Former military officer says every Middle Eastern country now has Stuxnet-like malware
Pete Warren guardian.co.uk, Thursday 30 August 2012 06.54 EDT
At least four government-sponsored programmes to deploy cyber-espionage software like the Flame, Duqu and Stuxnet software – the latter used against computers in Iran – are in progress around the world, according to sources in the intelligence and computer communities.
Computer security experts say privately that the number of projects deployed is actually much higher, and that the systems have been under development since at least 1996, when the internet had barely begun its transition from a US government and academic network to an international and public one.
“There are a lot of countries that now have these systems. Every Middle Eastern country and all the states now known as the ‘Stans’ [Pakistan and the former satellite states of the Soviet Union] have them”, said another expert with close links to the UK intelligence agencies and who is actively engaged in combating the software.
A former military officer based in London, he declined to be named on security grounds. “Every nation now has an armoury; whether well-stocked or not depends on their resources,” he said. “They have a suite of weapons and another for intelligence gathering. Most of them are big players and their suites of tools all have different functions. Some are crude and blunt, some are very stealthy. Some have the ability to attack and they are built for that purpose,” the expert said.
In the past year the discovery of the Stuxnet virus – and subsequently of the Flame, Duqu and most recently Gauss malware – has brought the issue of state-sponsored cyberwarfare into sharp focus. Stuxnet was written jointly by the US and Israel and tested in Israel, according to authoritative reports, and performed the equivalent of a precision cyber attack to disrupt Iran’s uranium refining systems – an attack which would have been impossible by conventional means.
Suspicions that intelligence agencies have been developing such a capability for a long time were confirmed by a computer expert who has worked with a western intelligence agency.
“Work was done in 1996 on pixel call-back software,” he said. “It was used to infect websites and then track where people were coming from and then infect their machines and pass information back about them.” The software worked by including a single pixel which linked to a web address controlled by the agency in an otherwise innocuous web page. If access by a target computer was detected, the agency could send malware to infect the machine.
“It was the basis of the work that we are seeing now,” said the expert, adding that the mechanisms developed then found their way into the advertising industry — where “web bugs” became infamous as means of tracking users.
“They were a sort of cookie before people had even thought of them,” said the man, who worked to develop the bugging programs to combat online criminals and potential terrorists. He says many of the programs now used by the advertising industry can be reverse-engineered to serve a similar function.
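The pixel call-back described above is the same mechanism as the advertising "web bug": a tiny or invisible image whose request reveals the visitor to a third-party host. As an added illustration from the defender's side (this is not code from the article or from any of the programmes it describes), the following script flags tiny or hidden `<img>` elements that load from a host other than the page's own; the sample HTML and host names are constructed.

```python
# Added example (not from the article): a defender-side scanner that flags
# candidate "web bug" / pixel call-back images in an HTML page: tiny or
# hidden <img> elements whose src points at a host other than the page's own.
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

TINY = {"0", "1"}  # width/height values typical of a tracking pixel


class PixelScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        abs_src = urljoin(self.page_url, src)          # resolve relative / protocol-relative src
        host = urlparse(abs_src).hostname
        tiny = (a.get("width") or "").strip() in TINY or (a.get("height") or "").strip() in TINY
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        external = host is not None and host != self.page_host
        if external and (tiny or hidden):
            self.findings.append({"src": abs_src, "host": host,
                                  "tiny": tiny, "hidden": hidden})


def find_web_bugs(html, page_url):
    """Return a list of suspicious external pixel/hidden images found in html."""
    scanner = PixelScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one normal same-origin image, one classic 1x1
# call-back to a third-party host, and one hidden external image.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="200" height="60">
<img src="https://collector.example.net/p.gif?id=42" width="1" height="1">
<img src="//tracker.example.org/b.png" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_HTML, "https://news.example.com/story"):
        print(finding)
```

The same check can be run over a saved copy of any page or e-mail body; same-origin pixels are deliberately ignored because they reveal nothing to a third party.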
The discovery of the Flame virus caused a furore among the technology community when it was found that the 20-megabyte program – unusually large for a virus – had been specifically designed as a highly targeted industrial espionage tool.
Flame, which was first found by Kaspersky Labs, was specifically targeted at the Middle East and had been deliberately built to work for a limited amount of time in a specific geographical area. The virus works by turning over control of a computer to the system controlling it, and becomes both a remote listening device and an information forwarding mechanism.
The Kaspersky researchers say that the Flame virus shared similar components and telltale programming with the Stuxnet virus, which the Iranian government has blamed for the damage caused to its nuclear enrichment facility at Natanz. That caused the facility’s centrifuges to behave erratically and effectively sabotaged the Iranian nuclear programme, according to some experts, for between five and 10 years.
Computer security companies working on both viruses have suggested that Flame was possibly an earlier system designed to collect data for the Stuxnet attack.
Using parts of the same software for both made sense as Flame would have already penetrated part of the target to obtain the information needed, and so the payload could be guaranteed a way through.
In the beginning of July, Indian officials announced that the headquarters of the Indian naval command had been penetrated by Chinese hackers who had used infected USB keys to smuggle an espionage virus onto its computers. This had occurred at the same time as the Indian Navy’s first nuclear submarine, INS Arihant, was undergoing trials at the facility.
The Stuxnet virus also deployed infected USB keys as part of the method used to penetrate the Natanz facility, and many similarities have been drawn between the attack on the Indian naval headquarters and Stuxnet.
“I am not surprised that we are seeing this,” says Professor Andrew Blyth, head of the University of Glamorgan’s Information Security Research Group, one of the GCHQ-accredited centres of excellence.
“It takes around £1m to develop a good piece of malware like this. We don’t talk about that because it’s so highly classified. I am surprised why, post-Stuxnet, people seem to be so shocked. We are in an information age and that has disrupted our world. There’s an irony that it’s taken 60 years for Iran to try to develop a [nuclear] bomb, and two years for so many people to develop a cyber weapon.”
One reason, according to a former police officer now working in the computer forensics industry, is that the new espionage tools are being developed relatively easily out of innocent components. Like the anonymous expert, he says internet advertising components have provided convenient covers for espionage tools.
“We have seen three programs that are like the Transformers film franchise. They look to all intents and purposes like a genuine computer program but will develop other functions the moment that they get to where they are meant to be.
“We have also seen another program which is a TCP/IP worm that breaks into a number of different pieces like the melting alloy robot in Terminator. It attaches itself to TCP/IP packets so that it can get through the security systems and then reassembles itself on the other side.”
But according to Commodore Patrick Tyrrell, who wrote the first paper warning the UK Government of the threat of an information war in 1996, the rapid development of cyber weaponry was an inevitability.
“There is now the ability for a lot of countries to do this. Once the genie was out of the bottle with Stuxnet then it was always going to be a case of we must have our own variant or we will get left behind.
“I think what people are missing is military theory. Sun Tzu, the ancient Chinese military general, said that ‘to subdue the enemy without fighting is the essence of skill’, and [Carl von] Clausewitz said ‘war is the continuation of policy by other means’, and cyberspace is perfect for those ideas. It allows you to do something better with another tool,” said Tyrrell, adding that the new developments meant that these weapons offer the opportunity for a different conflict over information assets.
That point is underlined by Graham Wright, a former RAF Jaguar pilot, who until recently worked as the deputy head of cyber at the Cabinet Office. “I think that people are badly obscuring this debate by using the word ‘war’,” he comments. “There is a difference between warfare and war and I think people need to subject this to the test of does it look and feel like war? The only time you are at war is when you can see the intent of the individual.
“I think that we may be getting closer to the boundaries and the development of capability is something that we need to counter, but talking of war is exaggerated.”
It’s a distinction many agree with, pointing to the Cabinet Office-sponsored report into intellectual property theft which claimed the UK is losing £27bn a year to foreign powers – a figure some observers say errs on the low side.
“A new industry has been generated in information theft that was not there a year ago. These are not tanks, they are scouting systems and they are collecting information,” said Mark Raeburn, CEO of Context, a company specialising in protecting against cyber espionage. “It all depends on what use you put that information to.”
• Pete Warren is chairman and founder of the Cyber Research Security Institute