Archive for the ‘Middle East’ Category

Iran targeted by ‘Flame’ espionage virus

Source: The Telegraph

Iranian computer networks have been targeted by a cyber espionage virus many   times more complicated than any malicious software ever seen before,   security experts have said.

The virus, named Flame or Skywiper, could only have been created by a state,   according to analysts who have investigated it and the pattern of infection.

The results of our technical analysis support the hypotheses that Skywiper was   developed by a government agency of a nation state with significant budget   and effort, and it may be related to cyber warfare activities,” said Crysys   Lab, a unit that investigates computer viruses at Budapest University.

The discover of the Flame/Skywiper, which may have been in circulation for   more than five years, offers further confirmation of the secret battle being   waged by intelligence agencies online.

Although its purpose is to steal information rather than cause physical   damage, Flame/Skywiper is said to be a much more complicated piece of   malicious software than Stuxnet, the groundbreaking virus designed to   cripple Iranian uranium enrichment.

“Information gathering from a large network of infected computers was   never crafted as carefully,” Crysys Lab said.

“It covers all major possibilities to gather intelligence, including   keyboard, screen, microphone, storage devices, network, WiFi, Bluetooth, USB   and system processes.”

In their preliminary   technical report, the investiagtors describe unprecedented layers of   software, designed to allow Flame/Skywiper to penetrate computer networks   undetected. The 20MB file, which infects Microsoft Windows computers, has   five encryption algorithms, exotic data storage formats and the ability to   steal documents, spy on computer users and more.

Various components of Flame/Skywiper enable those behind it, who use a network   of rapidly-shifting “command and control” servers to direct the virus, to   turn microphone into listening devices, siphon off documents and log   keystrokes.

Eugene Kaspersky, the founder of the Russian anti-virus firm Kaspersky Lab,   which has also analysed the virus, noted that “it took us 6 months to   analyze Stuxnet. [This] is 20 times more complicated”.

Iran’s Computer Emergency Response Team, Maher, today issued a statement   claiming Flame/Skywiper was “a close relation” of Stuxnet, which   has itself been linked to Duqu, another complicated information-stealing   virus is believed to be the work of state intelligence. Many experts suspect   Stuxnet was created by the United States and Israel.

Crysys Lab said the technical evidence for a link between Flame/Skywiper and   Stuxnet or Duqu was inconclusive, however. While they shared many common   components, the newly-discovered virus bears little resemblance; for   instance Flame/Skywiper does not spread itself automatically but only when   hidden controllers allow it.

In its statement, published online, Maher said selected organisations had been   given software to detect and remove the newly-discovered virus at the   beginning of May.

As well as Iran, Flame/Skywiper infections have been detected in the West   Bank, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.


Stuxnet planted by Iranian double agent for Israel

By Kevin McCaney

An Iranian double agent working for Israel used a memory stick to plant the Stuxnet virus that disrupted Iran’s nuclear program, according to a published report quoting current and former U.S. intelligence officials.

Richard Sale, writing for ISSSource, said the agent, probably a member of an Iranian dissident group, used a corrupt memory stick.32 to implant the virus at the Natanz nuclear facility, according to the sources.

Iranian proxies, dissidents acting as double agents, also have been involved in assassinating Iran’s nuclear scientists, the sources reportedly told Sale.

Stuxnet, likely the first example of weaponized malware, was already known to have spread via memory sticks, or key drives. Introduced in late 2009, it spread quickly to systems around the world, although it was designed for only one purpose: to attack a specific version of a Siemens programmable logic controller (PLC) that was used in centrifuges for uranium enrichment at Iran’s nuclear facilities.

The worm, which used four zero-day exploits in its attacks, disrupted the rotational frequency of the centrifuges, and ultimately damaged Iran’s nuclear program, according to an International Atomic Energy Agency report.

Uranium enrichment at the Natanz plant was shut down for seven days in November 2010. Reuters reported in February that engineers had finally succeeded in scrubbing Stuxnet from their systems.

Because of its complexity and its specific target, Stuxnet has been thought to be the work of a nation-state, and the United States and Israel have often been mentioned as possibly being behind it. ISSSource — or Industrial Safety and Security Source, a site that reports on manufacturing security and safety issues — has reported that Stuxnet was part of a joint U.S.-Israeli effort aimed at Iran. (The sources who told Sale about the assassination of Iranian scientists said, however, that the United States was unaware of those operations.)

