Flame Virus Had Massive Impact on Iran, Says Israeli Security Firm

The massive, complex virus has been found to be infecting and stealing information from computers in Iran and Mideast countries.


The Flame computer virus not only stole large quantities of information from various Iranian government agencies, but apparently even disrupted its oil exports by shutting down oil terminals, information security firm Symantec Israel said yesterday.


Symantec, which, along with Russian Internet security firm Kaspersky Lab, was among the first to report about Flame, said there was evidence that it had erased information from computer hard disks in Iran, and that this is what caused the shutdown at the oil terminals.

Iran's national computer emergency team, known as Maher, admitted the information theft yesterday, though not the terminal shutdowns. Maher said that Flame had managed to evade detection by 43 different anti-virus programs, despite its enormous size - 20 megabytes. By comparison, the Stuxnet computer worm that attacked Iran's nuclear program two years ago was only about one megabyte.

Maher said it has now managed to develop tools for protection against Flame.

Maher, like Symantec and Kaspersky Lab, said that Flame was similar in sophistication to Stuxnet and the Duqu computer worm. Kaspersky said Flame uses a method of penetration previously used only by Stuxnet. The security experts also said the virus had other similarities to Stuxnet and Duqu. Iran has accused the United States and Israel of being behind both of those viruses.

Various information security firms said that Flame appears to have been in operation for at least two years. The Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics said it may have been active for as long as five to eight years.

Flame's capabilities include capturing screen shots and other information stored on computers. It can also eavesdrop on conversations via the infected computer's sound system.

In an interview with Army Radio yesterday morning, Vice Prime Minister Moshe Ya'alon said the effort to halt Iran's nuclear program justifies the use of all means, including sophisticated computer viruses. This statement was interpreted by many people in both Iran and other countries as an admission that Israel was behind Flame.

Yesterday afternoon, however, Ya'alon put out a statement on his Twitter account noting that Israel is far from the only country that both views Iran's nuclear program as a threat and has the capability to engage in cyber warfare.

Information security companies say they are convinced Flame was the work of a national government, inter alia because of its sophistication. Moreover, Kaspersky noted, most cyberattacks by ordinary criminals are aimed at either stealing money or, in the case of activist hackers, bringing down websites.

Shay Zalalichin, chief technology officer of the information security firm Comsec Consulting, told Haaretz that most viruses are designed to be small, to help them evade notice. Thus Flame's size might indicate that its makers were careless. On the other hand, it seems to have been much better controlled than Stuxnet, which spread to many computers well beyond its targets. Flame, in contrast, spread to only about 1,000 targets, which helped it to evade detection.

CrySyS added that Flame's unusual size might even have been an advantage, because most anti-virus programs are not designed to look for a virus of that size. But now that Flame has been discovered, Zalalichin warned, the code is likely to be obtained by other countries that could never have developed anything so sophisticated on their own.
