Websites included in OSINT products are subject to monitoring by U.S. and foreign government
agencies, and should not be viewed on U.S. government or personal computers.
Author: OSINT - Open Source Intelligence (CCJ2-JOWO)
ccj2-osint@centcom.smil.mil PH: 813-827-1441
UNCLASSIFIED//FOR OFFICIAL USE ONLY

Title: Iran Cyber Attack - Stuxnet and Flame
Analyst: TS
Ref#: 20120605-468 CIP
ICOD: 20120605
Country/Topic: Iran, Israel, US / Military, Political

Analyst Comment:
A body of open source reporting from 28 May through 5 June 2012 revealed that Iran was attacked by another
computer virus, called "Flame." Israel hinted that it conducted the attack, while other headlines first stated
that US President Obama authorized the attack and then transitioned to saying the attack was a joint
US/Israeli effort that both countries had admitted.

Open source reporting from 28 May revealed that Iranian government computer systems were infected
with the "Flame" virus as part of a cyber warfare attack. On 29 May, the New York Times highlighted that
Iran's Computer Emergency Response Team Coordination Center had acknowledged damage from a virus
on its website. This was followed by Israel's Deputy Prime Minister Moshe Ya'alon being quoted by
the Jerusalem Post saying, "whoever sees the Iranian threat as a serious threat would be likely to take
different steps, including these, in order to hurt them" and "these achievements of ours open up all kinds
of possibilities for us," insinuating Israel conducted the attack.

On 30 May, Iran's Fars News declared they had produced an anti-virus program against the "Flame,"
and in a statement Iran's National Computer Emergency Response Team said, "It seems there is a
close relation to the Stuxnet and Duqu targeted attacks" adding the malware's "propagation methods,
complexity level, precise targeting and superb functionality" were reminiscent of the Stuxnet and Duqu
attacks.

On 01 June, The New York Times (NYT) posted an article indicating US President Obama authorized and
sped up cyber attacks against Iran initiated by the Bush Administration. UAE's Gulf News reflected the
general activity of the cyber attacks and quoted Western think tanks indicating the US should be prepared
for cyber retaliation from Iran.

The Jerusalem Post reported that the Israeli Defense Force (IDF) acknowledged using cyberspace to gather
intelligence, attack enemies, and conduct various military operations on its official website on 03 June.
Open sources indicate this is the first official admission of the IDF using cyberspace to conduct offensive
military operations. Another article highlighted that this revelation came within a few days of the NYT
article and may be intended to spook Iran. The NYT article is an adapted extract of the book "Confront
and Conceal: Obama's Secret Wars and Surprising Use of American Power" by David E. Sanger, due for
release on 05 June.

On 05 June, the Strategy Page headlined "Israel and U.S. Admit Joint Cyber War Effort" reporting
American and Israeli officials confirmed Stuxnet, Duqu, and Flame used against Iran were joint U.S.-
Israel operations. The article did not identify any US or Israeli officials, nor did it attribute the information
to "officials wishing to remain unnamed." No articles were observed indicating any acknowledgement by
any nation or its officials for the cyber attacks on Iran.

Headlines in Summary:

Mystery Virus Sought To Steal 'Designs From Iran': Russian Firm
Israel And U.S. Admit Joint Cyber War Effort
Mystery Virus Sought 'Designs From Iran': Russian Firm
Why Are Israel And America Suddenly Speaking So Openly About Cyber Warfare?
Israeli Army Stresses On Cyber Warfare
Obama Ordered Cyber Attack On Iran: NY Times
"Flame" Malware Was Signed By Rogue Microsoft Certificate
IT Official: 30 Countries Ask Iran For Help To Combat 'Flame'
Microsoft Issues Update To Protect Businesses From Flame Malware
Report: US, Israel Using All Capabilities In Cyber War On Iran
Leader's Military Aide Warns US Of Iran's Tough Response To Military Attack
Legal Action Must Be Taken Against US Over Cyber Attacks: Analyst
IDF Admits To Using Cyber Space To Attack Enemies
US Senator Accuses Obama
Iran Vows 'Proportionate' Response To Any Strike
Cyber-Attacks "Bought Us Time" On Iran - U.S. Sources
Obama Govt. Leaked Details Of Anti-Iran Operation: McCain
US, Iran Dig In For Long Cyber War
The Flame Cyber Attack: How One Worm Changed The Discourse On An Iran Strike
Obama Ordered Stuxnet Cyber Attack On Iran: Report
Obama Order Sped Up Wave Of Cyberattacks Against Iran
Cyber Attacks On Iran - Stuxnet And Flame
US Is Losing Regional Bases
U.N. Agency Plans Major Warning On 'Flame' Virus Risk; Israel On Alert
Zionist Regime Hints It Created Flame Malware
Iran Successfully Combats Flame Spyware
Iran Slams Enemy Cyber Attack
Iran Shows Prompt Response To Israel's Cyber War
Iran Under Cyber-Attack By Data-Mining Virus
IRGC: US, Israel Losing Bases In Region
PM: Israel Increasing Its Cyber-Defense Capabilities
Iran Confirms Attack By Virus That Collects Information
Ya'alon Hints At Israeli Role In 'Flame' Virus
Israel Admits To Waging Cyber War On Iran
Israel, Iran, Lebanon hit by "Flame" super-virus
The 'Flame' Computer Virus Strikes Iran, 'Worse Than Stuxnet'