Stuxnet’s success in disrupting nuclear processing in Iran has raised fears about what similarly designed malware could do if it attacked facilities in the United States and elsewhere.

In January, Kaspersky Labs said its researchers determined that Stuxnet and Duqu, a close variant that has been found gathering information on industrial systems in Europe, are likely part of a much larger family of malware, and that future Stuxnet-style attacks are likely.

That type of malware could be used to attack power grids, water processing plants and other critical infrastructure facilities. The Homeland Security Department in November confirmed earlier research showing that prisons, which use PLCs to control doors, video systems, alarms and intercoms, are vulnerable to a Stuxnet-like worm.

The fact that much of the infrastructure in the United States in privately owned, rather than government-owned as in Iran, also could complicate the response to such attacks.

Official Syrian sites hacked

Several government websites hacked by Anonymous, as crackdown on protests in Homs and elsewhere continues.

The official websites of seven major Syrian cities and several government departments have been hacked, as the country’s government continues an extensive crackdown on anti-government protesters in the province of Homs and elsewhere.

A London-based rights group reported the deaths of four people in the crackdown on Sunday. The websites for the cities of Homs, Aleppo, Latakia, Damascus, Tartous, Deir Ezzor and Palmyra were hacked by members of the Anonymous Operation Syria group on Sunday, with the home pages replaced by an interactive map of Syria showing data on those killed in the government’s crackdown.

The map showed the names, ages and dates of death of those killed since the uprising began in March, putting the death toll at 2,316.

The websites have since been reset by their administrators, with each now only displaying a generic page.

Several other websites, including those of the ministry of transportation and the department of antiquities and museums, were also hacked. The hacked versions of the webpages included a link to a site advising activists within Syria on how to maintain anonymity on the internet in order to evade government tracking.

Homs crackdown

Meanwhile, the Syrian government’s crackdown on the province of Homs continued on Sunday, with a major deployment of troops there. Security forces were also deployed to the Douma suburb of Damascus, activists said. Syrian tanks hit a strategic highway in the al-Rastan area in the early hours of Monday morning, apparently attempting to dislodge army defectors who had taken refuge there, activists and residents said.

Activists reported hearing heavy explosions.

The army defectors have been supporting the pro-democracy protesters in al-Rastan, which is located about 20km north of the city of Homs, along the main highway leading to Turkey.

Activists also said that military reinforcements had been sent to Quseir, a town on the border with Lebanon.

The Syrian army had been strengthening its presence in Quseir on Saturday after civilians had attempted to flee violence in the country.

The initial deployments came a day after activists reported that security forces had killed 12 civilians in the town, and one more in Hama.

The Syrian Observatory for Human Rights, a London-based organisation, said that 12 people had been killed in Quseir during raids by government security forces earlier.

The observatory said that security forces had opened fire on protesters in neighbourhoods of Homs, but did not provide any further details or information on possible casualties.

On Sunday, the observatory reported the deaths of four more people, including that of Hassan Eid, the head of the surgery department at the state-run hospital in Homs. Syrian state television said that Eid had been killed by “armed terrorist gangs”.

Three inhabitants of the area were injured when troops loyal to Bashar al-Assad, the Syrian president, used heavy machine guns mounted on tanks to fire upon the town, after having surrounded it earlier in the night.

The observatory also reported that 10 students had been arrrested by security forces in Dael, a city in Deraa province, on Sunday.

The office of the United Nations High Commissioner for Human Rights in Geneva has put the number of people killed in the crackdown at more than 2,700 since March 15.

The Syrian authorities say 700 police and army personnel have been killed by “terrorists” and “mutineers”.

Damascus deployment

Also on Sunday, additional security forces were deployed to the Damascus suburb of Douma, which has seen several protests against Assad’s rule, activists said.

Syria has been gripped by almost daily anti-government protests since March 15. While the demonstrations initially called for democratic reform, the protesters’ stance has hardened in the face of a crackdown.

Damascus says that the protesters are not indicative of popular sentiment, and has blamed “armed gangs” and “terrorists” for the violence.

