are coming out, but the Islamic Republic seems less concerned with the details than with its desire to claim to have discovered the worm before the Russian lab that first announced its existence.
The worm, known as Flame, is thought to be the most sophisticated one yet to attack Iran’s sensitive computer systems. A leading Internet security company, the Russian-based Kaspersky Lab, was the first to reveal the worm, which it said infected computers mostly in Iran but also in Syria, Lebanon, Sudan, Egypt, Saudi Arabia, Israel and the Palestinian territories.
But Gholam-Reza Jalali, head of the Pasdaran’s unit in charge of fighting sabotage, claimed Iranian experts detected and neutralized Flame first. He also said the Oil Ministry was the only government body seriously affected by the virus, but that all files that had been lost have since been recovered.
“This virus penetrated some fields. One of them was the oil sector. Fortunately, we detected and controlled this single incident,” Jalali said. “We could also retrieve information that was lost.”
Iran’s Deputy Minister of Communications and Information Technology Ali-Hakim Javadi said the country’s IT experts have produced an anti-virus that could locate and remove Flame.
The Computer Center “has produced an anti-virus capable of detecting and removing Flame for the first time in the world,” Javadi said. “The anti-virus software was delivered to selected organizations in early May,” a few weeks before the Kaspersky Lab spoke out.
Officials said Iran was ready to assist other countries in combating the virus. “After Iran announced readiness to help countries targeted by the Flame virus, requests from 40 countries – including Australia, the Netherlands, Malaysia and even countries that do not have relations with Iran – have been forwarded to the Computer Center, to help with cleaning out the virus from their systems,” said a report on state television.
Iranian officials also said the virus had been in their systems since about 2010, but Kaspersky Lab, which detected the virus in late May, said it had been around for about five years.
“It was designed in such a way that it was nearly impossible to track down,” said Roel Schouwenberg, a security researcher at Kaspersky.
Flame was also different from other computer malware because it tried to determine which anti-virus was installed on a host computer and then disguise itself as a harmless computer file in order to escape detection.
On three computers in Iran, Lebanon and Iraq, Flame was seen to have even upgraded itself to a newer version, according to Kaspersky researchers. Perhaps owing to its sophistication, Flame is an unusually large piece of malware, measuring 20 megabytes; most viruses are a couple hundred kilobytes. Experts say that it is all the more remarkable that Flame was able to operate undetected for five years given its size.
During its active years, Flame targeted PDF documents and design files in the AutoCAD format, indicating the worm developers were interested in stealing infrastructure designs.
Flame “goes through PDF and text files and other documents and makes short summaries,” said Alexander Gostev, Kaspersky’s chief security expert.
“It also hunts for e-mails and many different kinds of other ‘interesting’ files that are specified in the malware configuration,” he added. In addition, Flame monitors keystrokes, records instant messaging chats, turns on microphones remotely and captures screenshots of the infected computer. Flame may also be capable of wiping out data from its host machines, although this capability has not been confirmed. Flame spread through Bluetooth-enabled computers and hopped from one computer to the next on the same network.
Kaspersky said that Flame was commissioned by a “large entity,” alluding to the possible involvement of states, but not naming any countries.
However, Iranian officials say they traced the virus to the United States through two Internet Service Provider (ISP) addresses used to launch the Flame attacks.
“The nature of the attack and the identity of the attackers have been discovered, but we cannot publicize it since we are still working on the case,” Deputy Oil Minister Hamdollah Mohammad-nejad told Fars.
But computer experts said anyone trying to direct Flame into Iran would likely push the worm through intermediary ISPs in order to hide its origins. “If Iran traced it to US ISPs, that would suggest Flame didn’t come from the United States,” said one. “On the other hand, Iran may well have just made up that story about tracing it to American ISPs.”
Flame is the latest computer worm to have attacked Iranian computers. Two previous worms – Stuxnet and Duqu – hit critical Iranian infrastructure, including its nuclear enrichment plant at Natanz. Kaspersky said the two worms were likely developed by the same group of programmers.
During its analysis, Kaspersky also discovered that certain sections of the code had been written during normal working hours in Israel, and that the programmers took days off that coincided with the Jewish Sabbath and high holy days.
A new book released by New York Times journalist Robert E. Sanger claims that Stuxnet was initiated under President George W. Bush and put into high gear by President Obama. The point of Stuxnet was not to destroy Iranian centrifuges, as many have assumed, but instead to cause constant vexing problems so the Islamic Republic would slow its enrichment program in an effort to find out what was wrong and assume that its design was bad. The idea was to fool Iran for years and constantly send technicians chasing what they would assume to be a new problem.
Sanger said Stuxnet was developed by three US agencies – the CIA, the National Security Agency and the Idaho National Lab – in conjunction with Israel, which the book says was included for political reasons because the US wanted to show the Israeli government that it was expending a huge effort to stop Iran’s nuclear program and thus discourage Israel from taking unilateral military action.
Sanger’s book, “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power,” details how Obama was personally involved in the cyberattacks: Obama received regular updates about the activities of the worm and personally approved cyber-attacks on Iranian nuclear facilities.
The revelations in Sanger’s book come at a time when the Obama White House is under political pressure for other leaks, including stories about expanded US drone strikes in Yemen, articles about Obama’s secret “kill list” of terrorist operatives in Pakistan and allegations that the White House gave critical information to filmmakers who made a documentary about the US Navy SEAL team that killed Osama Bin Laden. Republicans are accusing Obama of leaking details to highlight national security accomplishments as part of his presidential campaign.
A few congressmen are saying that Obama sidestepped constitutional restrictions by effectively starting a war, which only Congress may declare.
Obama’s erstwhile presidential election rival, Senator John McCain, said the leaks were “an intentional breach of the most highly classified operations that the United States is carrying out, and, therefore, compromise our security.”
Obama has vigorously denied allegations that he has been using the reports to bolster his national security credentials. “The notion that my White House would purposely release classified national security information is offensive,” he said. “It’s wrong. And, you know, people I think need to have a better sense of how I approach this office and how the people around me here approach this office.”