The Iranian technicians went into panic mode late last month as a
virus surged through computers at the Ministry of Oil, wiping out hard
drives and crashing several websites. One by one, oil terminals in the
Persian Gulf were disconnected from the Internet to prevent further
damage and a crisis committee was formed to deal with the fallout. By
the time the virus had been contained some 24 hours later, computers and
websites from the National Iranian Oil Company, the National Gas
Company, the Ministry of Oil and several subsidiary companies had taken a
hit, according to reports in the Iranian media.
That cyber-attack was downplayed in reports from hardline,
government-linked news organizations. But it now appears that the damage
could have been done by Flame, a new type of virus that appears even
more sophisticated than the Stuxnet worm that wreaked havoc on Iran's
nuclear program. In fact, the coding for the Flame virus is roughly 20
times the size of Stuxnet, astonishing many cyber-experts. It has
infected more computers in Iran than anywhere else in the world. "This
malware can do nearly anything," says Boldizsar Bencsath, a senior
analyst at the Laboratory of Cryptography and Systems Security in
Budapest, which was one of the first institutions to dissect the virus.
"It could be linked to these attacks."
For the Iranian regime, constantly paranoid about external enemies, it's
clear that this is another attack in a cyber war that is escalating
month by month. Many officials blamed the United States and Israel for
the Stuxnet virus and the initial reaction from Tehran appears to point
the finger at the same culprits. "It's in the nature of some countries
or illegitimate regimes to produce viruses and hurt other countries. We
hope that these viruses are knocked out and no one gets hurt," Ramin
Mehmanparast, the foreign ministry's spokesman, said at a press
conference in Tehran on Tuesday. Israeli officials, for their part, did
little to dispel suspicion of their involvement. "For anyone who sees
the Iranian threat as significant, it is reasonable that he would take
different steps, including these, in order to hobble it," vice prime
minister Moshe Yaalon said cryptically on Tuesday.
The Iranian government has long anticipated this digital conflict and
has tried to assess both external and internal threats. As part of its
readiness for this kind of conflict, Tehran has reportedly spent $1
billion to boost its cyber-defense and offense capabilities in recent
months. That has included the purchase of sophisticated monitoring
software from ZTE, a Chinese telecom company, as well as filling the
ranks of the Iranian Cyber Army with tens of thousands of recruits,
according to some officials. The Cyber Army is believed to be linked to
the Revolutionary Guard.
The Cyber Army first gained notoriety — and some street cred from
hackers — when they took down Twitter in 2009. They have also hacked
many Iranian opposition websites and played a lead role in tracking down
activists. Last year, the Iranian government also announced the
creation of a cyber-police division to help track political dissent
online and fight what the regime sees as a "soft war" being waged by
anti-regime elements through social media and immoral websites. Just how
seriously the government takes the issue was apparent in March when
Supreme Leader Ayatollah Ali Khamenei ordered the creation of a Supreme
Council of Cyberspace, a governmental body that will include the
president, the head of the Revolutionary Guard, the head of the
judiciary and the speaker of parliament among other top officials.
Still, it's clear that the Iranian government was unprepared for an
attack as sophisticated as the Flame virus. In fact, few other
governments could have been. The virus had burrowed into Iranian
computer systems at least since 2010 and possibly earlier, sending out
data from infected computers. The virus enabled infected computers to
take screen shots, turn on attached microphones and record audio, change
computer settings, log instant messages and even scan for Bluetooth
enabled devices. Among the cyber-experts who have analyzed the virus,
there is little doubt that the only group that would have the resources
and know-how to deploy such a sophisticated cyber-weapon would be a
governmental body. "This was made by some government agency," says
Bencsath in Budapest. "The evidence is that it's used for spying on a
specific area."
If the Flame virus was created by a governmental agency, it's a risky
gambit. The flip side of a cyber-attack is that the virus could be
analyzed and repurposed for future attacks. "Unlike a traditional weapon
like a bomb, which explodes and disappears, cyber-weapons stay in the
system," says Vitaly Kamluk, the chief malware expert for Kaspersky Lab,
a Russian IT security company that has done extensive work on the Flame
virus. "If someone has the resources to reverse engineer, it can be
reprogrammed and used against the enemy. That's a risk."
In a Congressional hearing in late April, a handful of experts testified
that Iran is beefing up its cyber-offense capabilities and could be
preparing for an attack. The U.S. power grid, in particular, could be a
relatively easy target. "What the Iranians lack in capability they make
up in intent. Cyber levels the playing field," says Frank Cilluffo,
director of the Homeland Security Policy Institute at George Washington
University, who testified before Congress during the hearing. "If you
look at our own infrastructure, we are quite vulnerable and
susceptible."
The Iranian government has been a top suspect in some relatively
sophisticated cyber attacks. Last August, a Dutch company called
DigiNotar was hacked and a number of SSL certificates, which are used
for the encryption of information on the Internet, were stolen. A large
number of fraudulent certificates soon appeared on Iranian Internet
service providers and were used to track individuals' activities on
sites linked to Google and Yahoo among others. This wasn't a cyber
smoking gun but it was close: opposition activists suspect that the
Iranian government had taken the digital certificates in order to
monitor dissident activity in the country. "You can't be 100 percent
sure but there's enough circumstantial evidence that it was the Iranian
government," says Mehdi Yahyanejad, one of the founders of Balatarin, a
community website in Farsi that has become a favorite of the Iranian
opposition and has been hacked several times.
Is the Iranian government planning any revenge attacks against the U.S.
or Israel for the damage done by Stuxnet or the Flame virus? An
editorial that ran last year in the conservative daily
Kayhan,
whose editor is close to Supreme Leader Khamenei, struck an ominous
tone. "Skilled players have appeared who can, in a short period of time,
do astonishing and unbelievable damage to American infrastructure," the
editorial read. "All they need is a connected computer and knowledge
that is no longer under the exclusive control of Western countries." It
looks like the cyber-war may be just beginning.