Political pressure on Syria to stop its crackdown on protest was given new life on Saturday as new European Union sanctions went into effect, and Turkey said that it had intercepted an sea-bound arms shipment bound for Syria.








The Internet and Iran – ‘It Is Possible to Pull the Plug’

The regime of President Mahmoud Ahmadinejad has threatened to completely cut Iran off from the Internet. But activists in the country are well-versed in circumventing official censorship. In a conversation with SPIEGEL, Internet expert Philip Howard explains how they do it and says that complete digital isolation is virtually impossible.

SPIEGEL: Iran has announced its intention to completely cut itself off from the Internet. Is such a thing realistic?

Howard:The government in Tehran has already shown itself to be capable of such a thing. Following the controversial re-election of President Mahmoud Ahmadinejad in June 2009, the country was cut off for about 24 hours. But when a regime shuts down the Internet, it is usually also a last, desperate measure.

SPIEGEL: Even in 2009, the country wasn’t completely offline.

Howard: The Iranian government asked the three largest Internet service providers to shut down, but they didn’t bother with the smaller ones. What many states don’t understand is that digital networks are essentially networks. When you remove two or three important nodes, other nodes pick up the traffic. And there are always a few activists who are prepared and have their satellite phones ready. They set up connections to Internet service providers in Europe and they work out other ways of getting out a little bit of information.

SPIEGEL: Instead of using landlines, some Iranian bloggers have taken to using satellite dishes to access the Internet.

Howard: That, though, is relatively difficult from a technical point of view. It’s not easy to adapt the satellite dishes…

SPIEGEL: … which are increasingly being destroyed by special police units…

Howard: …and access the web via providers in Dubai or Cyprus. It is difficult to say if this route will remain open when the regime imposes its total boycott.

SPIEGEL: How else could a complete boycott be circumvented?

Howard: Universities often have their own distinct connections to one another. Major trading houses or major financial centers also sometimes have backup connections. They are electronic networks that may be distinct from what the regime shuts off.

SPIEGEL: There is no way for Tehran to go back to a time before the World Wide Web?

Howard: A complete partition is not possible. As long as there are a few lines open, activists will find a way to use them. The US is working on developing the ability to send digital packets that are invisible and are only interpretable for other machines that you set up on the network that know what to look for. It’s called a dark Web infrastructure and you can use it to take advantage of networks belonging to universities or companies that we don’t normally think of as being part of the Internet.

SPIEGEL: From a technical perspective, what would an attempt to cut a country off from the Internet look like?

Howard: You have to try to reconfigure things so that all of the Internet service providers go through one “Internet exchange point.” At the time of the unrest in Iran, there were a few Internet exchange points. Now, it looks as though the regime has found some of the smaller ones and shut them down and rerouted all of the traffic to one. Then it is possible to pull the plug on that one Internet exchange point.

SPIEGEL: Were Tehran to make such a move, the price would be high. The country would become even more isolated.

Howard: And the price wouldn’t just be political. Were Iran to disconnect its oil industries from global information flows, the impact on those industries’ ability to deliver what little they can sell would be enormous. When Hosni Mubarak shut off the Internet in Egypt during the protests there, the impact was disastrous. The five days offline cost the Egyptian economy an estimated €250 million.

SPIEGEL: President Ahmadinejad has indicated he wants to provide an alternative, a so-called intranet which will allow Iranians to communicate among themselves.

Howard: It is certainly possible. China has the best example of a national network that is relatively disconnected from the rest of the global information infrastructure. The Chinese have built software that basically mimics anything we develop in the West and embed surveillance algorithms deeply into them. But I’d be very surprised if the Iranians were able to launch all of this.

SPIEGEL: So all this talk about a gigantic intranet, it is just propaganda?

Howard: It is mostly a political threat. Their goal probably isn’t to totally disconnect. The idea is probably to slow down the Internet traffic so much that you can use a program to inspect each piece of information that comes and goes. It’s a very inefficient way of doing censorship, but it is the most effective.

SPIEGEL: Iran’s blogger scene is considered particularly adept at avoiding censorship.

Howard: There are not many Muslim countries which have a population as networked as that of Iran. Ten million Iranians are regular Internet users. Particularly the politically engaged youth know the web and know the tricks.

