Security experts said on Monday a highly sophisticated computer virus is infecting computers in Iran and other Middle East countries and may have been deployed at least five years ago to engage in state-sponsored cyberespionage.
Evidence suggest that the virus, dubbed Flame, may have been built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010, according to Kaspersky Lab, the Russian cybersecurity software maker that took credit for discovering the infections.
Kaspersky researchers said they have yet to determine whether Flame had a specific mission like Stuxnet, and declined to say who they think built it.
Iran has accused the US and Israel of deploying Stuxnet.
Cybersecurity experts said the discovery publicly demonstrates what experts privy to classified information have long known: That nations have been using pieces of malicious computer code as weapons to promote their security interests for several years.
“This is one of many, many campaigns that happen all the time and never make it into the public domain,” said Alexander Klimburg, a security expert at the Austrian Institute for International Affairs.
A cybersecurity agency in Iran said on its English Web site that Flame bore a “close relation” to Stuxnet, the notorious computer worm that attacked that country’s nuclear program in 2010 and is the first publicly known example of a cyberweapon.
Iran’s National Computer Emergency Response Team also said Flame might be linked to recent cyberattacks that officials in Tehran have said were responsible for massive data losses on some Iranian computer systems.
Kaspersky Lab said it discovered Flame after a UN telecommunications agency asked it to analyze data on malicious software across the Middle East in search of the data-wiping virus reported by Iran.
Experts at Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security who have spent weeks studying Flame said they have yet to find any evidence that it can attack infrastructure, delete data or inflict other physical damage.
Yet they said they are in the early stages of their investigations and that they may discover other purposes beyond data theft. It took researchers months to determine the key mysteries behind Stuxnet, including the purpose of modules used to attack a uranium enrichment facility at Natanz, Iran.
If Kaspersky’s findings are validated, Flame could go down in history as the third major cyberweapon uncovered after Stuxnet and its data-stealing cousin Duqu, named after the Star Wars villain.
Officials with Symantec Corp and Intel Corp McAfee security division, the top two makers of anti-virus software, said they were studying Flame.
Symantec Security Response manager Vikram Thakur said that his company’s experts believed there was a “high” probability that Flame was among the most complex pieces of malicious software ever discovered.
However, privately held Webroot said its automatic virus-scanning engines detected Flame in December 2007, but that it did not pay much attention because the code was not particularly menacing.
The virus contains about 20 times as much code as Stuxnet, which caused centrifuges to fail at the Iranian enrichment facility it attacked. It has about 100 times as much code as a typical virus designed to steal financial data, Kaspersky Lab senior researcher Roel Schouwenberg said.