Supporting Documentation:


05 Jun 12
Al Arabiya
Mystery Virus Sought To Steal 'Designs From Iran': Russian Firm

(U) This undated screen grab released by the Kaspersky Lab site shows a program of the computer virus
known as Flame. (AFP, 05 Jun 12)

A mystery computer virus discovered last month and deployed in a massive cyberattack chiefly against
Iran sought to steal designs and PDF files from its victims, a Russian firm said.

Kaspersky Lab, one of the world's biggest producers of anti-virus software, announced last month the
discovery of the Flame virus, which it described as the biggest and most sophisticated malware ever
seen.

In the latest update on Kaspersky's analysis of the virus, released late Monday, the firm's chief security
expert, Alexander Gostev, said the malware's creators had focused on file formats such as PDF and
AutoCAD, a software for computer design and drawing.

"The attackers seem to have a high interest in AutoCAD drawings," Gostev said in a statement.

The malware also "goes through PDF and text files and other documents and makes short text
summaries," he added.

"It also hunts for e-mails and many different kinds of other 'interesting' (high-value) files that are specified
in the malware configuration."

He confirmed that Iran was by far the biggest target with a count of 185 infections, followed by 95 in Israel
and the Palestinian Territories, 32 in Sudan and 29 in Syria.

The discovery of Flame immediately sparked speculation that it had been created by U.S. and Israeli
security services to steal information about Iran's controversial nuclear drive.

Intriguingly, Kaspersky said that hours after the existence of the virus was first announced on May
28, "The Flame command-and-control infrastructure, which had been operating for years, went dark."

It gave no further information over the possible perpetrators of the mystery attack, though it identified
about 80 domains that appear to belong to the Flame infrastructure, in locations from Hong Kong to
Switzerland.

Kaspersky said it had used a procedure known as sinkholing -- which allows Internet security experts to
gain control of a malicious server -- to analyze the operation.

During the sinkholing it found that on three computers in Lebanon, Iraq and Iran the Flame versions
changed, suggesting Flame upgraded itself in the process.

The New York Times reported last week that President Barack Obama has accelerated cyberattacks
on Iran's nuclear program in an operation codenamed "Olympic Games" that uses a malicious code
developed with Israel.

Flame exploits Windows bug

Meanwhile, Microsoft Corp warned that a bug in Windows allowed PCs across the Middle East to become
infected with Flame and released a software fix to fight the espionage tool that surfaced last week.

Security experts said they were both surprised and impressed by the approach that the attackers had
used, which was to disguise Flame as a legitimate program built by Microsoft.

Experts described the method as "elegant" and they believed it had likely been used to deliver other cyber
weapons yet to be identified.

"It would be logical to assume that they would have used it somewhere else at the same time," Mikko
Hypponen, chief research officer for security software maker F-Secure, said.

If other types of cyber weapons were indeed delivered to victim PCs using the same approach as Flame,
then they will likely be exposed very quickly now that Microsoft has identified the problem, said Adam
Meyers, director of intelligence for security firm CrowdStrike.

Cyber weapons that bear the fake Microsoft code will either stop working or lose some of their
camouflage, said Ryan Smith, chief research scientist with security firm Accuvant.

A spokeswoman for Microsoft declined to comment on whether other viruses had exploited the same flaw
in Windows or if the company's security team was looking for similar bugs in the operating system.

News of the Flame virus, which surfaced a week ago, generated headlines around the world as
researchers said that technical evidence suggests it was built on behalf of the same nation or nations
that commissioned the Stuxnet worm that attacked Iran's nuclear program in 2010. Researchers are still
gathering information about the virus.