SPIEGEL: Tricks to get around having to use the government-controlled servers, you mean?

Howard: Proxy servers are one of the things that activists have put to work for themselves. So when the state tries to shut down the Internet or when you learn that an authoritarian regime is watching particular sites or trying to disable YouTube or Twitter, proxy servers are very helpful as ways of getting around those. They open doors where other doors have been shut. I’ve also heard that gaming consoles such as PlayStation or Xboxes can be turned into devices for sending out information without having to go through Internet exchange points.

SPIEGEL: But the regime too has a fair amount of know-how.

Howard: We know that the Iranians possess high-grade censorship programs. Some of the systems come from companies such as Nokia-Siemens. And the best commercial grade censorship software comes out of Silicon Valley. The same software that we might use to prevent our children from looking at porn on the Internet is basically the same software that is sold to regimes, but instead of entering pornography-related terms, you put in terms like student union, protest or democratization.

SPIEGEL: The US government has approved around $70 million to set up so-called shadow networks to help dissidents communicate independent of the official Internet.

Howard: I don’t think you can read this to say that the US is interested in supporting dissidents around the world. I think you can read it to suggest that the US likes to be able to control the software and maybe turn it off when necessary.

SPIEGEL: Still, even if the Iranians are Internet savvy, it didn’t seem to help them much. The Green Revolution was brutally put down.

Howard:But the mullahs are split in a way that they never have been before. And the world saw that Persians took to the streets and were willing to face tear gas and rubber bullets, just like in Egypt and Tunisia. The Internet was useful by enabling journalists to publish stories overseas that they couldn’t publish at home. We are seeing the same thing in Libya, Syria and Yemen, although I don’t think the Internet has the same logistical function in those countries as it did in Tunisia and Egypt.

SPIEGEL: And Iran, it would seem, had its chance but wasn’t quite able to pull it off.

Howard: I don’t think of it as a failed revolution. I think of it as the one that almost happened. The democratization efforts didn’t prevail, but the system of political communication in that country has so significantly changed that the next time they rig an election, it will be very difficult to pull off peacefully.

Interview conducted by Dieter Bednarz and Hilmar Schmundt

Mossad’s Miracle Weapon: Stuxnet Virus Opens New Era of Cyber War

By Holger Stark

The complex on a hill near an interchange on the highway from Tel Aviv to Haifa is known in Israel simply as “The Hill.” The site, as big as several soccer fields, is sealed off from the outside world with high walls and barbed wire — a modern fortress that symbolizes Israel’s fight for survival in the Middle East. As the headquarters of Israel’s foreign intelligence agency, the Mossad, this fortress is strictly off-limits to politicians and journalists alike. Ordinarily, it is the Mossad that makes house calls, and not the other way around.


The agency’s strict no-visitors policy was temporarily relaxed on a Thursday in early January, when a minibus with darkened windows pulled into a parking lot in front of a nearby movie theater. The journalists inside were asked to hand over their mobile phones and audio recorders. Meïr Dagan, the powerful head of the Mossad, had invited them to the facility. It was his last day in a position he had held for seven years. On that January day, the journalists were there to document his legacy: the Mossad’s fightagainst the Iranian nuclear program.

He spoke passionately about the risks of a possible military strike against Iran, saying that he believed that such an attack would lead to a conflagration in the region that would include a war with Hezbollah and Hamas, and possibly with Syria. And anyone who believed that a military strike could stop Tehran’s nuclear program was wrong, said Dagan. It could slow down the program, he added, but only temporarily. For this reason, the outgoing Mossad chief was against bombs — but in favor of anything that could set back the Iranian nuclear program without starting a conventional war.

Delay was the new magic word. And to that end, the Mossad head had created a miracle weapon that everyone in the room on that January day knew about, but which Dagan did not mention by name: Stuxnet.

Stuxnet, a computer virus that can infiltrate highly secure computers not connected to the Internet, a feat previously believed to be virtually impossible, entered the global political arena more than a year ago, in June 2010. The virus had attacked computers at Iran’s Natanz nuclear facility, where scientists are enriching uranium, and manipulated the centrifuges to make them self-destruct. The attack penetrated into the heart of the Iranian nuclear program.

