English-Language Cyberwar Software Might Have Targeted Iran

Cyberwar software possibly used against Iran had English-language coding.

ByABC News
May 28, 2012, 4:20 PM

May 28, 2012— -- An act of "cyberwar" has been discovered by researchers who say that a malicious computer virus, written by English speakers and known as "Flame," has targeted Iran and the Middle East, and might have focused on oil and energy production, according to cybersecurity firm Symantec.

A cyber-attack launched against Iranian oil terminals and knocking them off line in April might have been caused by "Flame," a complicated software program that can steal all of the information on a computer and possibly work to erase its hard drive, according to Vikram Thakur, a manager at Symantec security systems.

Thakur told ABC News today that early analysis of the software shows that it is the most complicated malware ever written and deployed, and that it is has been stealing information from targeted users for at least two years.

While it is unknown who designed or launched Flame, the software uses code words like "Jimmy" that lead researches to believe its makers are native English speakers. Furthermore, the complexity of code and language are not something that "average hackers could come up with," Thakur said.

"We can't pinpoint who is actually behind it but we can narrow the list of potential actors," he said. "It's a project that's been out for years, and flown under the radar. It is extremely well funded."

The U.S. State Department had no comment on the matter when reached today, but expected to address it a news Tuesday morning.

Thakur said that because the malware has been around for years without notice or abandonment, it is likely that it successfully stole sensitive information from computers it infected.

"According to the data we have, all of the infections were very local to parts of the Middle East: Iran, United Arab Emirates, Hungary, and smaller countries as well, but we believe that the actual targets of this piece of malware was an even smaller set of countries, and possibly just Iran," Thakur said.

Flame might rise from the level of cyber-espionage to cyberwar because of its ability to wipe out a computer's hard drive, Thakur explained.

"So far we've put it in the espionage category, but there is a piece of code we are still analyzing that on first look points to the ability to wipe a computer's hard drive. It's sort of semantics, but the fact that it did something apart from just stealing information brings it to the next stage, cyberwar," he said.

The cyber-attack is the second such malware targeted against Iran. The Stuxnet computer virus attacked Iran's nuclear facilities and damaged centrifuges in 2010, delaying Iran's production of enriched uranium. More than half of Stuxnet-infected computers were located in Iran, and it was widely believed that the United States or Israel was involved in the attack.

The person or organization behind Stuxnet, or the other largest malware found to date, Duqu, could also be behind Flame, Thakur said.

"It's a definite possibility that it's the same person," he said. "While the code base behind Stuxnet and Duqu is very different and completely unrelated to Flame, it's possible that the actual perpetrators who funded the mission are indeed the same."

Thakur said it's possible that because all three are well-funded, one organization with different departments, mandates or resources could have separately funded the creation of the three viruses.

"That theory does hold water," he said.