Israel Blamed for Fueling Flame Cyber Weapon in Middle East May 29, 2012
Posted by Paolo Passeri in Information Security. Tags: Advanced Persistent Threat, APT, Army Radio, Cyberwarfare, Flame, Haaretz, Iran, Israel, Kaspersky Lab, Malware, Middle East, Stuxnet
The day after its discovery, there are few doubts that the infamous malware dubbed Flame (or sKyWIper) was developed by a government with significant budget and effort. The complexity of the malware suggests that it has been used for a huge cyber-espionage campaign and, predictably, Israel is listed as the main culprit, although in good company if it is true, as some bloggers argue, that the malware was a close coproduction of the CIA and Mossad.
Israeli Vice Premier Moshe Ya’alon has contributed to fueling the Flame: speaking in an interview with Army Radio, Ya’alon hinted that Jerusalem could be behind the cyber attack, saying “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” In light of this statement, it does not seem a simple coincidence that the main victims of the cyber weapon, as reported by Kaspersky Lab, are nations that can hardly be considered on good neighborly terms with Israel.
Consequently it is not that surprising that the same interview was readily reported by the Iranian news agency Fars (which interpreted it as a sign of responsibility and hence blamed Israel for waging cyber war in Iran), nor is the tone of several comments to an article posted on the Haaretz newspaper’s Web site (“Nice One Israel, Proud of You!!!!”).
Of course it is too soon to jump to conclusions; in any case, whether Israel (and the U.S.) is behind Flame or not, I could not help but wonder how it is possible that a piece of malware has been able to go undetected for at least 5 years. Are endpoint protection technologies really dead, leaving us at the mercy of a (cyber)world ruled by APTs?
If you want to have an idea of how fragile our data is in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow the author of this article @paulsparrows on Twitter for the latest updates.
“Flame” malware infiltrating Middle East computers: the most complex Cyber Weapon, ever! May 28, 2012
Posted by Paolo Passeri in Information Security. Tags: Cyberwarfare, Flame, Iran, Kaspersky, Kaspersky Lab, Stuxnet
Irony of fate: not even a day after the publication of a provocative article on the role of Cyber Warfare in maintaining peace, a new cyber threat appears, one destined to leave an indelible mark on the cyber weapons landscape.
Today is one of those days that the Infosec Community will remember for a long time. It looks like the mystery of the malware that targeted the Iranian oil business a month ago has been solved, and it is not the kind of conclusion we would have hoped for and expected.
Almost simultaneously, Kaspersky Lab, CrySyS Lab and the Iranian Computer Emergency Response Team Coordination Center have released details of what has been described as (arguably) the most complex malware ever found.
The malware, which has been dubbed Flame (Kaspersky), sKyWIper (CrySyS Lab) or Flamer (CERTCC), has some unprecedented features that make it one of the most complex threats ever discovered:
- The malware is a sophisticated attack toolkit: it is a backdoor, a Trojan, and has worm-like features (three in one). According to Kaspersky, its development took a couple of years and it will probably take years to fully understand the 20 MB of Flame code.
- According to CrySyS Lab, Flame has been in the wild since 2007, having been seen in the following geographical regions: Europe on Dec 5 2007, the United Arab Emirates on Apr 28 2008 and the Islamic Republic of Iran on Mar 1 2010;
- Flame is controlled via an SSL channel by a C&C infrastructure spread all around the world, ranging from 50 (Kaspersky) to 80 (CrySyS) different domains;
- Flame has many capabilities, including sniffing network traffic, taking screenshots, recording audio conversations and logging keystrokes. C&C operators may choose to upload up to about 20 modules, which can expand Flame’s functionality;
- The complete set of 20 modules is 20 MB in size when fully deployed (about 20 times larger than Stuxnet, which may be the reason why it wasn’t discovered for so long);
- Flame includes a piece of code (about 3,000 lines) written in Lua, an uncommon choice for malware;
- The top 7 affected countries are the Islamic Republic of Iran (189 samples), Israel/Palestine (98 samples), Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10) and Egypt (5).
- Flame appears to have two modules designed for infecting USB sticks: “Autorun Infector” (similar to Stuxnet) and “Euphoria” (spread on media using a “junction point” directory that contains malware modules and an LNK file that triggers the infection when this directory is opened);
- Flame may also replicate via local networks using the following:
- The printer vulnerability MS10-061 exploited by Stuxnet, using a special MOF file executed on the attacked system via WMI;
- Remote job tasks.
- When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.
- So far no 0-day vulnerabilities have been found, although the fact that some fully patched Windows 7 installations have been compromised might indicate the presence of high-risk 0-days.
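A defensive counterpart to the lateral-movement behaviour described in the list above (backdoor account created, then used to copy the malware to other machines), written as an added example that is not part of the original post or of any vendor analysis: a Python correlation over constructed Windows Security log events that flags an account which, shortly after being created, logs on over the network to several hosts and writes to their administrative shares. Event IDs 4720, 4624 and 5145 are the standard Windows Security log IDs; the hostnames, account names, IP addresses and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events: (timestamp, host, event_id, fields).
# 4720 = user account created, 4624 = logon (type 3 = network), 5145 = share object accessed.
SAMPLE_EVENTS = [
    ("2012-05-27T09:00:01", "DC01", 4720,
     {"target_user": "HelpAssistant2", "subject_user": "admin.jdoe"}),
    ("2012-05-27T09:00:40", "WS-014", 4624,
     {"user": "HelpAssistant2", "logon_type": 3, "src_ip": "10.0.0.5"}),
    ("2012-05-27T09:00:41", "WS-014", 5145,
     {"user": "HelpAssistant2", "share": "\\\\*\\ADMIN$", "access": "WriteData"}),
    ("2012-05-27T09:01:02", "WS-015", 4624,
     {"user": "HelpAssistant2", "logon_type": 3, "src_ip": "10.0.0.5"}),
    ("2012-05-27T09:01:03", "WS-015", 5145,
     {"user": "HelpAssistant2", "share": "\\\\*\\ADMIN$", "access": "WriteData"}),
    ("2012-05-27T09:01:30", "WS-016", 4624,
     {"user": "HelpAssistant2", "logon_type": 3, "src_ip": "10.0.0.5"}),
    ("2012-05-27T09:01:31", "WS-016", 5145,
     {"user": "HelpAssistant2", "share": "\\\\*\\ADMIN$", "access": "WriteData"}),
    # Benign: a new hire's account with one interactive logon and no admin-share activity.
    ("2012-05-27T10:30:00", "DC01", 4720,
     {"target_user": "jsmith", "subject_user": "admin.jdoe"}),
    ("2012-05-27T10:45:00", "WS-020", 4624,
     {"user": "jsmith", "logon_type": 2, "src_ip": "-"}),
]

ADMIN_SHARES = ("ADMIN$", "C$")


def detect_backdoor_account_spread(events, window=timedelta(minutes=30), min_hosts=2):
    """Flag accounts that, within `window` of being created, log on over the
    network to at least `min_hosts` hosts and write to an administrative share."""
    created = {}                     # account -> (created_at, creating account)
    net_hosts = defaultdict(set)     # account -> hosts reached with logon type 3
    share_writes = defaultdict(int)  # account -> number of ADMIN$/C$ writes
    for ts, host, event_id, f in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == 4720:
            created[f["target_user"]] = (when, f["subject_user"])
            continue
        user = f.get("user")
        if user not in created or when - created[user][0] > window:
            continue                 # not a freshly created account: ignore
        if event_id == 4624 and f.get("logon_type") == 3:
            net_hosts[user].add(host)
        elif event_id == 5145 and f.get("share", "").upper().endswith(ADMIN_SHARES):
            if "Write" in f.get("access", ""):
                share_writes[user] += 1
    alerts = []
    for user, (when, creator) in created.items():
        if len(net_hosts[user]) >= min_hosts and share_writes[user] > 0:
            alerts.append({
                "account": user,
                "created_by": creator,
                "created_at": when.isoformat(),
                "hosts": sorted(net_hosts[user]),
                "admin_share_writes": share_writes[user],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_backdoor_account_spread(SAMPLE_EVENTS):
        print(f"ALERT: account {a['account']} (created by {a['created_by']} at "
              f"{a['created_at']}) reached {len(a['hosts'])} hosts {a['hosts']} "
              f"and wrote to admin shares {a['admin_share_writes']} times")
```

The window and host threshold are the knobs to tune against a real environment, where provisioning scripts may legitimately create an account and touch several machines in quick succession.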
Without doubt a beautiful piece of malware, written with the precise intent of Cyber-Espionage. Besides the resounding features of the malware, I found it particularly interesting that it uses the same infection mechanism as Stuxnet, which makes me think of (another) possible double agent planting the first infection.
This (legitimate) suspicion is also reinforced by the disarming conclusions issued by CrySyS Lab:
The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.
[Originally posted on Hackmageddon.com: http://hackmageddon.com/2012/05/28/a-flame-on-the-cyberwarfare-horizon/]
Related articles
- Middle East Cyber War: Revenge Of The Drones (theaviationist.com)
Stealth Yanshuf: the Israeli top secret radar-evading chopper used to drop spies in Iran May 17, 2012
Posted by David Cenciotti in Stealth Black Hawk. Tags: 160th Special Operations Aviation Regiment (Airborne), Abbottabad, Death of Osama bin Laden, helicopter, Iran, Israel, Israeli Air Force, Osama bin Laden, Osama bin Laden death, Pakistan, Sikorsky UH-60 Black Hawk, Stealth Black Hawk, United States Navy SEALs
According to F. Michael Maloof, a former Pentagon senior policy analyst, the Israeli Air Force is equipped with the same Stealth Black Hawk helicopter used by the U.S. Navy SEALs to kill Osama Bin Laden last year.
Believed to be an exclusive U.S. “black project”, the radar-evading choppers (most probably quiet ones, rather than helicopters actually invisible to radar) would be used by the IAF to drop Iranian dissidents into Iran to gather intelligence on Tehran’s nuclear program, according to a report written by Maloof for G2 Bulletin, a global intelligence newsletter.
This is the first time someone has reported radar-evading choppers in the hands of Israel.
Even if it’s quite unlikely that Washington shared the secrets of its most advanced helicopter with Jerusalem, considering that the American Stealth Hawk is probably based on a 1978 study freely available on the Internet, we can’t rule out the possibility that the Israeli industry has found a way to modify the IAF Black Hawks (nicknamed “Yanshuf”, Hebrew for “Owl”) to make them stealthy.
Provided a Stealth Yanshuf really exists, this is what it would look like, in two updated versions of the renderings I conceived with AviationGraphic.com’s Ugo Crisponi: above, the famous highly modified version with retractable landing gear, MH-X (please remember this is not the actual designation), whose shape recalls that of an S-76; below, the more likely slightly modified Stealth Black Hawk (described here).
Related articles
- Here’s the (updated) shape of the badass Stealth Black Hawk chopper revealed one year ago by the Osama Bin Laden raid (theaviationist.com)
- Analysis: This could be the airfield in Azerbaijan used by the Israeli Air Force to attack Iran (theaviationist.com)
- “Operation Delawor”: when an entire U.S. Army airborne brigade, two F-100 squadrons deployed to Iran for an exercise (theaviationist.com)
“Operation Delawor”: when an entire U.S. Army airborne brigade, two F-100 squadrons deployed to Iran for an exercise May 14, 2012
Posted by David Cenciotti in Iran, Military History. Tags: 101st Airborne Division, F-100, Iran, Iranian Imperial Air Force, U.S. Army, US Air Force, USAF
“Operation Delawor” is an episode of The Big Picture, a series of films produced by the U.S. Army and aired on ABC-TV from 1951 to 1964. The television program featured exercises, battles, weaponry and famous soldiers’ biographies.
Filmed in April 1964, “Operation Delawor” (from a Persian word meaning “courageous”) recounts a 3-day exercise during which an entire U.S. Army airborne brigade was airlifted to Iran with all its heavy equipment to train with the local Imperial Armed Forces.
Along with 2,300 troops and 550 tons of materiel of the 101st Airborne Division from Ft. Campbell, Kentucky, two F-100 squadrons from Cannon AFB were also deployed to Iran, with the support of KC-135 tankers and C-130 cargo aircraft.
The exercise featured a combined air drop, an amphibious attack on Kharg Island also involving a U.S. dock landing ship, two destroyers and eight helicopters, and Close Air Support by the F-100s operating from Vahdati AFB with air cover provided by the Imperial Iranian Air Force F-86s.
Min. 23.00 has some interesting air-to-air footage and Forward Air Controller activity.
In 1964, the U.S. and Iranian military “learned how to work together as a combined joint team involved in a common enterprise”. About 50 years (and a captured stealth drone) later, they could be called to fight each other any time.
Related articles
- Iran claims it has decoded the U.S. stealthy RQ-170 Drone Intel but provides unsubstantiated evidence to prove it. (theaviationist.com)
- Exclusive: What nobody else will tell you about the U.S. F-22 stealth fighters deployed near Iran (theaviationist.com)
- Photo: U.S. F-22 Raptors landing at Moron airbase, Spain, on their way to the Persian Gulf. (theaviationist.com)
- Some interesting details about the F-15E Strike Eagle crashed in UAE (while en route to Afghanistan) (theaviationist.com)
Photo: U.S. F-22 Raptors landing at Moron airbase, Spain, on their way to the Persian Gulf. May 1, 2012
Posted by David Cenciotti in Military Aviation. Tags: Al Dhafra, Holloman Air Force Base, Iran, Joint Base Elmendorf-Richardson, Lockheed Martin, Lockheed Martin F-22 Raptor, Moron airbase, Synthetic Aperture Radar, United Arab Emirates, United States Air Force
The following pictures, taken by Antonio Muñiz, show the F-22 Raptors from Holloman landing at Moron airbase, in Spain, on Apr. 17, 2012.
As already explained with many exclusive details, the six 49FW F-22As were on the first leg of their scheduled deployment to the Gulf. The stealth fighters departed again for their final destination, Al Dhafra, in the UAE, on Apr. 20.
Even if the aircraft have not received the Block 3.1 upgrade (which makes the F-22 capable of performing air-to-ground missions), the deployment of the most advanced U.S. fighter in the region is believed to be a clear message to Iran amid concerns over Tehran’s nuclear ambitions and territorial disputes between the ayatollah regime and the United Arab Emirates over three islands in the Gulf.
Meanwhile, in the last few hours, media outlets have been reporting that some American F-22 Raptor pilots have asked to be reassigned to other types of aircraft because of the oxygen-deprivation problems with the fifth generation stealth fighter.
Image credit: Antonio Muñiz Zaragüeta
Related articles
- Exclusive: What nobody else will tell you about the U.S. F-22 stealth fighters deployed near Iran (theaviationist.com)
- Air Force leader: Some pilots want to avoid F-22 Raptor (timesdispatch.com)
- Video: F-22 Raptor in action during Red Flag 12-3 (theaviationist.com)
Exclusive: What nobody else will tell you about the U.S. F-22 stealth fighters deployed near Iran April 30, 2012
Posted by David Cenciotti in Military Aviation. Tags: Al Dhafra, Holloman Air Force Base, Iran, Joint Base Elmendorf-Richardson, Lockheed Martin, Lockheed Martin F-22 Raptor, Optronique Secteur Frontal, Synthetic Aperture Radar, United Arab Emirates, United States Air Force
Update May 2, 2012 16.05 GMT
The news that multiple F-22 stealth fighters were deployed “near Iran” has already been reported by the most important media outlets all around the world.
However, nobody has been able to provide some important details that would help to better understand the scope of this overseas deployment: when did the Raptors deploy? How many aircraft were deployed? Where?
And, above all, are those planes capable of performing strike missions in addition to the standard air-to-air sorties?
Thanks to the information provided by several sources, The Aviationist is able to fill the gaps, provide a more accurate view of the deployment and debunk some myths that fueled the media hype.
The six F-22 Raptors currently at Al Dhafra, UAE, belong to the 49th Fighter Wing, based at Holloman AFB, New Mexico. They flew as “Mazda 91” to Moron, Spain, on Apr. 17 and departed again for their final destination on Apr. 20.
Since they spent some 4 days in Spain, the stealthy planes were photographed by several local spotters, who were able to provide the exact list of all the examples involved in the deployment:
#04-4078, #04-4081, #05-4093, #05-4094, #05-4098, #05-4099.
If they were not willing to let the world know of such a deployment, they would not have made a stopover in Spain in daylight.
They are all Block 3.0 (or Block 30) examples, meaning that none of them has received the latest upgrade (Block 3.1), which brought to the troubled stealthy fighter the capability to find and engage ground targets using Synthetic Aperture Radar mapping and eight GBU-39 SDBs (Small Diameter Bombs).
Therefore they are hardly involved in any build-up process in the region, since their role in case of war on Iran would be limited to the air-to-air arena: mainly fighter sweep (missions with the aim of seeking out and destroying enemy aircraft prior to the arrival of the strike package), HVAA (High Value Air Asset) escort and DCA (Defensive Counter Air).
Image credit: U.S. Air Force
Considering the limited effectiveness of the Iranian Air Force, it is much more likely that the F-22s involved in any kind of attack on Iran would be those of the 3rd Fighter Wing, based at Joint Base Elmendorf-Richardson, Alaska, which was the first U.S. Air Force unit to receive the Block 3.1 planes and has already started training in the air-to-surface role.
Furthermore, the deployment is among those scheduled several months in advance, and this is not the first time the F-22 has deployed to the United Arab Emirates. In November 2009, some 1st Fighter Wing Raptors from Langley AFB flew to Al Dhafra to train with the French Air Force Rafales and the RAF Typhoons during exercise ATLC 2009. The episode is quite famous because in late December of the same year the French Ministry of Defense released the captures taken by the Rafale’s OSF (Optronique Secteur Frontal) showing an F-22 in aerial combat. In fact, although the U.S. Air Force pilots said that their plane was undefeated during the exercise, the French were killed once in six 1 vs 1 WVR (Within Visual Range) engagements versus the F-22 (the other 5 ended with a “draw”) and one Raptor was claimed as killed by a UAE Mirage 2000 during a mock engagement.
Here’s the famous capture released at the time and published for the first time by Air & Cosmos magazine.
Image credit: French MoD via Air & Cosmos
Middle East Cyber War: Revenge Of The Drones April 23, 2012
Posted by Paolo Passeri in Information Security. Tags: Cyber Attack, Cyber Weapon, Cyberwarfare, drone, Iran, Lockheed Martin RQ-170 Sentinel, Middle East, National Iranian Oil Company, Reverse engineering, RQ-170, Stuxnet
In the same hours in which I was publishing my post on Cyber Weapons, news agencies all around the world began to release (few) details about a new alleged Cyber Attack targeting the Iranian Oil Ministry, the National Iranian Oil Company and several other state-owned businesses.
The attack has been confirmed by a spokesman of the Iranian Oil Ministry, who also stressed that critical data have not been damaged or lost in the attack. Anyway, as a consequence of the Cyber Attack, albeit as a precaution, Internet access to several oil refineries has been cut off.
Of course Iran is not new to Cyber Attacks targeting Critical Infrastructures (do you remember Stuxnet and the possible hoax of Duqu Stars?); in any case it is too soon to draw any connection with Stuxnet or any other kind of State-Sponsored Attack, also because, according to the scant information available, only a server providing public information has been harmed.
Probably this malware has nothing to do with cyber weapons but, just for fun, I cannot help but notice that this alleged Cyber Attack came on the same day in which, amid many doubts, Iran announced that it had reverse-engineered the U.S. stealthy RQ-170 Sentinel drone captured by Iran in December 2011.
The revenge of the reverse-engineered drone?
A new Cyber Attack to #Iran Oil Facilities… WTF! The #Stuxnet 2 malware inside the reverse-engineered drone was successful…
— Paolo Passeri (@paulsparrows) April 23, 2012
Obviously it’s ironic, but what if the drone was actually a Trojan horse?
[Read also: Captured U.S. stealthy drone in Iran: the simplest solution solves the mystery]
The mysterious hatch possibly housing a recovery chute. Image courtesy: Dave Krakow
Related articles
- What is a Cyber Weapon? (theaviationist.com)
- Iran claims it has decoded the U.S. stealthy RQ-170 Drone Intel but provides unsubstantiated evidence to prove it. (theaviationist.com)
Iran claims it has decoded the U.S. stealthy RQ-170 Drone Intel but provides unsubstantiated evidence to prove it. April 22, 2012
Posted by David Cenciotti in Captured Stealth Drone. Tags: Army of the Guardians of the Islamic Revolution, Iran, Kandahar, Lockheed Martin RQ-170 Sentinel, Osama bin Laden, United States
Iran has decoded the U.S. stealthy drone intel?
What? oh, umm…yeah…sure
According to a FARS News Agency article published on Apr. 22, Iran has just finished decoding the intelligence-gathering sensors and the internal hard disks of the U.S. stealthy RQ-170 Sentinel drone that was captured by Iran in December 2011.
Speaking to FNA, the Commander of the Islamic Revolution Guards Corps (IRGC) Aerospace Forces, Brigadier General Amir Ali Hajizadeh, revealed some data taken from the aircraft’s intelligence system to deny claims by the Pentagon according to which the Iranians would not succeed in decoding the spy drone’s memory and intelligence devices.
To provide four cues letting the US know how deep Iranian engineers could penetrate into the secrets of the drone, Hajizadeh stated that:
The drone parts had been transferred to California for technical works in October 2010, adding that the drone was later transferred to Kandahar, Afghanistan in November 2010 and had a flight in there.
The commander said that the drone had experienced some technical flaws in its Kandahar flight in November, but the US experts failed to resolve the problems at the time.
Hajizadeh added that the RQ-170 was then sent back to an airfield near Los Angeles in December 2010 for tests on its sensors and parts, adding that the drone had a number of test flights there.
As a fourth cue to prove Iran’s access to the drone’s hidden memory, the commander mentioned that the spy drone’s memory device revealed that it had flown over Al-Qaeda leader Osama bin Laden’s hideout in Pakistan two weeks before his death.
According to Hajizadeh, “Had we not accessed the plane’s soft wares and hard discs, we wouldn’t have been able to achieve these facts”.
Although it is possible that the RQ-170’s internal memories were not successfully wiped following the loss of satellite link with the drone, giving the Iranians the chance to decipher some of the data it collected, the four “cues” provided by the Iranian General are not solid.
The same information could be retrieved, if not on the Internet (the fact that the “Beast of Kandahar” took part in Operation Neptune’s Spear to kill Osama Bin Laden has been very well known since May 2011), with a little OSINT (Open Source INTelligence) and some spying.
Aviation magazines have published pictures of the RQ-170 at Kandahar showing some modifications (obviously applied in the US), and simply observing the drone at Kandahar before and after the new equipment was installed could reveal signs of stateside work.
Hence, unless something more solid emerges, I think it’s quite unlikely that the internal memory contained useful information: it was (probably) automatically erased as a consequence of the loss-of-control procedure and the data will never be recovered. However, the circuitry, lenses, memories and sensors are still there and can be evaluated, tested and copied. And, maybe, improved, with the help of some interested third parties (Russia and China).
Related articles
- Iran to return the captured stealthy RQ-170 Sentinel drone to the U.S. As a scale model. (theaviationist.com)
- [Updated] U.S. Stealthy RQ-170 model on display at Tehran in Feb.11 Rallies. With extracted landing gear. (theaviationist.com)
- U.S. Stealthy RQ-170 model on display at Tehran in Feb.11 Rallies. With extracted landing gear. (theaviationist.com)
Up-close and personal with Iran’s Air Force: rare insight into pilot’s traditions, procedures, equipment April 19, 2012
Posted by David Cenciotti in Iran. Tags: Armed Forces Day, Grumman F-14 Tomcat, Iran, Iran Air Force, Islamic Republic of Iran Air Force, Sukhoi Su-24
An interesting behind-the-scenes video was shot on Apr. 17, when Iran commemorated National Armed Forces Day with a military parade in Tehran.
It shows Islamic Republic of Iran Air Force (IRIAF) pilots before, during and after the flybys, providing some interesting details on their traditions, including kissing the Koran before their mission and kissing each other three times at the end of the sortie; their flight gear (unit patches and flight helmets); and F-4, F-14 and Su-24 hardware.
Unfortunately, no subtitles are available for this documentary.
Related articles
- Another day, another military parade: Iran celebrates Armed Forces Day (theaviationist.com)
- Video: Iranian F-14 Tomcats on combat patrol. Unarmed. (theaviationist.com)
- How IRIAF F-14 Tomcats could be (effectively) used in combat against Israeli or U.S. planes or drones (theaviationist.com)
- F-14s, in-flight emergencies and arrested landings. Top Gun? No, an Iranian TV series (theaviationist.com)
- A draconian long range strike: Israel’s attempt to smash the Iranian nuclear program. (theaviationist.com)
Another day, another military parade: Iran celebrates Armed Forces Day April 17, 2012
Posted by David Cenciotti in Iran. Tags: Armed Forces Day, Iran, IRIAF, Islamic Republic of Iran Air Force, Mahmoud Ahmadinejad
Just a couple of days after North Korea displayed its military hardware in Pyongyang, during which North Korean leader Kim Jong Un delivered his first public televised speech since the failed rocket launch, a new military parade took place in one of the world’s hottest places: Iran.
On Apr. 17, Iran commemorated National Armed Forces Day with a ceremony attended by President Mahmoud Ahmadinejad and several high-ranking military officials.
According to the Mehr News Agency, thousands of goose-stepping soldiers took part in the parade, in which some military vehicles and equipment were displayed, including the new generation of the Zolfiqar tank, the Samsam tank, the Borragh personnel carrier, the Naze’at missile launcher, the Misaq 2 missile launcher, the Badr tank transporter, and advanced radar and missile systems.
Several planes attended the “show” as well, including IRIAF F-14s and Su-24s (performing aerial refueling), even if, to be honest, nothing comparable to the 70 F-15Es launched yesterday by the U.S. Air Force from Seymour Johnson AFB.
If I were to choose between the IRIAF current fighters and the 70 F-15Es of the 4th FW, most probably I’d pick the Strike Eagles.
Image credit: ATTA KENARE/AFP/Getty Images
Addressing the military personnel, Ahmadinejad said:
“Security in the Persian Gulf will be promoted with the participation of regional countries, and the interference of foreigners will bring nothing but insecurity,” he said.
A message to Israel, U.S. and some regional allies, in anticipation of a possible (imminent?) attack on Tehran’s nuclear program.
Image credits: AP Photo/Vahid Salemi and ATTA KENARE/AFP/Getty Images