05 Jun 12
Strategy Page
Israel And U.S. Admit Joint Cyber War Effort

American and Israeli officials have finally confirmed that the industrial grade Cyber War weapons
(Stuxnet, Duqu and Flame) used against Iran in the last few years were indeed joint U.S.-Israel
operations. No other details were released, although many more rumors are now circulating. The U.S.
and Israel were long suspected of being responsible for these "weapons grade" computer worms. Both
nations had the motive to use, means to build and opportunity to unleash these powerful Cyber War
weapons against Iran and others that support terrorism.

The U.S. Department of Defense had long asked for permission to go on the offensive using Cyber War
weapons. But the U.S. government regularly and publicly declined to retaliate against constant attack
from China, mainly because there were fears that there could be legal repercussions and that weapons
used might get out of control and cause lots of damage to innocent parties.

Iran turned out to be another matter. Although not a serious Cyber War threat to the United States, Iran
was trying to build nuclear weapons and apparently Israel had already been looking into using a Cyber
War weapon to interfere with that. Given the nature of these weapons, which work best if the enemy
doesn't even know they exist, don't expect many details to be released about this Cyber War program.
What is known is that the Cyber War weapons unleashed on Iran were designed to concentrate only on
very specific targets. So far, only three weapons that we know of have been used. One (Stuxnet) was
designed to do damage to one specific facility, the plant where Iran produced nuclear fuel for power
plants, and atomic weapons. That one worked. The other two (Duqu and Flame) were intelligence
collection programs. They also apparently succeeded, remaining hidden for years and having lots of
opportunity to collect enormous quantities of valuable data.

It was only in the last month that the latest of these Cyber War "super weapons" was uncovered. The
new one is called Flame, and was designed to stay hidden and collect information from computers it got
into. It apparently did both, for up to five years (or more), in Iran, Lebanon, the Palestinian West Bank,
and, to a lesser extent, other Moslem countries in the region. Like the earlier Stuxnet (2009) and Duqu
(2011), Flame has all the signs of being designed and created by professional programmers and software
engineers. Most malware (hacker software) is created by talented and often undisciplined amateurs
and often displays a lack of discipline and organization. Professional programmers create more capable
and reliable software. That describes Stuxnet, Duqu, and Flame. The U.S. and Israel spent big bucks
to craft these Cyber War weapons and get them to their targets. Both nations have access to the best
programming talent on the planet, and already have organizations that can recruit and supervise highly
secret software development.

As researchers continue studying these three software packages, they find ever more surprising features.
Until the appearance of Flame, the most formidable Cyber War weapon encountered was Stuxnet, a
computer worm (a computer program that constantly tries to copy itself to other computers) that showed
up two years ago. It was designed as a weapons grade cyber weapon and was designed to damage
Iran's nuclear weapons manufacturing facilities. It succeeded. A year after Stuxnet was discovered (in
2010), security experts uncovered Duqu. Like Flame, Duqu was collecting information on large computer
networks and apparently preparing for an even broader attack on industrial targets.

It appeared that Stuxnet and Duqu were but two of five or more Cyber War weapons developed (up to
five years ago) from the same platform. Flame was not apparently related to Stuxnet and Duqu. The
basic Flame platform appears to have been built to accept numerous additional software modules, giving
each variant different capabilities. Some of the modules made use of specific computer features, like a
microphone, wireless communication, or the camera. Flame appears to be a very different design from
Stuxnet and Duqu but also spreads via a USB memory stick or the Internet.

Some infected PCs were found to contain a large number of Flame modules, amounting to up to 20
megabytes of code and data. Flame hides its presence very well and has a very effective self-destruct
feature that erases all evidence of its presence. In the at least five years Flame has been around, it has
gotten into a few thousand PCs and collected large quantities of data.

In contrast, Duqu was being used to probe industrial computer systems and send information back about
how these systems are built and operate. When Duqu was first discovered, the server it was sending its
data to was eventually found in India and disabled. Duqu appeared to shut down last December. No one
knows if this is because Duqu had finished its work or was feeling cramped by all the attention. Flame is
still operating.

For over two years now, hundreds of capable programmers have been taking Stuxnet and Duqu apart
and openly discussing the results. While these programs are "government property", once they are turned
loose they belong to everyone. The public discussion on the Internet has provided a bonanza of useful
criticism of how the programs were put together, often describing in detail how flaws could be fixed or
features improved. But even when such details were not provided, the programmers picking apart these
programs usually mentioned what tools or techniques were needed to make the code more effective.

