The Smoke Over Flame: Who Is Behind Super Cyber Spy Tool?
Mystery cyber spy program may have been watching Iranian computers for years.
May 30, 2012 — -- Cyber security experts around the world are racing to dissect Flame, the largest cyber espionage program ever discovered, as clues in the code and vague statements from Western officials fueled speculation as to whether the U.S. or Israel may be behind what researchers are calling a potential game-changer in the burgeoning arena of cyber warfare.
The existence of Flame, an unprecedented intelligence-gathering program designed to track and record basically everything an infected computer does, was disclosed Monday by two international cyber security firms as well as the Iranian government, which said Flame had been discovered on its networks.
One of the firms, Kaspersky Labs, reported the malware had been discovered in several countries in the Middle East, mostly in Iran, and had been operating for at least two years. Kaspersky Labs, along with a Hungarian cryptology lab called Crysys that also analyzed Flame, said that because of the expertise, time and funding required to create such a large and sophisticated program, it was likely some government agency had created the malicious code, rather than a group of cyber criminals or rogue hackers.
Clues in the code, such as the names of processes like "Beetlejuice" and "Platypus," led some experts to believe it could have been written by native English-speakers, but others pointed out that English is a common coding language in many countries.
Roel Schouwenberg, a senior researcher at Kasperky Labs, told ABC News today some monikers used in coding mean nothing at all or are just inside jokes among the programmers.
"We are talking about a very high stakes operation here, covert cyber ops, but that doesn't mean these guys aren't just having fun sometimes," he said.
Another possible clue in the code, Schouwenberg said, is that even though the program's structure and capabilities are very different, Flame shares some sophisticated techniques and geographical targets with another infamous cyber weapon, Stuxnet. Stuxnet was an offensive cyber weapon that was only discovered in 2010 after it had reportedly infected and caused physical damage to an Iranian nuclear facility.
Schouwenberg said Kaspersky Labs is operating under the theory that Stuxnet and Flame were created by different development teams but likely under the direction from the same backer and with access to each other's work. A researcher with the U.S.-based cyber firm Symantec told ABC News that scenario was a "definite" possibility and in its report Crysys said it could not be ruled out.
After Stuxnet's discovery, a Congressional report in December 2010 put the U.S. and Israel on a short list of countries believed to be capable of carrying out that attack -- a list that also included Russia, China, the U.K. and France. A month later, The New York Times reported Stuxnet may have been the result of a joint U.S., Israeli project to undermine Iran's nuclear program.
Publicly, U.S. officials repeatedly denied involvement in Stuxnet, while Israeli officials declined to comment.