Not unlike the fictional Mr. Phelps of “Mission Impossible,” real-life spies today direct their computer cyberespionage programs to self destruct — delete themselves — after use. Bare scraps of digital code can be pretty thin evidence for investigators.
Even so, digital forensic sleuths at two antivirus companies – Kaspersky Labs and Symantec – on Monday announced new discoveries from piecing together the cyber shards of a program called Flame, which further reveal an extensive cyberespionage operation apparently directed at Iran.
Already, media reports have claimed that the US andIsrael launched Stuxnet – the world’s first cyberweapon — to slow Iran’s nuclear program, and that three other cyberespionage programs, including Flame, were part of the same effort. Now, the new analysis reveals traces of at least three more malicious programs targeting Iran, suggesting there are still a significant number of programs yet to be discovered spying on Iranian computers.
There are fresh signs, too, that the harvest has been vast.
“Flame’s creators are good at covering their tracks,” Alexander Gostev, chief security expert at Kaspersky Lab said in a statement. “But one mistake of the attackers helped us to discover more data….”
The evidence was found on two European servers made to evade detection from hosting providers through their benign name, “Newsforyou.” A programming mistake left behind one encrypted file and a data log. An analysis of the data showed that the servers were able to receive data from infected machines using four different protocols; Flame was only one of them.
The existence of three additional protocols not used by Flame “provides proof that at least three other Flame-related malicious programs were created,” Kaspersky said.
The discovery hints at a cyberespionage operation vast in scope, with more than five gigabytes of data uploaded from more than 5,000 infected machines to just one of the two command and control servers in Europe each week. Most of the infected computers were in Iran, some inSudan, and a handful in other countries.
“This is certainly an example of cyber espionage conducted on a massive scale,” Mr. Gostev said.
The onion-like layers of this operation have been peeled back since the discovery of Stuxnet, which was discovered to be targeted at Iran’s nuclear fuel-refining system in June 2010. After that, a cyberespionage program dubbed Duqu was unearthed in September 2011, followed by Flame in May, and then Gauss in July.
Sifting their program code, investigators found critical links among them — enough to call Stuxnet at least a first-cousin to Duqu, Flame, and Gauss. Though built by different teams, the programs had key software that showed the authors were linked in an overarching effort.
In June, the New York Times reported that Stuxnet was part of Operation Olympic Games, a joint project of the US and Israel. By their link to Stuxnet, the other three programs appear to be part of a larger program, too.
“The complexity of the code and confirmed links to developers of Stuxnet all point to the fact that Flame is yet another example of a sophisticated nation-state sponsored cyber operation,” the Kaspersky report said.
It added that the development of Flame’s command and control platform started as early as December 2006 — much earlier that previously thought.
“What these cyberoperations do is allow America to put digital boots on the ground in a foreign country, sparing American lives in the short term,” says John Bumgarner, research director for theUS Cyber Consequences Unit, a nonprofit security think tank that advises government and industry. “The CIA doesn’t need to embed a spy inside Iran, and the US military doesn’t need to send a stealth fighter to bomb something.”
In the long term, it is not clear whether cyberspying and digital missiles like Stuxnet will be enough to prevent a military conflict, he notes. And the bits and bytes are starting to pile up.
“Despite all these discoveries, there is still a lot of plausible deniability afforded by these digital weapons and espionage tools,” he says. “Most of bread crumbs haven’t been traced directly back to NSA or CIA. But the traces do, at the very least, suggest such agencies ran these operations.”