Information Warfare: The Cyber War Against Iran


May 31, 2012: For the third year in a row, a Cyber War "super weapon" has turned up in Iranian and other Middle Eastern computers. The new one is called Flame, and it was designed to stay hidden and collect information. It apparently did both, for up to five years (or more), in Iran, Lebanon, the Palestinian West Bank, and, to a lesser extent, other Moslem countries in the region. Like the earlier Stuxnet (2009) and Duqu (2011), Flame has all the signs of being designed and created by professional programmers and software engineers. Most malware (hacker software) is created by talented but undisciplined amateurs and shows it, in its lack of organization and reliability. Professional programmers create more capable and reliable software. That describes Stuxnet, Duqu, and Flame. Someone is spending big bucks to craft major Cyber War weapons and turn them loose.

As researchers continue studying these three software packages, they find ever more surprising features. Until the appearance of Flame, the most formidable Cyber War weapon encountered was Stuxnet, a computer worm (a computer program that constantly tries to copy itself to other computers) that showed up two years ago. It was a weapons-grade cyber weapon, designed to damage Iran's nuclear weapons manufacturing facilities. It succeeded. A year after Stuxnet was discovered (in 2010), security experts uncovered Duqu. Like Flame, Duqu was collecting information on large computer networks and apparently preparing for an even broader attack on industrial targets.

It appeared that Stuxnet and Duqu were but two of five or more Cyber War weapons developed (up to five years ago) from the same platform. Flame does not appear to be related to Stuxnet and Duqu. The basic Flame platform appears to have been built to accept various additional software modules, giving each variant different capabilities. Some of the modules made use of specific computer features, like the microphone, wireless communication, or the camera. Flame appears to be a very different design from Stuxnet and Duqu, but, like them, it also spreads via USB memory sticks.

Some infected PCs were found to contain a large number of Flame modules, amounting to up to 20 megabytes of code and data. Flame hides its presence very well and has a very effective self-destruct feature that erases all evidence of its presence if it is detected. In the five or more years Flame has been around, it has gotten into a few thousand PCs and collected large quantities of data.

In contrast, Duqu was being used to probe industrial computer systems and send information about how these systems are built and operate back to someone. When Duqu was first discovered, the server it was sending its data to was eventually found in India and disabled. Duqu appeared to shut down last December. No one knows if this is because Duqu had finished its work or because its operators were feeling cramped by all the attention. Flame is still operating.

For over two years now, hundreds of capable programmers have been taking Stuxnet and Duqu apart and openly discussing the results. While all three of these programs were probably created as a highly classified government project (Israel and the U.S., in a joint effort, are the most likely suspects), no one has taken credit for it. Thus these programs belong to no one and everyone. The public discussion on the Internet has provided a bonanza of useful criticism of how the programs were put together, often describing in detail how flaws could be fixed or features improved. But even when such details were not provided, the programmers picking apart these programs usually mentioned what tools or techniques were needed to make the code more effective.

On the down side, this public autopsy makes the inner workings of the software, and all the proposed improvements, available to anyone. Then again, security professionals now have a much clearer idea of how this kind of weapon works, and that can make future attempts to use similar weapons more difficult.

Duqu appears to be from the people who created Stuxnet, as it seems to have been created by someone with the Stuxnet source code. In theory, you could create something like that without having the actual source code, just by reverse-engineering Stuxnet. But that would be an enormous and expensive project. Duqu does not show tell-tale signs of reverse engineering. With Duqu and Stuxnet together it was possible to see how the modularity of the original master software was constructed and estimate that another three or more major variants are waiting to be released, or may have already been let loose.

Flame is much larger and more complex than Stuxnet or Duqu and will keep researchers busy for years. But now that three of these professionally crafted Cyber War weapons have appeared in the last year, it seems likely that more will show up.

Weapons like Stuxnet and Duqu are nothing new; for nearly a decade Cyber War and criminal hackers have planted programs ("malware") in computer networks belonging to corporations or government agencies. These programs (called "Trojan horses" or "zombies") are under the control of the people who plant them and can later be used to steal, modify, or destroy data, or to shut down the computer systems the zombies are on. You infect new PCs and turn them into zombies by using freshly discovered and exploitable defects in software that runs on the Internet. These flaws enable a hacker to get into other people's networks. Called "Zero Day Exploits" (ZDEs), in the right hands these flaws can enable criminals to pull off a large online heist or simply maintain secret control over someone's computer. Flame was apparently using high-quality (and very expensive) ZDEs and possibly receiving new ones as well.

Stuxnet contained four ZDEs, two of them unknown, indicating that whoever built Stuxnet had considerable resources. ZDEs are difficult to find and can be sold on the black market for over $10,000. The fact that Stuxnet was built to sabotage an industrial facility spotlights another growing problem - the vulnerability of industrial facilities. The developers of control systems software have been warned about the increased attempts to penetrate their defenses. In addition to terrorists, there is the threat of criminals trying to extort money from utilities or factories with compromised systems, or simply sniffing around and selling data on vulnerabilities to Cyber War organizations. In the case of Stuxnet the target was Iran's nuclear weapons operation, but some hackers dissecting Stuxnet could now build software for use in blackmail schemes.

Stuxnet was designed to shut down a key part of Iran's nuclear weapons program, by damaging the gas centrifuges used to enrich uranium to weapons grade material. Iran eventually admitted that this damage occurred and recent Western estimates of how soon Iran would have a nuclear weapon have been extended by several years. So, one can presume that Stuxnet was a success.

Duqu appears to be exploiting the success of Stuxnet in spreading to so many industrial sites and is designed to sniff out details of places it ends up in and send the data to whoever is planning on building Stuxnet 2.0. Several different versions of Duqu have been found so far, and all of them have been programmed to erase themselves after they have been in a computer for 36 days.

Stuxnet was believed to have been released in late 2009, and thousands of computers were infected as the worm sought out its Iranian target. Initial dissection of Stuxnet indicated that it was designed to interrupt the operation of the control software used in various types of industrial and utility (power, water, sanitation) plants. Eventually, further analysis revealed that Stuxnet was programmed to subtly disrupt the operation of gas centrifuges.

The Stuxnet "malware" was designed to hide itself in the control software of an industrial plant, making it very difficult to be sure you have cleaned all the malware out. This is the scariest aspect of Stuxnet and is making Iranian officials nervous that other Stuxnet-type attacks have been made on them. Although Iran eventually admitted that Stuxnet did damage, it would not reveal when Stuxnet got to the centrifuges nor how long the malware was doing its thing before it was discovered. But all this accounts for the unexplained slowdown in Iran getting new centrifuges working. Whoever created Stuxnet probably knows the extent of the damage, because Stuxnet also had a "call home" capability.

The U.S. and Israel have been successful with "software attacks" in the past. This stuff doesn't get reported much in the general media, partly because it's so geeky and because there are no visuals. It is computer code and arcane geekery that gets it to its target. But the stuff is real, and the pros are impressed by Stuxnet, Duqu, and Flame, even if the rest of us have not got much of a clue. The capabilities of these Cyber War weapons usher in a new age in Internet based warfare. Amateur hour is over and the big dogs are in play. Actually, they appear to have been out there for years, using their stealth to remain hidden. There are probably more than three of these stealthy Cyber War applications in use.