Stuxnet is the world’s first cyber-weapon of geopolitical significance. Frank Rieger of the legendary German hacker organization Chaos Computer Club calls it “a digital bunker buster.” The virus represents a fundamentally new addition to the arsenal of modern warfare. It enables a military attack using a computer program tailored to a specific target.

One year later, there is not an Internet security firm or government of a major country that is not addressing Stuxnet and its consequences, as well as taking action as a result. To learn more about Stuxnet and understand what is behind the virus, SPIEGEL traveled to Israel — the country where the cyber-weapon was invented.

Following the Trail

The Israeli branch of the US computer security firm Symantec is housed in a nondescript modern complex in Tel Aviv, a 15-minute drive from Ben Gurion International Airport. Sam Angel, the head of Symantec Israel, meets visitors in the underground garage and takes them to the conference room on the fourth floor. At the beginning of his PowerPoint presentation, Angel says: “Stuxnet is the most sophisticated attack we have ever seen. This sort of an attack, on a mature, isolated industrial system is completely unusual.” He projects a map onto the wall, showing the countries where such an attack has taken place: Iran, Indonesia, Malaysia and Belarus, where a man named Sergey Ulasen discovered Stuxnet.

Ulasen, who works in the research and development department at the VirusBlokAda security firm in Minsk, received what seemed to be a relatively mundane email on June 17, 2010. An Iranian firm was complaining that its computers were behaving strangely, shutting themselves down and then rebooting. Ulasen and a colleague spent a week examining the machines. Then they found Stuxnet. VirusBlokAda notified other companies in the industry, including Symantec.


When the engineers at Symantec got to work, they came across two computers that had directed the attacks. One of the servers was in Malaysia and the other was in Denmark, and they were reachable through the addresses and They had been registered, under a false name and with a forged credit card, through one of the world’s largest Internet registration companies, a firm based in the US state of Arizona. Symantec rerouted the incoming and outgoing communication at the two servers to its computer center in Dublin, which enabled it to monitor the activity of the virus. Whoever had launched Stuxnet had gotten away, but at least Symantec could follow the trail they had left behind.

The rerouting of communication made it possible to obtain an overview of the countries in which the virus was active. According to that analysis, Stuxnet had infected about 100,000 computers worldwide, including more than 60,000 in Iran, more than 10,000 in Indonesia and more than 5,000 in India. The inventors programmed Stuxnet so that the virus, as a first step, tells the two command-and-control servers if the infected computer is running Step 7, an industrial software program developed by the German engineering company Siemens. Step 7 is used to run the centrifuges at Iran’s Natanz facility.

The plant near Natanz, located in the desert 250 kilometers (156 miles) south of Tehran, is protected with military-level security. The aluminum centrifuges, which are housed in bunkers, are 1.8 meters (5 foot 10 inches) tall and 10 centimeters (four inches) in diameter. Their purpose is to gradually increase the proportion of uranium-235, the fissile isotope of uranium. There is a rotor inside the centrifuges that rotates at a speed of 1,000 times per second. In the process, uranium hexafluoride gas is centrifuged, so that uranium-235 accumulates in the center. The process is controlled by a Siemens system that runs on the Microsoft Windows operating system.

U.S. wants Lockerbie bomber deal

AMERICA wants Libyan rebels to capture the Lockerbie bomber two years after he was freed – so he can face justice in the States, it was claimed yesterday.

The secret deal between President Barack Obama and Libyan rebel leaders would see Abdelbaset al-Megrahi, 59, detained by opposition troops and then handed to US Special Forces.

Americans and families of the plane bomber’s victims were outraged after the Scottish Government freed him on “compassionate grounds”. He seemingly only had three months to live with cancer.

That decision sparked worldwide fury. Now Mr Obama wants Megrahi to face trial in the US in exchange for continued US support of Libyan rebel forces.

A White House insider yesterday said: “If he’s found guilty here, he faces life in jail without parole.”

Megrahi bombed a Heathrow to New York flight above Lockerbie in 1988, killing 270.

He is said to be living in good conditions in Tripoli.

Meanwhile, Libya’s rebel leader Mustafa Abdel Jalil – Colonel Gaddafi’s ex justice minister – said the Mad Dog could retire peacefully on Libyan soil if he quits and agrees to international supervision.