Kaspersky Labs announced today that it had discovered a new cyber-virus it’s calling mini-Flame, used to hack computer systems in the Middle East. The code, a variant of the Flame and Stuxnet computer worms, which have previously been attributed to joint Israeli and U.S. development, penetrated computers in Lebanon, Sudan, Iran, Saudi Arabia, Qatar, and Palestine. It appears, from the precision of the attack and the small number of victims, that those who created it did so as part of a comprehensive cyber-espionage program. With Stuxnet, they cast their net as wide as possible, seeking massive amounts of data from a wide number of computers. They then harvested the data and honed the code so that it went after a smaller, but much higher value set of targets. The report calls mini-Flame a “high precision surgical attack tool.”
The questions that remains unanswered are: precisely whom is it attacking and what specific information it seeks?
Among other things mini-Flame does is to take a “screenshot” of the computers it infects. It sends this image back to the home servers where the hackers can then explore the harvested data.
The list of targeted nations immediately calls Israel to mind as the likely author of the code. It already has a massive covert ops program in place against Iran. Lebanon and Sudan are natural targets because Hezbollah is an Iranian ally and Hamas has reportedly imported arms from Iran via Sudan. Israel has also used its drones to attack reputed Iranian arms convoys headed for Gaza through Sudan.
Qatar is reputed to be a possible future home of Hamas’s government in exile, which was forced to abandon Syria during the civil war. The Gulf state is also a major supporter (along with Saudi Arabia) of the Syrian rebel forces. Israel would certainly have great interest in monitoring developments on all these fronts since the outcome in Syria is of extreme interest to it.
Speaking of regional developments, events in Syria are taking an ominous turn. Media reports say that Islamist forces are playing an increasing role in the uprising.
Knowing what we know about Israel’s national security and intelligence apparatus, it has to be tremendously active in ensuring an outcome in Syria that is favorable to Israel. A quiescent government there that plays nicely and doesn’t rock the boat as far as Israel is concerned would be worth its weight in gold.
Iran and Hezbollah too have to have a huge interest in the outcome in Syria since they use the latter as a transhipment corridor for weapons and other valuable items between Iran and Lebanon, which are then used in the fight against Israel. These erstwhile Assad allies have to realize that his days are numbered and that a new regime will end up in control.
Turkey, as Syria’s most powerful neighbor, will certainly have interests in this outcome that diverge from those of Israel and Iran. It will be interesting to find out which horses each of these parties are betting on and if those horses perform according to their handicaps.
Keep your eyes out for Syria’s Chalabi. This will be the horse Israel and the U.S. will want to bet on. He’s out there for sure among the Syria resistance.
Richard, which are more dangerous, drone attacks (and drone surveillance) or cyber attacks (or surveillance)?
They both cross international “boundaries” without permission, and both are hard to establish responsibility for. Does KASPERSKY really not know where the mini-Flame is coming from? Wow! If that can be hidden, all one can do is surmise from the character of the code that it is a national source (rather than corporate (?) or small-group or personal). If it is surveillance code, aren’t data being sent SOMEWHERE? Where?
The Kaspersky article mentions they found 92 Command & Control servers associated with miniFlame. The article mentions that miniFlame shares the same C&C server platform with the original Flame architecture. Kaspersky has written two papers on this, footnoted at the bottom of the article Richard cited here. One provides details of the hardware/software platform of the servers, and where (and to whom) they were registered:
https://www.securelist.com/en/blog/208193540/The_Roof_Is_on_Fire_Tackling_Flames_C_C_Servers
Kaspersky doesn’t attribute attacks to specific countries even if they did know. They try to preserve political neutrality. But they honestly told me the origin of the code is unknown at this time.
I think the problem is that the data is being sent back to the C&C servers. But from there they can’t track where it’s sent. That’s my understanding but I’m not technically proficient in this stuff.