On the down side, this public autopsy of this stuff makes the inner workings of the software, and all the
improvements, available to anyone. Then again, security professionals now have a much clearer idea of
how this kind of weapon works and this can make future attempts to use similar weapons more difficult.

Flame is much larger and more complex than Stuxnet or Duqu and will keep researchers busy for years.
But now that three of these professionally crafted Cyber War weapons have appeared in the last three
years, it seems likely that more will show up.

Weapons like Stuxnet and Duqu are nothing new; for nearly a decade Cyber War and criminal hackers
have planted programs ("malware") in computer networks belonging to corporations or government
agencies. These programs (called "Trojan horses" or "zombies") are under the control of the people who
plant them and can later be used to steal, modify, destroy data, or shut down the computer systems
the zombies are on. You infect new PCs and turn them into zombies by using freshly discovered and
exploitable defects in software that runs on the Internet. These flaws enable a hacker to get into other
people's networks. Called "Zero Day Exploits" (ZDEs), in the right hands these flaws can enable criminals
to pull off a large online heist or simply maintain secret control over someone's computer. Flame was
apparently using high-quality (and very expensive) ZDEs and possibly receiving new ones as well.

Stuxnet contained four ZDEs, two of them unknown, indicating that whoever built Stuxnet had
considerable resources. ZDEs are difficult to find and can be sold on the black market for over $250,000.
The fact that Stuxnet was built to sabotage an industrial facility spotlights another growing problem - the
vulnerability of industrial facilities. The developers of systems control software have been warned about
the increased attempts to penetrate their defenses. In addition to terrorists, there is the threat of criminals
trying to extort money from utilities or factories with compromised systems, or simply sniff around and
sell data on vulnerabilities to Cyber War organizations. But in the case of Stuxnet, the target was Iran's
nuclear weapons operation, although some hackers dissecting Stuxnet could now build software for use
in blackmail schemes.

Stuxnet was designed to shut down a key part of Iran's nuclear weapons program, by damaging the gas
centrifuges used to enrich uranium to weapons grade material. Iran eventually admitted that this damage
occurred and recent Western estimates of how soon Iran would have a nuclear weapon have been
extended by several years. So, one can presume that Stuxnet was a success.

Duqu appears to be exploiting the success of Stuxnet in spreading to so many industrial sites and is
designed to sniff out details of places it ends up in and send the data to whoever is planning on building
Stuxnet 2.0. Several different versions of Duqu have been found so far, and all of them have been
programmed to erase themselves after they have been in a computer for 36 days.

Stuxnet was believed to have been released in late 2009, and thousands of computers were infected
as the worm sought out its Iranian target. Initial dissection of Stuxnet indicated that it was designed to
interrupt the operation of the control software used in various types of industrial and utility (power, water,
sanitation) plants. Eventually, further analysis revealed that Stuxnet was programmed to subtly disrupt the
operation of gas centrifuges.

The Stuxnet "malware" was designed to hide itself in the control software of an industrial plant, making it
very difficult to be sure you have cleaned all the malware out. This is the scariest aspect of Stuxnet and is
making Iranian officials nervous about other Stuxnet-type attacks having been made on them. Although
Iran eventually admitted that Stuxnet did damage, they would not reveal details of when Stuxnet got to
the centrifuges nor how long the malware was doing its thing before it was discovered and removed. But
all this accounts for the unexplained slowdown in Iran getting new centrifuges working. Whoever created
Stuxnet probably knows the extent of the damage because Stuxnet also had a "call home" capability.

The U.S. and Israel have been successful with "software attacks" in the past. This stuff doesn't get
reported much in the general media, partly because it's so geeky and because there are no visuals. It is
computer code and arcane geekery that gets it to its target. The earlier attacks, especially Stuxnet, Duqu
and Flame, spread in a very controlled fashion, sometimes via agents who got an infected USB memory
stick into an enemy facility. Even if some copies of these programs get out onto Internet connected PCs,
they do not spread far. Worms and viruses designed to spread can go worldwide and infest millions of
PCs within hours.

Despite all the secrecy this stuff is very real, and the pros are impressed by Stuxnet, Duqu, and Flame,
even if the rest of us have not got much of a clue. The demonstrated capabilities of these Cyber War
weapons usher in a new age in Internet based warfare. Amateur hour is over and the big dogs are
in play. Actually, the Cyber War offensive by the U.S. and Israel appears to have been underway for
years, using their stealth to remain hidden. There are probably more than three of these stealthy Cyber
War applications in use, and most of us will never hear about it until, and if, other such programs are
discovered and their presence made public.


