WASHINGTON — The United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected critical intelligence in preparation for cyber-sabotage attacks aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.
The massive piece of malware was designed to secretly map Iran’s computer networks and monitor the computers of Iranian officials, sending back a steady stream of intelligence used to enable an ongoing cyberwarfare campaign, according to the officials.
The effort, involving the National Security Agency (NSA), the CIA and Israel’s military, has included the use of destructive software such as the so-called Stuxnet virus to cause malfunctions in Iran’s nuclear enrichment equipment.
The emerging details about Flame provide new clues about what is believed to be the first sustained campaign of cyber-sabotage against an adversary of the United States.
“This is about preparing the battlefield for another type of covert action,” said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber collection against the Iranian program is way further down the road than this.”
Flame came to light last month after Iran detected a series of cyberattacks on its oil industry. The disruption was directed by Israel in a unilateral operation that apparently caught its U.S. partners off guard, according to several U.S. and Western officials, speaking on the condition of anonymity.
There had been speculation that the United States had a role in developing Flame, but the collaboration on the virus between Washington and Israel has not been previously confirmed. Commercial security researchers last week reported that Flame contained some of the same code as Stuxnet. Experts described the overlap as DNA-like evidence that the two sets of malware were parallel projects run by the same entity.
Spokespersons for the CIA, the NSA and the Office of the Director of National Intelligence, as well as the Israeli Embassy in Washington, declined to comment.
The virus is among the most sophisticated and subversive pieces of malware exposed to date. Experts said the program was designed to replicate across even highly secure networks, then control everyday computer functions to send a flow of secrets back to its creators. The code could activate computer microphones and cameras, log keyboard strokes, take computer screen shots, extract geolocation data from images and send and receive commands and data through Bluetooth wireless technology.
Flame was designed to do all this while masquerading as a routine Microsoft software update, evading detection for several years by using a sophisticated program to crack an encryption algorithm.
“This is not something that most security researchers have the skills or resources to do,” said Tom Parker, chief technology officer for Fusion X, a security firm specializing in simulating state-sponsored cyberattacks, who does not know who was behind the virus. “You’d expect that of only the most advanced cryptomathematicians, such as those working at NSA.”
Flame was developed at least five years ago as part of a classified effort code-named Olympic Games, according to officials familiar with U.S. cyber operations and experts who have scrutinized its code. The U.S.-Israeli collaboration was intended to slow Iran’s nuclear program, reduce the pressure for a conventional military attack and extend the timetable for diplomacy and sanctions.
The cyberattacks augmented conventional sabotage efforts by both countries, which included inserting flawed centrifuge parts and other components in Iran’s nuclear supply chain.
The best-known cyberweapon set loose on Iran was Stuxnet, a name coined by researchers in the antivirus industry who discovered the virus two years ago. It infected a specific type of industrial controller at Iran’s uranium enrichment plant in Natanz, causing almost 1,000 centrifuges to spin out of control. The damage occurred gradually, over months, and Iranian officials initially thought it was the result of incompetence.
The scale of the espionage and sabotage effort “is proportionate to the problem that’s trying to be resolved,” the former intelligence official said, referring to the Iranian nuclear program. Although Stuxnet and Flame infections can be countered, “it doesn’t mean that other tools aren’t in play or performing effectively,” he said.
To develop these tools, the United States relies on two of its elite spy agencies. The NSA, known mainly for its electronic eavesdropping and code-breaking capabilities, has extensive expertise in developing malicious code that can be aimed at U.S. adversaries, including Iran. The CIA lacks the NSA’s level of sophistication in building malware, but is deeply involved in the cyber campaign.
The agency’s Information Operations Center is second only to the CIA’s Counterterrorism Center in size. The IOC, as it is known, performs an array of espionage functions, including extracting data from laptops seized in counterterrorism raids. But the center specializes in computer penetrations that require closer contact with the target, such as using spies or unwitting contractors to spread a contagion on a thumb drive.
Both agencies analyze the intelligence obtained through malware such as Flame, and have continued to develop new weapons even as recent attacks have been exposed.
Flame’s discovery shows the important role of mapping networks and collecting intelligence on targets as the prelude to an attack, especially in closed computer networks. Officials say gaining and keeping access to a network is 99 percent of the challenge.
“It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage,” said Michael Hayden, a former NSA director and CIA director who left office in 2009. He declined to discuss any operations he was involved with during his time in government.
The effort to delay Iran’s nuclear program using cyber-techniques began in the mid-2000s, when President George W. Bush was in his second term. At that point it consisted mainly of intelligence gathering to identify potential targets and develop tools to disrupt them. In 2008, the program went operational and shifted from military to CIA control, former officials said.
Despite their collaboration on developing the malicious code, the United States and Israel have not always coordinated attacks. Israel’s April assaults on Iran’s Oil Ministry and oil export facilities caused only minor disruptions. The episode led Iran to investigate and ultimately discover Flame.
“The virus penetrated some fields — one of them was the oil sector,” Gholam Reza Jalali, an Iranian military cyber official, told Iranian state radio in May. “Fortunately, we detected and controlled this single incident.”
Some U.S. intelligence officials were dismayed that Israel’s unilateral incursion led to the discovery of the virus, prompting countermeasures.
The disruptions led Iran to ask a Russian security firm and a Hungarian cyber lab for help, according to U.S. and international officials familiar with the incident.
Last week, researchers with the Kaspersky Labs, the Russian security firm, reported their conclusion that Flame — a name they came up with — was created by the same group or groups that built Stuxnet. Kaspersky declined to comment on whether it was approached by Iran.
“We are now 100 percent sure that the Stuxnet and Flame groups worked together,” said Roel Schouwenberg, a Boston-based senior researcher with Kaspersky Labs.
Kaspersky also determined that the Flame malware predates Stuxnet. “It looks like the Flame platform was used as a kickstarter of sorts to get the Stuxnet project going,” Schouwenberg said.
Staff writer Joby Warrick contributed to this report.