The Washington Post is enjoying another one of those sneaky-leaky moments thanks to willing sources in the Obama administration who both sought to reinforce U.S. involvement with anti-Iran cyberwarfare, and distinguish between it and the meshuga Israelis who are using the weapons in indiscreet ways. The Post reports, as just about every cyber-security expert worth his or her salt already knew, that the computer mega-virus, Flame, was another joint product of Israeli and U.S. cyberwarriors:
There has been speculation that Washington had a role in developing Flame, but the collaboration on the virus between the United States and Israel has not been previously confirmed.
On the Israeli side it was undoubtedly cooked up by the IDF’s Unit 8200 and on the U.S. side by the National Security Agency.
Though some aspects of this story were either already known or surmised, I’d never heard about this aspect of Flame’s capabilities:
Experts said the program was designed to replicate across even highly secure networks…
In other words, though the initial infection may have been caused by an indiscretion or an infected USB stick, once inside, the code was so deftly designed that it could conceal itself from the detection tools then in place and spread to other computers and systems that were supposedly equally secure.
Here’s another new piece of data:
Flame masquerad[ed] as a routine Microsoft software update…[and] evaded detection for several years by using a sophisticated program to crack an encryption algorithm.
One interesting phenomenon of such warfare which I learned from this article is that if successful, the victim doesn’t even know his computer has been compromised. In that sense, you want to break into a system and patiently explore all the parameters of the network to learn all you can. In other words, you’re not looking for a quick fix. You’re looking for slow, incremental intelligence gains that bear fruit over the long-term.
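What the Post describes as cracking "an encryption algorithm" was, more precisely, a collision attack on a hash function: Flame carried a code-signing certificate that chained to a Microsoft root, obtained by a chosen-prefix collision against MD5, which Microsoft's Terminal Server Licensing Service still used to sign certificates. Windows Update clients then saw a "legitimately" signed package. The block below is an added example, not code from the original post or from the Post article. It shows (a) that MD5 collisions are real, using a published identical-prefix collision pair rather than a chosen-prefix one, and (b) a minimal DER walker that pulls the signature-algorithm OID out of a certificate so a chain signed with MD5 can be rejected. The certificate-shaped DER blob it checks is constructed here for the example and is not a valid certificate; the function and variable names are this example's own.

```python
"""Added example: why an MD5-signed certificate chain must be rejected.
Not code from the original post or from the Washington Post article."""
import hashlib

# Published MD5 collision pair (Wang et al., 2004), hex-encoded.
# The two 128-byte blocks differ in six bytes yet share one MD5 digest.
_A_HEX = (
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
_B_HEX = (
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_collision_pair():
    """Return the two colliding messages as bytes."""
    return bytes.fromhex(_A_HEX), bytes.fromhex(_B_HEX)


def is_md5_collision(a, b):
    """True when two distinct inputs share an MD5 digest (SHA-256 still separates them)."""
    return a != b and hashlib.md5(a).digest() == hashlib.md5(b).digest()


# Signature-algorithm OIDs as they appear in an X.509 signatureAlgorithm field.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:                # base-128, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Return the dotted OID from the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)


def chain_uses_weak_digest(chain_der):
    """Name of the first weak algorithm found in a list of DER certs, else None."""
    for cert in chain_der:
        name = WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert))
        if name:
            return name
    return None


def _der(tag, content):
    """Short-form DER encoder, sufficient for the skeleton below."""
    return bytes([tag, len(content)]) + content


def constructed_cert_skeleton(sig_oid_hex):
    """Constructed for this example: a certificate-shaped DER blob with an empty
    tbsCertificate and a dummy signature. It is NOT a valid certificate."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 4)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    a, b = md5_collision_pair()
    print("MD5 collision:", is_md5_collision(a, b))
    md5_cert = constructed_cert_skeleton("2a864886f70d010104")   # md5WithRSAEncryption
    sha256_cert = constructed_cert_skeleton("2a864886f70d01010b")  # sha256WithRSAEncryption
    print("weak digest in chain:", chain_uses_weak_digest([sha256_cert, md5_cert]))
```

The DER walker only reads the outer `signatureAlgorithm`; a production verifier would also check the digest used inside each issuer's signature and apply the same rule to the whole chain, which is the point: a single MD5-signed intermediate, as in the Terminal Server Licensing chain, is enough to let an attacker mint a certificate the end system trusts.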
That’s where Israeli and U.S. security world views diverge. Israel is all about the quick fix and the short term, which is why it surprised the U.S. when Israel allowed Flame to disable several Iranian oil depots. This episode exposed Flame and put the Iranians on to the whole operation. Thus five years of intelligence work evaporated (Flame was first created in 2007 and has presumably been operative since around that time).
Not to worry though, because another purpose of this leak is to play mind games with Iran by telling it that we have yet more worms and viruses likely infecting their systems:
“This is about preparing the battlefield for another type of covert action,” said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber-collection against the Iranian program is way further down the road than this.”
…Although Stuxnet and Flame infections can be countered, “it doesn’t mean that other tools aren’t in play or performing effectively,” he said.
What I “love” about the hubris of statements like this is that the speaker appears to believe his own PR, thinking that he has some deft surprises in store for the Iranians. But unless Israel or the U.S. is willing to fully commit to knocking Iran out of the nuclear game, they simply won’t be able to do so with cyber-sabotage. It’s a screw that gets stuck in the cogs of the machine. But the machine can be fixed and brought back online and bring Iran to whatever its ultimate goal might be. To believe otherwise, as some in the U.S. and Israel appear to do, is a neat bit of self-deception.
Flame, according to this account, was meant as a cyber-scout:
Flame…shows the importance of mapping networks and collecting intelligence on targets as the prelude to an attack, especially in closed computer networks. Officials say gaining and keeping access to a network is 99 percent of the challenge.
“It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage,” said Michael V. Hayden, a former NSA director and CIA director…
It infected particular computers of individuals in the Iranian nuclear hierarchy and from there scoped out the entire Iranian network to find out how it was structured and to identify weaknesses to be exploited. Flame, in that sense, served as the precursor to Stuxnet, which infected the industrial control systems of Iran’s Natanz and Bushehr plants. The latter sabotaged 1,000 centrifuges (20% of the total), which were enriching uranium presumably for Iran’s nuclear program.
In this instance as well, the Israelis erred in allowing Stuxnet to migrate out of the Iranian system, where it infected computers around the world. In this case, Israeli indiscretion alerted the Iranians to their vulnerability. Instead of running around like chickens with their heads cut off trying to figure out why their centrifuges were self-destructing as they had previously, the Iranians could lay blame squarely where it belonged, on the U.S. and Israelis, who’d embraced a new, potentially lethal form of warfare.
A few days ago, Antiwar Radio interviewed me about Stuxnet, Flame and cyberwarfare. Here’s the audio. One of the issues I advocated was an international treaty to monitor and regulate cyberwarfare. Happily, Bruce Schneier, the noted cyber-security specialist, wrote a piece about this that’s well worth reading. Here are some of his main arguments:
…It [Stuxnet and Flame] damaged the U.S.’s credibility as a fair arbiter and force for peace in cyberspace. Its effects will be felt as other countries ramp up their offensive cyberspace capabilities in response. For that reason, Stuxnet was a destabilizing and dangerous course of action.
Here Schneier distinguishes between cyber-intelligence that is passive in nature (eavesdropping, etc.) and more acceptable, and activity that is active and destructive in nature (deleting or overwriting data) and which should be impermissible:
There is a fundamental difference between passive eavesdropping attacks and more active attacks that delete or overwrite data.
This is one of the most cogent arguments I’ve read on the importance of an international cyberwar treaty:
As to arms control agreements, I think it is vital for both society and cyberspace that we begin these discussions now. We’re in the early years of a cyberwar arms race, an arms race that will be expensive, destabilizing, and dangerously damaging. It will lead to the militarization of cyberspace, and the transformation of the Internet into something much less free and open. Perhaps it’s too late to reverse this trend — certainly you can argue that military grade cyberweapons like Stuxnet and Flame have already destroyed the U.S.’s credibility as a leader for a free and open Internet — but the only chance we have are cyberweapons treaties.
…I think there is enormous value in the treaty process — and in the treaties themselves. I think we need to proceed by starting the dialogue. We made a mistake with Stuxnet: We traded a small short-term gain for a large longer-term loss…
Changing the subject a bit, yesterday Israel announced that it had detained an IDF non-commissioned officer working in military intelligence. He directed an IT unit that monitored and fixed computer glitches in the military computer network. This might’ve meant he worked in Unit 8200. There is a gag order on the identity of the soldier who’s been charged. The gist of the story as reported in the Israeli press is that when he moved jobs he took a hard drive from his secured computer containing top-secret data, and then transferred those files to his new work computer. He then took some of these files outside his IDF facility (I presume this means he put them on his personal computer, though that’s not clear). It’s somewhat similar to the speculation that Iran’s Natanz facility was compromised by a USB stick introduced into its computer system.
Because his computer in his first job used a secure military network and his new job used a civilian computer network, his actions allegedly compromised the entire IDF military network. They could’ve enabled an enemy with access to the civilian network to discover what programs were being used on the military network and how they were being used, and to exploit weaknesses that would permit the same sort of penetration that allowed Stuxnet and Flame to sabotage the Iranian computer networks. Though he’s not under formal arrest, he is confined to his home (shades of Anat Kamm!).
Isn’t it a delicious irony that Israel, master of cyberweapons, quakes in fear of the very compromises it exploited against Iran? Make no mistake, no matter how vigilant it is, someone somewhere will get the better of Israel despite all its brilliant minds working full tilt in Unit 8200. Then many in the world will say: “As ye have sown, so shall ye reap.”
I’m so happy that all this cyberwar-stuff will only be used against Iran and some other bad, bad, enemies of the US and Israel and never, never against civilians, companies, states and countries by commercial or financial reasons…
Thank you USA, thank you Israel!
Almabu, I am also very happy, just like you. We are so lucky to live in such a wonderful, fair world.
Ditto! Things are better resolved without bloodshed. In other news, congratulations on your format change, Richard! What prompted the move?
Concerning the format change.
The personal symbols – I forgot the name – on the right separated from the pen names seem out of place, probably a question of habit, and I guess there are some technical progress involved.
I’m going to miss the Israeli and the Palestinian boys from “Promises”, the Sarajavo Haggadah etc. David Grossman, not too much…
They’re not dead yet. I’m working on the slideshow & reincorporating it into the format in some way.
Yes, the two boys from “Promises” showed up when I opened your blog.
This is really a film that I hope everyone has seen or will see. Though I’m fed up with “peace-and-love”-films about the conflict, this one by BZ Goldberg is different. Particularly the Palestinian boy (the one in the slideshow) who’s very disappointed that he never had any news from the Israeli twins touched me.
http://topdocumentaryfilms.com/promises/
Amazing- DY and I agree on something on this blog…At least as far as regarding the format change. DY’s comment is exactly what I was thinking. Well, it’s one step closer between different viewpoints together. I also think RS’s tag line more accurately represents what he wants to do at this blog.
Also DY- thank you for the link to “Promises” I had not seen this doco. I only had time now to watch clips of it, but it looks a very good and important film to view-looks very powerful.
No doubt we will be at odds in future threads, but for now here’s to continued respect and understanding of being able to “agree to disagree”. (sorry it’s somewhat off topic).
Me too! Good to know that these will not be used on me or anyone else doing this blog. The US and Israel are both trustworthy custodians of lethal and dangerous weapons unlike some other states I could name. It’s all just part of the “values” we Americans “share” with Israel. (Did anyone pick up the story about the US Apple store guy who would not sell an iPad 2 to a woman because she spoke Farsi and trade with Iran is under embargo! Good Americans cannot be too vigilant in these difficult times.)
Although this virus is robust in that it can go anywhere, we find it amusing that it disguises itself as a Windows update. Windows iterations come stock when you purchase them through Microsoft channels, but people have taken them apart and even altered the base kernel. Hence, at a consumer level, you have free versions of Windows out there (just Google “TinyXP”, for instance, to see the tip of the iceberg). Insofar as pirated versions of Microsoft products are concerned, the update modules of the software are specifically targeted. Without going into great detail, as there exists more than one way to skin the cat, the idea is basically to trick the software into never communicating with Microsoft’s license verification servers (sometimes triggered by updates). The pirates have even made it so that you can still receive updates without the licensing servers being contacted as well. These are problems Microsoft cannot resolve in the present day (their best shot was literally turned into a play toy by hordes of people to customize as they pleased). Iran would be no exception. They would utilize quarantine or other methods of global network management to prevent worst-case scenarios from taking fruit.
This was about spying on Iran’s key communications, not their nuclear program, which Israel knows is not a threat to it whatsoever.
RT had a story about this (Russian outfit found that Flame had code in common with Stuxnet) something like a week before the Washington Post story. I didn’t notice any crediting to RT in that Washington Post story.