Cyberwarfare: US, Israel’s electronic attacks on Iran and Palestinians

Malware found in the West Bank and Iran has strong links to a cyberweapon that sabotaged an Iranian nuclear power facility.

Photo: Payam Borazjani / MaanImages

The latest news in the escalating cyberwar raging through the Middle East came out at the end of May. A piece of malware dubbed “Flame” was discovered to be infecting thousands of computers across the region. By general consensus, Flame bears the hallmarks of creation by a state apparatus.

The greatest number of Flame infections was found in the occupied West Bank and Iran. This new worm has strong links to Stuxnet, the cyberweapon which physically sabotaged an Iranian nuclear power facility in 2008 and 2009. It is now known that Flame’s origins date back to at least 2008, possibly earlier.

Stuxnet caused physical harm to Iran’s Natanz nuclear facility, by instructing its centrifuges to spin too fast, causing them to shake themselves apart. Flame, on the other hand, is a multi-purpose toolkit for spying on Windows computer users, stealing data and sending it back to its controllers via encrypted Internet connections.

“Opening up opportunities” for Israel

The day after Russian Internet security firm Kaspersky revealed Flame to the world, a high-level Israeli minister hinted Israel may be behind it.

Vice Prime Minister Moshe Yaalon told Israeli Army Radio that “[a]nyone who sees the Iranian threat as a significant threat — it’s reasonable [to assume] that he will take various steps, including these, to harm it.”

Yaalon, a former military chief of staff, boasted that “Israel was blessed as being a country rich with high-tech. These tools that we take pride in open up all kinds of opportunities for us” (“Israel hints it may be behind ‘Flame’ super-virus targeting Iran,” The Independent, 30 May 2012).

Typically, Yaalon stopped short of claiming direct responsibility. But a “senior Israeli source” also seems to be leaking just such a confirmation to Richard Silverstein, the US-based blogger an Israeli TV channel once dubbed “The Wikileaks of Israel.” His source said Flame “is a product of Israeli cyberwarfare experts,” Silverstein wrote on his blog the same day Flame was unmasked (“Flame: Israel’s new contribution to Middle East cyberwar,” 28 May 2012).

But could such indirect claims be more about psychological warfare than fact? Who is really behind this escalation in the regional cyberwar? The answers to these questions may lie in a closer look at Flame and Stuxnet. Crucial too are recent revelations in The New York Times about US cyberwar programs.

What is Flame?

World-renowned security and cryptography expert Bruce Schneier told The Electronic Intifada that Flame was “much more sophisticated than the typical worm.” Over email, he commented that while it “seems definitely the work of a large, well-funded, well-coordinated team” there was also “some hype” about it on the technical level.

Flame was first revealed on 28 May when Kaspersky lab expert Alexander Gostev posted a detailed analysis on the company’s blog (“The Flame: Questions and Answers”).

Soon after, Symantec, another anti-virus vendor, posted its own analysis, and CrySyS, a security lab at the Budapest University of Technology and Economics, did the same (see “sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks”).

The Hungarian researchers appear to have independently discovered Flame and approached Symantec soon after. Iran’s national computer emergency response team also published an analysis.

“Based on the number of compromised computers, the primary targets of this threat are located in the Palestinian West Bank, Hungary, Iran and Lebanon,” Symantec wrote in its analysis (“Flamer: Highly sophisticated and discreet threat targets the Middle East,” 29 May 2012).

“Probably thousands” have been infected

Flame can infect a target computer via USB memory stick, or, if instructed, by traveling over networks. Once installed, it can steal a wide variety of information.

Flame is able to take screenshots, switch on the microphone and record audio conversations, snooping on Skype calls, for example. Screenshots are triggered when sensitive information is likely to be revealed: such as when instant messaging software is running. It can intercept keystrokes, search for passwords and steal files.

Flame zeroes in on certain files: images, photos with geographic data, presentations, project files and PDFs. Later, more detailed analysis by Kaspersky revealed that Flame’s controllers seem especially interested in stealing digital blueprints: “the attackers seem to have a high interest in AutoCAD drawings,” the report said (“The Roof Is on Fire: Tackling Flame’s C&C Servers,” 4 June 2012).

According to experts, most of this has been seen before in other malware. But a feature seemingly novel to Flame is the ability to interact with nearby Bluetooth devices. In this way, Flame was also capable of stealing information from mobile phones, such as phone numbers and text messages.

