When the history of cyber-warfare comes to be written, its first sentence may go something like this: “Israel gave the United States an ultimatum.” For a number of years, intelligence reports intermittently indicated that Iran was getting closer to building a nuclear bomb, which the Israeli leadership views as an existential threat. In 2004, Israel gave Washington a wish list of weapons and other capabilities it wanted to acquire. The list—for various kinds of hardware but also for items such as aerial transmission codes, so that Israeli jets could overfly Iraq without having to worry about being shot down by U.S. warplanes—left little doubt that Israel was planning a military attack to stop Iran’s nuclear progress. President George W. Bush regarded such action as unacceptable, while acknowledging that diplomacy and economic sanctions had failed to change Iran’s mind.
Intelligence and defense officials offered him a possible third way—a program of cyber-operations, mounted with the help of Israel and perhaps other allies, that would attack Iran’s nuclear program surreptitiously and at the very least buy some time. As with the drone program, the Obama administration inherited this plan, embraced it, and has followed through in a major way. Significant cyber-operations have been launched against Iran, and the Iranians have certainly noticed. It may be that these operations will eventually change minds in Tehran. But the aramco attack suggests that, for the moment, the target may be more interested in shooting back, and with weapons of a similar kind.
Cyberspace is now a battlespace. But it’s a battlespace you cannot see, and whose engagements are rarely deduced or described publicly until long after the fact, like events in distant galaxies. Knowledge of cyber-warfare is intensely restricted: almost all information about these events becomes classified as soon as it is discovered. The commanding generals of the war have little to say. Michael Hayden, who was director of the C.I.A. when some of the U.S. cyber-attacks on Iran reportedly occurred, declined an interview request with a one-line e-mail: “Don’t know what I would have to say beyond what I read in the papers.” But with the help of highly placed hackers in the private sector, and of current and former officials in the military and intelligence establishments and the White House, it is possible to describe the outbreak of the world’s first known cyber-war and some of the key battles fought so far.
II. Flame, Mahdi, Gauss
‘I needed to come up with something cool for self-promotion at conferences,” Wes Brown recalls. The year was 2005, and Brown, a hacker who is deaf and has cerebral palsy, started a business called Ephemeral Security with a colleague named Scott Dunlop. Banks and other corporations hired Ephemeral to hack their networks and steal information, then tell them how to keep bad guys from doing the same thing. So Brown and Dunlop spent a lot of time dreaming up ingenious break-ins. Sometimes they used those ideas to boost their street cred and advertise their business by making presentations at elite hacker conferences—elaborate festivals of one-upmanship involving some of the greatest technical minds in the world.
At a Dunkin’ Donuts coffee shop in Maine, Brown and Dunlop started brainstorming, and what they produced was a tool for attacking networks and gathering information in penetration tests—which also amounted to a revolutionary model for espionage. By July of that year, the two men completed writing a program called Mosquito. Not only did Mosquito hide the fact that it was stealing information, but its spy methods could be updated, switched out, and re-programmed remotely through an encrypted connection back to a command-and-control server—“the equivalent of in-flight drone repair,” Brown explains. In 2005 the unveiling of Mosquito was one of the most popular presentations at the prestigious hacker conference known as Def Con, in Las Vegas.
Many U.S. military and intelligence officials attend Def Con and have been doing so for years. As early as the 1990s, the U.S. government was openly discussing cyber-war. Reportedly, in 2003, during the second Gulf War, the Pentagon proposed freezing Saddam Hussein’s bank accounts, but the Treasury secretary, John W. Snow, vetoed the cyber-strike, arguing that it would set a dangerous precedent that could result in similar attacks on the U.S. and de-stabilize the world economy. (To this day, the Treasury Department participates in decisions concerning offensive cyber-warfare operations that could have an impact on U.S. financial institutions or the broader economy.) After 9/11, when counterterrorism efforts and intelligence became increasingly reliant on cyber-operations, the pressure to militarize those capabilities, and to keep them secret, increased. As Iran seemed to move closer to building a nuclear weapon, the pressure increased even more.
As Wes Brown recalls, none of the government types in the audience said a word to him after his Mosquito presentation at Def Con. “None that I could identify as government types, at least,” he adds, with a chuckle. But about two years later, probably in 2007, malware now known as Flame appeared in Europe and eventually spread to thousands of machines in the Middle East, mostly in Iran. Like Mosquito, Flame included modules that could, through an encrypted connection to a command-and-control server, be updated, switched out, and re-programmed remotely—just like in-flight drone repair. The Flame software offered a very full bag of tricks. One module secretly turned on the victim’s microphone and recorded everything it could hear. Another collected architectural plans and design schematics, looking for the inner workings of industrial installations. Still other Flame modules took screenshots of victims’ computers; logged keyboard activity, including passwords; recorded Skype conversations; and forced infected computers to connect via Bluetooth to any nearby Bluetooth-enabled devices, such as cell phones, and then vacuumed up their data as well.
To continue reading paste this link in to Internet Explorer for pages 2 thru 5.