Study of Flame malware used in Middle East and north Africa reveals programmers probably had national backing

The covert cyberwar being waged in the Middle East and north Africa – particularly against Iran and its allies – is even more sophisticated and widespread than had previously been understood, according to new research.

Two leading computer security laboratories – Kaspersky Lab and Symantec – have been studying a series of powerful cyberweapons used against targets including the Iranian nuclear programme and Lebanese banks accused of laundering money for Iran and its ally Hezbollah. They are now convinced that all were probably created by a national government or governments working together.

They have also identified key similarities in the weapons' computer coding suggesting some – if not all – were worked on at different times by the same or related groups of programmers.

Suspicion over the most likely culprit has centred on the US and Israel – not least after anonymous briefings to the Washington Post by an unnamed former senior US intelligence official this year.

In June the New York Times disclosed that one of the weapons identified in the last two years – Stuxnet, a sabotage program used to attack Iran's nuclear centrifuges in 2010 – was part of a joint US-Israel cyberwar plan, codenamed Olympic Games, targeting the Islamic republic, which suggests that the other cyberweapons could be part of the same wide operation.

The latest disclosures follow forensic analysis by Symantec and the Moscow-based Kaspersky Lab of two command and control servers used by a sophisticated espionage worm named Flame, which was discovered by Iran this year stealing data from its computers.

Analysts believe from studying fragments of Flame that it was only one of four similar weapons being used simultaneously, the other three of which have not been identified.

Equally intriguing was the discovery that Flame and Stuxnet are related, with an early version of Stuxnet appearing in Flame as a plug-in.

"The Flame malware, including all of its components, was very large and our ongoing investigation revealed more and more details since that time," Kaspersky Lab and Symantec said in a statement this week, after being commissioned by the International Telecommunication Union to study the new cyberweapon. "Flame was so advanced that only the world's top cryptographers could be able to implement it."

They added: "In June we definitively confirmed that Flame developers communicated with the Stuxnet development team, which was another convincing fact that Flame was developed with nation-state backing."

According to the researchers, Flame itself was a huge operation.

Kaspersky Lab's Alexander Gostev said estimating the scale was problematic but researchers had been able to discover data intended to be kept by one of several command-and-control servers. "Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber-espionage conducted on a massive scale."

According to the researchers' analysis: "During a period of just one week (25 March-2 April) 5,377 unique IPs were seen connecting to the server, the vast majority in Iran: 3,702. What is also surprising is the large number of IPs from Sudan: 1,280.

"Our previous statistics did not show a large number of infections in Sudan, so this must have been a dedicated campaign targeting systems in Iran and Sudan.

"If just one server handled 5,000-plus victims during a one-week period and given several servers were available, we can estimate the total number of victims for Flame is probably higher than previously estimated, exceeding 10,000."

Flame is the latest to be identified in a series of related cyberweapons targeting Iran since June 2010, when the existence of Stuxnet was disclosed – including Duqu, an espionage program first detected last year, and Flame and Gauss this summer.

Vitaly Kamluk, chief malware expert at Kaspersky Lab, said that it had considered three possible sources of such programs.

"It is not the sort of cyberweapon you see developed by criminals looking to access bank accounts nor is it the sort of weapon used by activists to make a political point. Those often use very available tools to write the programs."

Last week's report said the data stolen by Flame was encrypted "in such a way that only the attackers can read it through strong public key cryptography. These features are not normally found in malware created by everyday cybercriminals, reaffirming our initial conclusions that Flame is a nation-state sponsored attack."

Kamluk added: "Flame was massive and complex and we have identified the nicknames of at least four individuals involved in developing it."

He said considerable effort had been put into disguising the program, not least in how it had been designed to attack a small and specific set of targets rather than spread rapidly across the internet.

"The discovery of Stuxnet, Duqu, Gauss and Flame is changing our entire view of cyberwarfare."

Nor does it seem likely that – even with the new discoveries – the cyberwar plan has been slowed. There is evidence that some aspects of the latest cyberweapons have yet to be launched, recalling the claim to the Washington Post this summer by its anonymous former intelligence source.

"This is about preparing the battlefield for another type of covert action," the source said then. "Cyber-collection against the Iranian programme is way further down the road than this."