All this data was sent back to command and control servers as directed by Flame’s operators. The data was transmitted with SSL, a cryptographic protocol widely used on the web, especially for banks and online shops to protect credit card details. It is thought this technique was part of the reason Flame remained undetected for so long.

Unlike the worms and viruses created by cyber criminals or hacker pranksters, which sometimes infect millions, Flame is highly targeted. Kaspersky estimates that “probably thousands” have been infected.

Some of the command and control servers that controlled Flame went dark almost immediately after its existence was first made public. But somehow, its controllers were still able to send out a new module that caused the worm to go into “urgent suicide” mode, Symantec revealed on 6 June.

But the worm had been operating secretly since at least 2008, according to the latest Kaspersky analysis. The security lab CrySyS even says it “may have been active for as long as five to eight years, or even more.” We can’t really know how many computers have been infected, since Flame contained a routine allowing it to remove itself, covering up all traces of its presence.

Stuxnet and “Olympic Games”

At the start of June, as part of the publicity for his new book Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, the chief Washington correspondent for The New York Times made some important revelations.

In an adapted book extract based on anonymous sources, David Sanger wrote that the US was responsible for the wave of cyber attacks on Iran in the last few years, and that Israel was a partner in the program (“Obama Order Sped Up Wave of Cyberattacks Against Iran,” 1 June 2012).

While the nature of Stuxnet had previously led experts to point to a nation state, with many naming Israel, the article marks the most direct claim of responsibility for the worm.

Sanger wrote that his account was “based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program … None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.”

The Obama administration no doubt has its own interests in leaking such information, so the article must be treated with skepticism.

Sanger says Stuxnet was only one part of a wider cyberwar programme, dubbed “Olympic Games.” The campaign began during the George W. Bush administration, but Obama continued and expanded it after he came to office.

Sanger’s account portrays Stuxnet as an attempt to rein in the Israelis, buying the US time to act: “If Olympic Games failed, [Obama] told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.”

Sanger claims that US officials included an Israeli team in the creation of Stuxnet in order to “dissuade the Israelis from carrying out their own pre-emptive strike … The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.”

Wanted: software engineers for “offensive” and “attack” operations

Much of the speculation and media reportage surrounding Stuxnet over the last few years has focused on how it was supposedly a revolution in cyber warfare, and how sophisticated the code was. In light of such gushing praise, it is perhaps unsurprising that Israeli officials might want to drop ominous hints in order to intimidate Israel’s Arab and Iranian enemies.

In 2000 and again in 2006, Israel was defeated in south Lebanon by a small group of volunteer militias, and since then the Israeli military has lost an element of the psychological intimidation it once had in the Arab world. Mishaps and bungles by its international intelligence agency Mossad have also contributed to this, with large Israeli spy rings being captured in Lebanon, for example. Is it any wonder that Israel might try to recapture its mobster reputation in other ways?

Sanger’s account does claim that Israel’s cyberwar gang (dubbed Unit 8200) “had technical expertise that rivaled” the US’s National Security Agency. But it does not seem very credible that the US government really needed the Israelis when it was capable of authoring Stuxnet alone. It is possible that Israel’s role was merely as a junior partner.

The US certainly seems to be escalating the cyber arms race in its own right. A recent Forbes article examined how Pentagon contractors are more and more openly recruiting software engineers for “offensive” and “attack” operations (“New grad looking for a job? Pentagon contractors post openings for black hat hackers,” 15 June 2012).

Flame’s connection to Stuxnet: the smoking gun

Recent analysis reveals stronger ties between Flame and Stuxnet than initially thought. Although the two codebases are generally very different, Kaspersky found a smoking gun: identical code in key sections. “In 2009, part of the code from the Flame platform was used in Stuxnet,” wrote Gostev (“Back to Stuxnet: the missing link,” 11 June 2012).

This indicates Flame was probably another aspect of the Olympic Games offensive authorised by Bush and Obama, even predating Stuxnet. Not to be outdone by The New York Times, The Washington Post on 19 June drew on its own high-level government contacts to confirm that the US and Israel were behind Flame, citing anonymous “Western officials with knowledge of the effort” (“US, Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say”). Sanger’s sources had denied Flame was part of Olympic Games, but declined to comment on whether or not the US was behind the worm.

Security and cryptology expert Bruce Schneier told The Electronic Intifada that “[i]t seems reasonable to assume that probably the US was behind that portion of the code in both Stuxnet and Flame,” but cautioned there was no absolute proof.

