The Smoke Over Flame: Who Is Behind Super Cyber Spy Tool?

Mystery cyber spy program may have been watching Iranian computers for years.

May 30, 2012, 1:36 PM

May 30, 2012 -- Cyber security experts around the world are racing to dissect Flame, the largest cyber espionage program ever discovered, as clues in the code and vague statements from Western officials fueled speculation as to whether the U.S. or Israel may be behind what researchers are calling a potential game-changer in the burgeoning arena of cyber warfare.

The existence of Flame, an unprecedented intelligence-gathering program designed to track and record basically everything an infected computer does, was disclosed Monday by two international cyber security firms as well as the Iranian government, which said Flame had been discovered on its networks.

One of the firms, Kaspersky Labs, reported the malware had been discovered in several countries in the Middle East, mostly in Iran, and had been operating for at least two years. Kaspersky Labs, along with a Hungarian cryptology lab called Crysys that also analyzed Flame, said that because of the expertise, time and funding required to create such a large and sophisticated program, it was likely some government agency had created the malicious code, rather than a group of cyber criminals or rogue hackers.

Clues in the code, such as the names of processes like "Beetlejuice" and "Platypus," led some experts to believe it could have been written by native English-speakers, but others pointed out that English is a common coding language in many countries.

Roel Schouwenberg, a senior researcher at Kaspersky Labs, told ABC News today some monikers used in coding mean nothing at all or are just inside jokes among the programmers.

"We are talking about a very high stakes operation here, covert cyber ops, but that doesn't mean these guys aren't just having fun sometimes," he said.

Another possible clue in the code, Schouwenberg said, is that even though the program's structure and capabilities are very different, Flame shares some sophisticated techniques and geographical targets with another infamous cyber weapon, Stuxnet. Stuxnet was an offensive cyber weapon that was only discovered in 2010 after it had reportedly infected and caused physical damage to an Iranian nuclear facility.

Schouwenberg said Kaspersky Labs is operating under the theory that Stuxnet and Flame were created by different development teams but likely under the direction of the same backer and with access to each other's work. A researcher with the U.S.-based cyber firm Symantec told ABC News that scenario was a "definite" possibility, and in its report Crysys said it could not be ruled out.

After Stuxnet's discovery, a Congressional report in December 2010 put the U.S. and Israel on a short list of countries believed to be capable of carrying out that attack -- a list that also included Russia, China, the U.K. and France. A month later, The New York Times reported Stuxnet may have been the result of a joint U.S.-Israeli project to undermine Iran's nuclear program.

Publicly, U.S. officials repeatedly denied involvement in Stuxnet, while Israeli officials declined to comment.

Israeli Official Raises Eyebrows, U.S. Agencies Mum on Flame Origin

Within hours of Flame's public disclosure, a top Israeli official, vice prime minister Moshe Yaalon, sparked speculation when he hinted to an Israeli news outlet that his country may have been behind it all, as ABC News reported Tuesday.

"Whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them," Yaalon told Israel's Army Radio, referring to the cyber attack. "Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us."

However, after those comments made headlines, Yaalon took to Twitter and said that "plenty of advanced Western countries, with apparent cyber-warfare capabilities, view Iran and especially its nuclear program as a real threat."

Later, NBC News reported that an unnamed U.S. official who acknowledged having no first-hand knowledge of the virus said, "It was us." And today the Israeli military magazine Israel Defense quoted its own unnamed Israeli officials who said they believe the virus came from the U.S.

For their part, the official spokespersons for an alphabet soup of American government agencies have stayed quiet on where exactly Flame came from.

In response to questions from ABC News today, the National Security Agency, Central Intelligence Agency, Department of Defense Cyber Operations and State Department either declined to comment or referred ABC News to the Department of Homeland Security. The DHS said in a statement it was analyzing Flame to determine its impact on the U.S. but refused to comment on whether the U.S. had a hand in its creation.

Though cyber security experts said it will be months, and possibly years, before Flame is completely analyzed, Schouwenberg said there is little chance much more information about the author will be gleaned from the code itself.

"What is proof in cyber? It's very tough. When you look at the remnants of a bomb, at least you know who made it," he said. "In cyber, you never know for sure."

ABC News' Dana Hughes and Colleen Curry contributed to this report.
