Russia's Kaspersky Lab, the same group that analyzed the Stuxnet, Duqu and Flame worms, has uncovered evidence of what might be the first return fire from Iran in the Middle East's cyberwar.
Kaspersky Lab researchers have today announced the results of a joint investigation with Seculert, an Advanced Threat Detection company, regarding “Madi,” an active cyber-espionage campaign targeting victims in the Middle East. Originally discovered by Seculert, Madi is a computer network infiltration campaign that involves a malicious Trojan which is delivered via social engineering schemes to carefully selected targets.
Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.
In addition, examination of the malware identified an unusual amount of religious and political ‘distraction’ documents and images that were dropped when the initial infection occurred.
“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicolas Brulez, Senior Malware Researcher, Kaspersky Lab. “Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”
“Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language,” said Aviv Raff, Chief Technology Officer, Seculert.
Next thing you know they'll discover that it washes dishes too....
A Symantec expert says that the allegedly US-Israeli developed Flame computer virus doesn't just collect data. It also destroys files.
Iran had previously blamed Flame for causing data loss on computers in the country's main oil export terminal and Oil Ministry. But prior to Symantec's discovery, cyber experts had only unearthed evidence that proved Flame could spy on conversations on the computers it infects and steal data.
Symantec researcher Vikram Thakur said on Thursday that the company has now identified a component of Flame that allows operators to delete files from computers, which means it can cause critical programs to fail or completely disable operating systems.
"These guys have the capability to delete everything on the computer," Thakur said. "This is not something that is theoretical. It is absolutely there."
...
If Symantec's conclusions are validated, that means Flame could be used as a weapon to attack computers that run critical infrastructure systems, including dams, chemical plants and manufacturing facilities, security specialists said.
Boldizsár Bencsath, an expert on cyber warfare with Hungary's Laboratory of Cryptography and System Security, said there was at least a 70 percent chance that Flame was used to attack Iran in April.
"Of course it can be used for sabotage," said Bencsath, who began investigating Flame several weeks before it was first reported to the public. "It may have been used to attack critical infrastructure and it may be used in the future."
Sean McGurk, a former Department of Homeland Security official who helped direct the US effort to protect critical infrastructure from cyber attacks, said that Flame was not the first piece of malicious software designed to sabotage systems by deleting data.
What makes it unique, he said, is that the data-wiping module works alongside a suite of other programs including the espionage tools that have previously been identified.
"It could render computing devices useless," said McGurk, who is now chief executive of a consulting firm known as NExt Generation Micro LLC.
That presents a threat, he said, because computers are used in all sorts of industrial control systems, affecting everything from critical processes at manufacturing plants to the pressure inside water networks. "Cyber elements can have catastrophic impacts," he said.
This is really cool so long as it's only used to attack bad guys like Iran. And definitely not my computers.
Obama administration leaks more information on cyber war, blames Israel
Desperate for votes, the Obama administration has once again leaked information about the American-Israeli cyber war against Iran, this time to the Washington Post. And they're trying to pin the blame for the program's exposure on Israel (Hat Tip: Memeorandum).
The United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected critical intelligence in preparation for cyber-sabotage attacks aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.
The massive piece of malware was designed to secretly map Iran’s computer networks and monitor the computers of Iranian officials, sending back a steady stream of intelligence used to enable an ongoing cyberwarfare campaign, according to the officials.
The effort, involving the National Security Agency, the CIA and Israel’s military, has included the use of destructive software such as the so-called Stuxnet virus to cause malfunctions in Iran’s nuclear enrichment equipment.
The emerging details about Flame provide new clues about what is believed to be the first sustained campaign of cyber-sabotage against an adversary of the United States.
“This is about preparing the battlefield for another type of covert action,” said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber collection against the Iranian program is way further down the road than this.”
Flame came to light last month after Iran detected a series of cyberattacks on its oil industry. The disruption was directed by Israel in a unilateral operation that apparently caught its U.S. partners off guard, according to several U.S. and Western officials, speaking on the condition of anonymity.
...
Despite their collaboration on developing the malicious code, the United States and Israel have not always coordinated attacks. Israel’s April assaults on Iran’s Oil Ministry and oil export facilities caused only minor disruptions. The episode led Iran to investigate and ultimately discover Flame.
“The virus penetrated some fields — one of them was the oil sector,” Gholam Reza Jalali, an Iranian military cyber official, told Iranian state radio in May. “Fortunately, we detected and controlled this single incident.”
Some U.S. intelligence officials were dismayed that Israel’s unilateral incursion led to the discovery of the virus, prompting countermeasures.
The disruptions led Iran to ask a Russian security firm and a Hungarian cyber lab for help, according to U.S. and international officials familiar with the incident.
Last week, researchers with the Kaspersky Labs, the Russian security firm, reported their conclusion that Flame — a name they came up with — was created by the same group or groups that built Stuxnet. Kaspersky declined to comment on whether it was approached by Iran.
Isn't it convenient for Obama that Israel has a policy of not commenting on these kinds of reports?
'Stuxnet is so deeply embedded in Iran, their counterstrike plans are already known'
Here's a blog that the 'anti-virus experts' at Symantec and Kaspersky (and others) ought to be reading. They claim - and back it up - to have known about Stuxnet and Flame (which they call Stuxnet 3.0) since 2009 (Hat Tip: Jawa Report).
If they are correct, Flame is not automatically uninstalling on every computer in Iran, but only on computers where the Iranians start to look for it. And just because it disappears doesn't mean it can't come back. Here's the key part:
Stuxnet/Flame puts the USA in the same position as when the US was the only one with the atom bomb, MAD NOT APPLICABLE, first strike can take out everything, leaving the enemy nothing to retaliate WITH.
Stuxnet is so deeply embedded in Iran their counterstrike plans are already known.
This powerful weapon is so comprehensive it is a deterrent in and of itself. You don't slap someone who has you by the balls like Stuxnet has Iran.
The flip side of the suicide function, as the press calls it, isn't suicide at all. It's artificial intelligence: if you start looking for Flame it knows and disappears. The flip side is it's so easy to penetrate PCs that dumping all traces of itself isn't a problem; it will revisit later.
Confirmed: Flame and Stuxnet developed by related groups
Based on similarities in their code, the Russian Kaspersky Labs, which discovered Flame, confirms that Flame and Stuxnet were developed by groups that worked together. Flame was actually developed first. Flame has been used to gather intelligence from computer systems, particularly in Iran, while Stuxnet was used to force Iranian nuclear centrifuges to destroy themselves. As noted on this blog on Sunday, while the Obama administration has attempted to take credit for developing Stuxnet to enhance the President's reelection bid, Stuxnet was likely developed by the Mossad, possibly in coordination with the IDF's unit 8200. It would therefore follow that Flame was a Mossad and/or IDF project.
There were two independent developer teams, with Flame development preceding Stuxnet and each team developing its own code platform since 2007-2008 at the latest, the researchers said. Both projects were state-sponsored, and Stuxnet was specifically designed to sabotage Iran's nuclear program, experts believe.
In addition, a previously undiscovered elevation-of-privilege Windows exploit is in Stuxnet.A, an early variant of the malware, Roel Schouwenberg, senior researcher at Kaspersky Lab, said in a Web conference with reporters.
"We have a new old Zero-Day," he said, referring to an attack that exploits a previously unknown and unpatched vulnerability. "It was a Zero-Day at the time of creation and most likely at the time of deployment." That brings to five the number of Zero-Day exploits Stuxnet used. The exploit, created in February 2009, is "strikingly similar" to one that was patched by Microsoft in June 2009, researchers said.
Stuxnet.A, which dates to about June 2009, contains a module known as "Resource 207," which is an encrypted dynamic-link library file that has an executable file that Kaspersky researchers say shares code with Flame. Resource 207 was not in Stuxnet.B, which came out in 2010. The primary functionality of the code in Stuxnet is to distribute the infection from one machine to another via removable USB drives and exploit the vulnerability in the Windows kernel to obtain escalation of privileges within the system, according to a Kaspersky news release. The code responsible for distributing malware via USB drives is completely identical to the one used in Flame, the researchers said. They both use the Autorun function in Windows.
Initially, Kaspersky researchers speculated that the projects were parallel but were hesitant to say they were developed or commissioned by the same party. Now a more definite link has been established and a timeline is more clear.
"We firmly believe the Flame platform predates the Stuxnet platform. It looks like the Flame platform was a kick-starter of sorts to get the Stuxnet project going," Schouwenberg said. "The operations went separate ways, maybe because Stuxnet code was mature enough to be deployed in the wild. Now we are 100 percent sure that the Stuxnet and Flame groups worked together."
Despite the fact that Stuxnet has been the subject of in-depth analysis by numerous companies and experts and lots has been written about its structure, for some reason, the mysterious “resource 207” from 2009 has gone largely unnoticed. But it turns out that this is the missing link between Flame and Stuxnet, two seemingly completely unrelated projects.
...
In October 2010, our automatic system received a sample from the wild. It analyzed the file thoroughly and classified it as a new Stuxnet variant, Worm.Win32.Stuxnet.s.
With Stuxnet being such a big thing, we looked at the sample to see what it was! Sadly, it didn’t look like Stuxnet at all, it was quite different. So we decided to rename it to Tocy.a and thought “silly automatic systems!”.
When Flame was discovered in 2012, we started looking for older samples that we might have received. Between samples that looked almost identical to Flame, we found Tocy.a.
Going through the sample processing system logs, we noticed it was originally classified as Stuxnet. We thought, how was it possible? Why did the system think that this Flame sample was related to Stuxnet? Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to “resource 207” from Stuxnet. It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection.
Going back to the story, this is how we discovered the incredible link between Flame and Stuxnet.
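The kind of signal that made Kaspersky's automatic system file Tocy.a next to Stuxnet's resource 207 is shared code. Here is an added example, not Kaspersky's pipeline and not code from any of the quoted articles, that triages an unknown sample by the known family it shares the most byte 4-grams with; the family names are labels only, and every byte blob below is constructed, not real malware.

```python
# Added example: code-overlap triage by shared byte n-grams (Jaccard similarity).
# A new file is scored against each known family and labelled by the nearest
# one, so a sample that reuses one routine from another family stands out.
from typing import Dict, Optional, Set, Tuple

def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """All distinct overlapping n-byte windows of a blob."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Overlap ratio of two n-gram sets (0.0 = nothing shared, 1.0 = identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def score_against(sample: bytes, reference: Dict[str, bytes]) -> Dict[str, float]:
    """Similarity of one sample to every reference family."""
    grams = byte_ngrams(sample)
    return {name: jaccard(grams, byte_ngrams(blob)) for name, blob in reference.items()}

def classify(sample: bytes, reference: Dict[str, bytes],
             threshold: float = 0.25) -> Tuple[Optional[str], float]:
    """Nearest family and its score; label is None when nothing clears the threshold."""
    scores = score_against(sample, reference)
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores[best]

# Constructed stand-in blobs (hypothetical bytes, not real malware): each family
# has private code, and the reference "resource 207" blob and the unknown sample
# share one routine, standing in for the common USB-spreading code.
SHARED_USB_ROUTINE = bytes(range(0x40, 0x80)) * 4
STUXNET_PRIVATE = bytes(range(0x00, 0x40))
FLAME_PRIVATE = bytes(range(0x80, 0xC0))
DUQU_PRIVATE = bytes(range(0xC0, 0x100)) * 3

REFERENCE = {
    "Stuxnet resource 207": STUXNET_PRIVATE + SHARED_USB_ROUTINE,
    "Duqu": DUQU_PRIVATE,
}
TOCY_SAMPLE = FLAME_PRIVATE + SHARED_USB_ROUTINE   # the unknown file to triage

if __name__ == "__main__":
    for name, s in score_against(TOCY_SAMPLE, REFERENCE).items():
        print(f"{name:22s} {s:.3f}")
    print("classified as:", classify(TOCY_SAMPLE, REFERENCE))
```

With these blobs the sample scores 1/3 against the resource 207 blob and 0.0 against Duqu, so it is filed with Stuxnet alone, mirroring what the logs showed for Tocy.a.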
After Stuxnet's discovery, a Congressional report in December 2010 put the U.S. and Israel on a short list of countries believed to be capable of carrying out that attack -- a list that also included Russia, China, the U.K. and France. A month later, The New York Times reported Stuxnet may have been the result of a joint U.S., Israeli project to undermine Iran's nuclear program.
Five different U.S. government agencies declined to comment to ABC News about allegations they were involved in Flame and the Israeli government has reportedly denied any link to the virus.
News of the new connection between the two programs came just days after a U.S.-based cyber security firm, Symantec, reported Flame appears to have been given a "suicide" command that would wipe any trace of it from an infected computer.
I don't believe that Israeli denial for a minute. Our government just doesn't like to look guilty so it wouldn't say 'no comment' like the Americans. For example, to this day, Israel has never officially admitted that it destroyed the Syrian nuclear plant in 2007. And we've never told anyone whether we have nuclear weapons, even though I'm sure you all think that we do.
But don't tell Forbes that. They think the CIA did it. Heh.
Krauthammer: Outrageous Obama leaking cyberwar details to boost reelection bid
Charles Krauthammer thinks the same I said last week: That the Obama administration is purposely leaking details of the United States' cyber war in order to boost the President's chances for reelection in November.
We need to get into the mood for this, so let's go to the videotape.
YNet comments on the use of the Lua programming language for the computer virus Flame. Lua is a language that is a favorite of game programmers, including those who programmed Angry Birds.
The "Flame" computer virus, which wreaked havoc on several major Iranian computer systems, is related to none other than the "Angry Birds" game, Fox News reported Thursday.
According to the report, "Flame" – dubbed "the most sophisticated cyber-weapon ever" – was written in LUA computer language, which the incredibly popular game was written in.
Fox quoted cyber experts as saying Flame's complexity indicates that it contains some 250,000 lines of code or more, yet it was constructed using LUA, which is favored by game programmers due to its ease of use.
"The people who developed the malware found an ingenious way to use a code not part and parcel of a hacker's normal arsenal, and that made it harder to detect," Cedric Leighton, a former Air Force Intelligence officer told the American news network.
I am an Orthodox Jew - some would even call me 'ultra-Orthodox.' Born in Boston, I was a corporate and securities attorney in New York City for seven years before making aliya to Israel in 1991 (I don't look it but I really am that old :-). I have been happily married to the same woman for thirty-five years, and we have eight children (bli ayin hara) ranging in age from 13 to 33 years and nine grandchildren. Four of our children are married! Before I started blogging I was a heavy contributor on a number of email lists and ran an email list called the Matzav from 2000-2004. You can contact me at: IsraelMatzav at gmail dot com