The clear hero of this past week is, without a doubt, the Flame computer virus — a cyber-espionage tool that hit the Middle East and disappeared, leaving behind only a few fingerprints and a lot of anxiety and mystery. It also drew quite a bit of admiration from computer experts, who were quick to crown it the world's most sophisticated espionage virus to date.
These various superlatives were echoed by anyone who deals with software, both in Israel and around the world. Everyone was "shocked" or "helpless" or "slack-jawed" in the face of this virus that seemingly defied logic: Compared to other viruses, this was an enormous program — 20 megabytes — that despite its size and the many tasks it had performed went undetected.
Where did it come from? Where did it go? What data did it collect? These are only some of the questions that remain unanswered, even at the culmination of a week during which the Iranians fully admitted to sustaining a devastating hit that will have repercussions for years.
The immediate reaction in Iran, and elsewhere, was to blame Israel. After all, Israel — which is currently waging a war against Iran's nuclear ambitions and views Iran as a strategic, existential threat — would obviously want to spy on, collect data from, and sabotage anything that even smells like it was made in Iran. All it took was a (completely pointless) one-sentence remark made by Israel's Strategic Affairs Minister Moshe (Bogie) Ya'alon (who implied that Israel had the means to develop such a virus) for Tehran to conclude that Israel was responsible for the virus and that "Israel will pay."
Twenty-four hours later, unnamed sources from within the American administration leaked to U.S. media that such a project was several sizes too big to be Israel's doing, and that only the U.S. could be behind it.
Without making declarations one way or the other on this debate (which resembles the discussion from two years ago, when the Stuxnet virus attacked and shut down the centrifuges at Iran's Natanz nuclear facility), it is safe to assume one thing: Only a country with advanced cyber capabilities could have orchestrated such a project. That leaves us, ostensibly, with four obvious suspects — the world leaders in the field: China, Russia, the U.S. and Israel. If we rule out China, which would likely spy on Washington or Jerusalem before Tehran, and Russia, which maintains commerce with Iran (selling them anti-virus defense systems, among other things), we are left with only the U.S. and Israel.
From here, all we can do is speculate, though there are certainly partners in crime who know the truth. But it doesn't really matter: Considering the close cooperation between Israel and the U.S. on all strategic matters (like, say, nuclear programs), it can be safely assumed that whatever data is collected by one will be reported to the other, and vice versa.
The methods the virus employed to collect data, though they are of lesser significance, are undoubtedly sexy. If the electronic date stamps collected from the virus upon its discovery are to be believed, this cyberweapon has been active since 2007. That means that five years ago, someone (or, more likely, a team of more than 100 people) developed a secret program that is capable of traveling long distances, attaching itself to specific targets, making itself at home and using its target (or another computer in the target's vicinity) to carry out or mediate any desired action: video or audio documentation of events; monitoring of actions or commands; and copying documents from the computer disk or in the computer's vicinity. All this data was diligently collected by some anonymous spy and faithfully relayed to remote handlers.
The virus was apparently inserted manually by means of a USB flash drive. It was then able to circulate and operate selectively, infecting only computers that it was interested in while skipping others. That is one of the reasons it took so long to detect — anti-virus programs usually work from a list of markers, identifying suspicious behavior from any computer program that might indicate infection. The first suspicious marker is the prevalence of the "suspect" program, and the spread of this particular virus, as mentioned, was very limited. The fact that Flame, unlike its predecessor Stuxnet, did not possess a specific electronic signature also made it difficult to detect. But most mystifying was the fact that Flame operated within the realm of the intranet (the closed network within certain organizations that is not linked to the World Wide Web), which is still considered immune to the virus threats of the outside world.
Where they are today
It took the Russian company Kaspersky Lab, one of the world's leaders in information technology security, two years and dozens of experts to crack the Flame virus. The program defied all logic. It was different than any cyber-espionage software encountered before. Kaspersky Lab experts admitted that deciphering the Flame virus was the biggest challenge they had faced in recent years.
The fact that experts were impressed by the virus' estimated creation date was not insignificant: If the people who developed Flame were this advanced five years ago, there is no telling how incredibly advanced they are today. If they knew enough five years ago to write a program that took this long to partially crack and is considered the world's most sophisticated program, one can only imagine how many generations they are ahead of the curve, and what they are currently working on.
Incidentally, cyberexperts have also come up with conspiracy theories surrounding the date of creation: There are those who argue that whoever created such an advanced program could not possibly have "forgotten" to erase electronic date stamps. The theory is that they were intentionally left behind, either as a means of disinformation or as a deterrence, prompting the target to carry out actions based on a certain logic that would, in practice, trip up the target and make the virus appear elsewhere.
Either way, Iran took a hit — that is a fact — and has once again found itself at a disadvantage in this shadow war, which aims to disrupt Iran's conduct, especially in the nuclear realm, while granting its opponents the breathing room to undertake other courses of action. This in turn obviates a more overt offensive, with actual weapons, that could spark a response and an all-out regional war.
Unlike the Stuxnet virus, which sabotaged the enrichment of uranium in Natanz for an extended period of time, Flame did not attack. It only collected information. A lot of information. Like Stuxnet, it put Iran in a tailspin and raised concerns: What delicate or incriminating information has been exposed? Where is the leak? What other vulnerabilities are there?
These days Iran is busy manipulating the West and maneuvering between nuclear talks with the P5+1 and the U.N. International Atomic Energy Agency. A so-called smoking gun — new and incriminating evidence that can be put on the table — bears critical significance. It can further expose the Iranian lie and force the world to take a much tougher stance in the face of the ayatollahs.
The spy exposed
Will the world take a tougher stance? We should hope so. But currently the signs seem to indicate otherwise. The Americans are busy with their elections, the Euro (the bloc and the currency) is collapsing and China and Russia are still staying out of the game. This obligates those who are committed — did someone say Israel? — to continue acting covertly, to strike and to collect, as part of a long-term multifaceted effort to curb Iran's nuclear ambitions.
In today's world, cyberwarfare is playing a central role — so much so that it is threatening the status of old-fashioned conventional warfare.
We were all shocked this week because, for the first time, on center stage, we saw a spy, fully exposed, demonstrating all that it can do. Like in science fiction movies, this spy was not human — it was a computer, and its weapon was a virus. But the science isn't so fictional anymore. It is far more realistic than it may appear. We can only hope that, like in the movies, this spy will be able to vanquish, or at least delay, the bad guys. The Flame virus has bequeathed this mission to its successors.