Whenever a high-ranking Iranian politician has sent or received an email in the past two years, a computer virus nicknamed Flame has most likely copied that email and secretly shipped it to an outside computer network.
When a user of an infected Iranian computer typed a password, Flame stole it. When the user opened a sensitive document or instant-messaged a friend or video-chatted with a colleague, Flame nabbed that, too.
Flame, which reportedly has infected hundreds of computers across Iran and the Middle East, is probably the most sophisticated computer virus ever detected, say the experts who discovered it this week.
Flame's sheer size and the information it seeks — it's taking data, not money — probably make it the handiwork of a government or group of governments, say the experts at Kaspersky, the respected Russian lab that identified the virus.
And Flame may well be the latest weapon in a series of cyberskirmishes that have exploded in size and sophistication in recent years, say local and national computer security experts interviewed by The World-Herald.
In this largely hidden fight, the Chinese and Russian governments are believed to have used computer worms and viruses to steal American government secrets, as well as staggering amounts of proprietary information from U.S. companies.
And the United States and Israel are suspected of collaborating on an earlier computer worm known as Stuxnet, which famously crippled the Iranian nuclear program in 2010.
Flame, by contrast, appears to be spying, not seeking to destroy Iranian computer systems.
“It actually looks a lot like traditional espionage, but how it gets done has changed,” said Robin Gandhi, a University of Nebraska at Omaha computer security expert and professor affiliated with the Peter Kiewit Institute. “This isn't your typical virus. ... The whole point of (Flame) is to be sneaky and stealthy and gather data as you go about your business, never noticing.”
The Iranian government has noticed.
Iranian leaders confirmed that Flame had infected computers inside the country — including those of high-ranking officials and those affiliated with the Iranian oil industry — after the Kaspersky lab first posted evidence of the virus Tuesday. It's unclear how long Flame has been stealing information from selected targets in Iran and the Middle East; Kaspersky experts think it's been active at least two years, while other experts say that's a conservative estimate.
Iran also wasted little time assigning blame — Iranian leaders blasted Israel for being behind the cyberattack. Israeli officials haven't directly confirmed or denied the allegation.
“Anyone who sees the Iranian threat as a significant threat ... it's reasonable that he will take various steps, including these, to harm it,” Moshe Yaalon, Israel's vice prime minister, said on Israeli government radio.
Computer experts caution that it's far too soon to attribute the cyberattack to any one group or country. It took nearly a year, for example, before research and intelligence leaks pointed to Israel and the United States as the chief suspects in the Stuxnet attack.
In that 2010 attack, the Stuxnet worm burrowed into the computers that control Iran's nuclear centrifuges and made them spin wildly. Experts think that nearly a fifth of the centrifuges spun themselves to pieces, destruction that probably slowed Iran's effort to enrich uranium and potentially build a bomb.
Experts say the Flame worm is fascinating, but for different reasons.
A lot of what Flame does has been done before — malware is readily available that steals emails, takes screen captures and even activates a computer's microphone so it can record audio, said Dr. Herbert Lin, the chief scientist on the Computer Science and Telecommunications Board of the National Academies.
But Flame is exponentially larger than other computer worms. It has the ability to change on the fly, making it harder for targets to defend their computer systems against the ever-morphing virus. And it evidently managed to run undetected for at least two years, an eternity in the computer security world.
“The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date,” Kaspersky said in a release announcing the existence of Flame.
What also surprises computer experts is that the public would be at all shocked by Flame's existence.
After all, the computer security company McAfee has estimated that the United States loses $1 trillion annually in intellectual property and other proprietary information taken by either foreign spies or unaffiliated hackers.
Tech stalwarts such as Google and giant defense contractors such as Lockheed Martin and Booz Allen Hamilton have lost staggering amounts of data to hackers, said Gen. Keith Alexander, head of the National Security Agency, in a speech in Omaha last year.
And U.S. military leaders, including those at the Cyber Command overseen by Bellevue-based U.S. Strategic Command, have publicly expressed a desire to improve the military's cyberattack capability.
“We can't just defend,” Alexander said bluntly in his Omaha speech last year, delivered as part of a cybersymposium organized by StratCom.
The U.S. government is backing up this talk with money, funneling millions more into government programs and university research focused on cyberoffense. Foreign governments are doing likewise.
“It would be entirely surprising to me if other governments didn't have their cyberhooks into the United States, trying to understand everything they could about our inner workings,” said Lin, the chief computer scientist at the National Academies. “We've been issuing reports on the risk to the nation for 20 years. ... We've been saying this stuff forever.”