The Obama administration’s leaks to Sanger seem to lay the blame on Israel for how they lost control of Stuxnet, which was never meant to escape from Natanz.

This apparently happened when an Iranian engineer took a laptop home and connected it to the Internet. The worm then began to propagate across the world, copying itself over and over again. Sanger’s account blames Israel for this exposure: “[Vice President Joe] Biden fumed. ‘It’s got to be the Israelis,’ he said. ‘They went too far.’”

Psychological operations and the war of reputations

Despite the wink-and-a-nod intimations from Israeli officials, could Flame too be primarily an American rather than Israeli initiative? Richard Silverstein doesn’t think so: “My Israeli source is sure that Israel is behind the creation of Flame,” he told The Electronic Intifada via email.

Yet highly placed Israeli sources seem unlikely to leak such information unless there were a benefit to them. In this case the gain would be regaining Israel’s lost “deterrence” capability. The war of reputations still seems very much in the air. Many tech news sites covering Flame over the last few weeks have been practically swooning.

Flame is an “engineering marvel to behold” wrote Dan Goodin, IT Security Editor at Ars Technica. It is “probably orders of magnitude more sophisticated” than Stuxnet, he declaimed.

Others are more skeptical, including the world’s foremost expert on Stuxnet.

“Flame is nothing really new. It doesn’t bring any new qualities,” Ralph Langner told Ars Technica. Langner recently spoke at CyCon, an annual conference organized by NATO’s cyberwar institute based in Estonia. Langner seems to be something of a hawk who considers the US “the good guys” in the cyberwar.

A detailed analysis by UK tech news site The Register mocked Flame as “boring bloatware” on account of its huge size. Unusually for malware, the worm is 20 megabytes when fully installed. Authors of malware (a term encompassing viruses, worms and trojans) usually pride themselves on lean, pithy code. Smaller footprints usually mean the malware stays undetected for longer periods — clearly a key consideration with spy software like Flame. Nonetheless, Flame’s encrypted communication with its controllers seems to have protected it for a long time.

Several known modules of the code are yet to be understood by researchers, so Flame may well yet contain more secrets. The process of reverse-engineering and fully analyzing such a large body of code could take many years.

In its analysis, the anti-virus vendor Symantec wrote that “[t]he modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware.”

This points to the possibility that, like Stuxnet, Flame was created by the US government (possibly via a military contractor) with the intention of letting the Israelis operate it. The list of targets certainly suggests the Israelis have at least been operating it.

Thin line between cyberwar and real-world war

The seriousness of cyberwar should not be underestimated. In a new policy document released last month, the US reserved to itself the right to respond to “hostile acts in cyberspace” with “all necessary means — diplomatic, informational, military and economic.” By the same standards, Iran would surely now have the right to “all necessary means” to “respond” to the US’s cyber attacks (“International strategy for cyberspace” [PDF]).

Reconstructed parts of the Stuxnet source code are now available online and could be modified and used by others. Iran is unlikely to take such attacks lying down. The country’s experts already demonstrated the ability to strike back in December last year when they hacked an American drone, tricking it into landing in Iran, fully intact.

In August 2010, the Lebanese resistance party Hizballah appeared to have been able to intercept footage from Israeli spy drones, using the footage as part of its case that Israel had been behind the car bomb assassination of Lebanese Prime Minister Rafiq Hariri.

The activists and regimes battling it out during the course of the Arab uprisings have also traded blows over cyberspace. Since the start of 2012, the Electronic Frontier Foundation has discovered trojans which, posing as PDF files purporting to be plans for coordinating protests, or as privacy software, install spy software in the background (“Trojan hidden in fake revolutionary documents targets Syrian activists,” 31 May 2012).

All of this lends weight to security and cryptology expert Schneier’s call for states to agree to new international treaties that would protect against the threat of cyberwar, and agree to limits on such capabilities. He told The Electronic Intifada that in the Middle East context, such treaties “are no less important than other war treaties.”

Writing on his blog earlier this month, Schneier cautioned against a virtual arms race: “We’re in the early years of a cyberwar arms race. It’s expensive, it’s destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat … The danger is that military problems beg for military solutions” (“Cyberwar Treaties,” 14 June 2012).

Asa Winstanley is an investigative journalist from London who has lived and reported from occupied Palestine. His website is www.winstanleys.org.
