Iran Confirms Attack by New Data Virus

NYTimes.com — The computers of high-ranking Iranian officials appear to have been penetrated by a data mining virus called Flame, in what may be the most destructive cyber attack on Iran since the notorious Stuxnet virus, an Iranian cyber defense organization confirmed on Tuesday.

In a message posted on its Web site, Iran’s Computer Emergency Response Team Coordination Centre warned that the virus is potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for Iran’s nuclear enrichment program. In contrast to Stuxnet, the newly identified virus is designed not to do damage but to secretly collect information from a wide variety of sources.

Flame, which experts say could be as much as five years old, was discovered by Iranian cyber experts and described by Kaspersky Lab, a Russian producer of anti-virus software, which published a description on its Web site on Tuesday saying “the complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date.”

The virus bears special encryption hallmarks that an Iranian cyber defense official said bear strong similarities to previous Israeli malware. “Its encryption has a special pattern which you only see coming from Israel,” he said. “Unfortunately, they are very powerful in the field of I.T.”

While Israel never comments officially on such matters, its involvement was hinted at by a top official there. “Anyone who sees the Iranian threat as a significant threat — it’s reasonable that he will take various steps, including these, to harm it,” said the vice prime minister and strategic affairs minister, Moshe Yaalon, in a widely quoted interview with Army Radio on Tuesday. “Israel was blessed as being a country rich with high-tech, these tools that we take pride in open up all kinds of opportunities for us.”

The Iranian official, Kamran Napelian, said that Flame seems designed to mine data from personal computers and is distributed through USB sticks rather than the Internet, meaning that the USB has to be inserted manually into at least one computer in a network.

“This virus copies what you enter on your keyboard, it monitors what you see on your computer screen,” Mr. Napeliansaid in a telephone interview. That includes collecting passwords, recording sounds if the computer is connected to a microphone, scanning disks for specific files and monitoring Skype. .

“Those controlling the virus can direct it from a distance,” Mr. Napelian said. “Flame is no ordinary product. This was designed to monitor selected computers.”

Mr. Napelian said he was not authorized to disclose how much damage Flame had caused, but guessed the virus had been active for the past six months and was responsible for a “massive” data loss. Iran says it has developed anti-virus software to combat Flame, something that international anti-virus companies have yet to do, since they have just become aware of its existence.

“One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals,” Alexander Gostev, chief security expert at Kaspersky Lab said in a statement on the Russian company’s Web site.

In April, Iran disconnected its main oil terminals from the Internet, after a cyber attack began erasing information on hard disks in the Oil Ministry’s computers. Iranian cyber defense officials labeled that program Wiper.

Two years ago, the Stuxnet computer worm disabled an unknown number of centrifuges used for enriching uranium in Iran’s nuclear program. While initially silent on the Stuxnet sabotage, President Mahmoud Ahmadinejad eventually acknowledged that “enemies” had been successful in “making problems” by installing computer malware in industrial switches used to control the centrifuges, making them spin out of control at high speed.

No one ever claimed responsibility for Stuxnet, but Israeli officials openly expressed glee over the attack. The United States has denied any involvement.

The increasing number of cyber attacks on Iran, now numbering four, runs parallel to a series of mysterious explosions and assassinations of nuclear scientists ed incidents and underscores growing feelings among officials and normal Iranians that the country is increasingly targeted by covert operations, organized by the United States and Israel.

“I am no virus expert, and my computer seems to be working” said Sadollah Zarei, a columnist for the state Kayhan newspaper, “but I know this is covert warfare, aimed at weakening us.”

Others made a link between the virus and an upcoming third round of nuclear talks between world powers and Iran, scheduled for June 18 in Moscow.

“The Zionists want to destroy any possibility of a positive outcome of such talks,” said Mojtaba Bigdeli, a businessman and former hard line political activist, said using Iran’s ideological label of Israel. “We will see more of such attempts by them in the coming weeks.”