Mokady, an Israeli computer security expert. “It asks, where should I go? What should I do now? It’s like a science-fiction movie.”

All the data Flame scoops up is encrypted and fed back to about 80 command and control servers that have been secretly set up in countries including Vietnam, Turkey and Germany. These hand off the data to technicians controlling Flame in the main command and control centre, wherever that may be. If necessary, Flame can erase any trace of itself on the infected computers.

“It seems to have been hiding in plain sight and may have evaded detection for up to five years,” says Professor Alan Woodward, a computer expert at Surrey University.

“Virus checkers didn’t pick it up because it didn’t look like anything we had seen before.”

Woodward is most impressed by what he calls the modular nature of Flame. “Once you’ve got the basic bit of malware onto the computer, it’s really like installing apps on a mobile phone,” he says.

“Whoever is controlling it can download specific modules, different apps onto the infected computer depending on what they have found there.

“So if the computer has a microphone, they can switch it on and listen to whatever is being said in the room or listen to Skype conversations. And the sophistication is such that when they learn to do something new they can just download a new module.

“It allows them to target specific systems very accurately. Whereas in the past malware has infected tens of thousands of machines, this seems to have infected only a few hundred.”

Although Flame appears to be mainly an espionage tool, it seems its controllers can transform it into a cyberweapon at will. It is believed to have attacked computers in the Iranian oil and gas industries, wiping them clean of data, shutting down key energy infrastructure for significant periods of time.

The presumption is that because of the resources needed, Flame must have been created by a nation state rather than cyber criminals or hackers. The only countries believed to have such a capability are America, Israel, Russia and China. US officials have said Flame is not part of the Olympic Games operation but won’t say whether America is behind it. Because of the specific geographical spread of Flame, particularly in Iran, most fingers are pointing at Israel.

The Iranians certainly think Israel is responsible. “It is in the nature of some countries and illegitimate regimes to spread viruses and harm other countries,” says Ramin Mehmanparast, Iran’s foreign ministry spokesman.

The Israelis have been happy to hint they may be behind Flame. “Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it,” Moshe Ya’alon, the Israeli vice prime minister, told Army Radio.

Last week western intelligence sources said the main targets of the virus had been Iran’s president, its supreme leader and the head of its military nuclear programme. They are the only people fully informed about the state of the programme.

“All the rest of the hundreds of computers infected in Iran were either a bonus or a red herring,” says one of the sources, who adds that the virus was inserted by a spy onto a computer he or she had purchased.

The ability to do this was demonstrated when the case of Ali Ashtari came to light. The computer buyer for Iran’s defence industry and nuclear programme, Ashtari was hanged in 2008 after admitting to spying for the Israelis. Under torture he said Mossad, Israel’s overseas espionage agency, had asked him to install bugging devices into the equipment he provided for his clients in Iran.

The creators and controllers of Flame have gone to great lengths to hide its origins. But some researchers believe it may have been developed by the same team of programmers responsible for Duqu, another powerful espionage malware exposed last year. Much as bomb makers leave distinctive “fingerprints” on their devices, so do the creators of computer viruses on their work.

When researchers at Kaspersky examined the working hours of whoever was operating Duqu, they discovered he or she did not work between sunset on Friday and sunset on Saturday, the Jewish Sabbath. Israeli sources suggest Flame may be the work of Unit 8200 of the Israel Defence Forces, its specialised cyberwarfare unit.

Woodward and others believe that whoever is responsible for Flame has not just transformed the nature of cyberwarfare but also ramped up its danger to the rest of us.

When I ask Woodward if terrorists or criminals might be able to re-engineer Flame for their own evil intent, he says: “I guarantee they will. Once the code is in the wild it can easily be modified and reused. You can go on YouTube right now and see how to use Stuxnet.”

There is something that worries him even more: “If you can engineer something like Flame and it went undetected for so long, what else is out there that we don’t know about?”

Additional reporting: Uzi Mahnaimi in Tel Aviv