English-Language Cyberwar Software Might Have Targeted Iran

Cyberwar software possibly used against Iran had English-language coding.

May 28, 2012, 4:20 PM

May 28, 2012 -- An act of "cyberwar" has been discovered by researchers who say that a malicious computer virus, written by English speakers and known as "Flame," has targeted Iran and the Middle East, and might have focused on oil and energy production, according to cybersecurity firm Symantec.

A cyber-attack launched against Iranian oil terminals in April, knocking them off line, might have been caused by "Flame," a complicated software program that can steal all of the information on a computer and possibly work to erase its hard drive, according to Vikram Thakur, a manager at Symantec security systems.

Thakur told ABC News today that early analysis of the software shows that it is the most complicated malware ever written and deployed, and that it has been stealing information from targeted users for at least two years.

While it is unknown who designed or launched Flame, the software uses code words like "Jimmy" that lead researchers to believe its makers are native English speakers. Furthermore, the complexity of code and language are not something that "average hackers could come up with," Thakur said.

"We can't pinpoint who is actually behind it but we can narrow the list of potential actors," he said. "It's a project that's been out for years, and flown under the radar. It is extremely well funded."

The U.S. State Department had no comment on the matter when reached today, but expected to address it a news Tuesday morning.

Thakur said that because the malware has been around for years without notice or abandonment, it is likely that it successfully stole sensitive information from computers it infected.

"According to the data we have, all of the infections were very local to parts of the Middle East: Iran, United Arab Emirates, Hungary, and smaller countries as well, but we believe that the actual targets of this piece of malware was an even smaller set of countries, and possibly just Iran," Thakur said.

Flame might rise from the level of cyber-espionage to cyberwar because of its ability to wipe out a computer's hard drive, Thakur explained.

"So far we've put it in the espionage category, but there is a piece of code we are still analyzing that on first look points to the ability to wipe a computer's hard drive. It's sort of semantics, but the fact that it did something apart from just stealing information brings it to the next stage, cyberwar," he said.

The cyber-attack is the second such malware targeted against Iran. The Stuxnet computer virus attacked Iran's nuclear facilities and damaged centrifuges in 2010, delaying Iran's production of enriched uranium. More than half of Stuxnet-infected computers were located in Iran, and it was widely believed that the United States or Israel was involved in the attack.

The person or organization behind Stuxnet, or the other largest malware found to date, Duqu, could also be behind Flame, Thakur said.

"It's a definite possibility that it's the same person," he said. "While the code base behind Stuxnet and Duqu is very different and completely unrelated to Flame, it's possible that the actual perpetrators who funded the mission are indeed the same."

Thakur said it's possible that because all three are well-funded, one organization with different departments, mandates or resources could have separately funded the creation of the three viruses.

"That theory does hold water," he said.

Cyber-attacks and malware practiced at the macro level, by governments or large organizations, can affect citizens in myriad ways, Thakur said. If the Iranian oil terminals are knocked off line, for instance, it can affect oil prices around the world and at the neighborhood pump, he said. It can also affect political acts and situations.

"It's very possible that you and I have read about certain incidences in our lives that could be related to Flame," he said.

The software will not, however, affect the average computer user's online security. A highly complex software program used to steal information is typically targeted to specific individuals.

"For the average user, it does not make much of a difference," he said. "People behind such projects are not targeting the average user. That being said, it does raise the bar in the cybermalware world. These are techniques they could employ as well. The game will be upped by the average hacker in coming months and years."

As for whether cyberwar is about to break out, Thakur said that "we have long crossed that middle zone, debating whether or not this should be done. Governments are snooping on people's computers, governments are indeed meddling, waging cyberwar. Activities are indeed happening."