05 Jun 12
Hurriyet
Mystery Virus Sought 'Designs From Iran': Russian Firm
A mystery computer virus discovered last month and deployed in a massive cyberattack chiefly against
Iran sought to steal designs and PDF files from its victims, a Russian firm said.
Kaspersky Lab, one of the world's biggest producers of anti-virus software, announced last month the
discovery of the Flame virus, which it described as the biggest and most sophisticated malware ever
seen.
In the latest update on Kaspersky's analysis of the virus, released late Monday, the firm's chief security
expert, Alexander Gostev, said the malware's creators had focussed on file formats such as PDF and
AutoCAD, a software for computer design and drawing.
"The attackers seem to have a high interest in AutoCAD drawings," Gostev said in a statement.
The malware also "goes through PDF and text files and other documents and makes short text
summaries," he added.
"It also hunts for e-mails and many different kinds of other 'interesting' (high-value) files that are specified
in the malware configuration." He confirmed that Iran was by far the biggest target with a count of 185
infections, followed by 95 in Israel and the Palestinian Territories, 32 in Sudan and 29 in Syria.
The discovery of Flame immediately sparked speculation that it had been created by US and Israeli
security services to steal information about Iran's controversial nuclear drive.
Intriguingly, Kaspersky said that hours after the existence of the virus was first announced on May
28, "The Flame command-and-control infrastructure, which had been operating for years, went dark."
It gave no further information over the possible perpetrators of the mystery attack, though it identified
about 80 domains that appear to belong to the Flame infrastructure, in locations from Hong Kong to
Switzerland.
Kaspersky said it had used a procedure known as sinkholing -- which allows Internet security experts to
gain control of a malicious server -- to analyse the operation.
During the sinkholing it found that on three computers in Lebanon, Iraq and Iran the Flame versions
changed, suggesting Flame upgraded itself in the process.
The New York Times reported last week that President Barack Obama has accelerated cyberattacks
on Iran's nuclear programme in an operation codenamed "Olympic Games" that uses a malicious code
developed with Israel.


04 Jun 12
Haaretz
Why Are Israel And America Suddenly Speaking So Openly About Cyber Warfare?
The IDF Spokesman's website is not usually in the business of breaking stories, so Sunday's report
on the Operations Department instructions defining the roles of cyber warfare in the IDF's operational
doctrine was unexpected and intriguing. According to the report:

Cyber space is to be handled similarly to other battlefields on ground, at sea, in the air and in space.
The IDF has been engaged in cyber activity consistently and relentlessly, gathering intelligence and
defending its own cyber space. Additionally if necessary the cyber space will be used to execute attacks
and intelligence operations.

There are many, diverse, operational cyber warfare goals, including thwarting and disrupting enemy
projects that attempt to limit operational freedom of both the IDF and the State of Israel, as well as
incorporating cyber warfare activity in completing objectives at all fronts and in every kind of conflict.
Moreover, it will be used to maintain Israel's quality and advantage over its enemies and prevent their
growth and military capabilities, while limiting their operation in this field.

Additional goals defined by the document published by the Operations Department include creation of
operational conditions that will assist in fulfilling IDF capabilities in combat as well as influence public
opinion and raise awareness by advocating in the cyber space.

Overall cyber space will be used to improve the operational effectiveness of the IDF, both during war and
peace time. This will be done through clandestine activity, while maintaining confidentiality and expertise.

There are no actual operational details here, but the fact that the IDF has for the first time officially
admitted that it is using cyberspace for offensive purposes is significant.

It is unthinkable that such a report could have been issued (both on the Hebrew and English IDF
websites) without authorization from the highest military and perhaps also political levels.

In previous on-record briefings and interviews, officers and officials have been prepared only to
acknowledge work being done to protect vital computer and communications infrastructure and networks
from cyber attacks, never to specify attempts to use those same weapons to disrupt the enemies
infrastructure and to collect intelligence.

The timing is especially interesting, as it comes just a week after Flame, the mega-computer worm spying
on Iranian and other Middle Eastern computer users was revealed. And it comes hot on the heels of the
interview last week in which Strategic Affairs Minister Moshe Ya'alon, said (regarding such cyber attacks)
that "anyone who sees the Iranian threat as a significant threat - it's reasonable that he will take various
steps, including these, to harm it" and that "Israel is blessed as being a country rich with high-tech, these
tools that we take pride in open up all kinds of opportunities for us."

Ya'alon a few hours later attempted to scale down his remarks tweeting that "plenty of advanced Western
countries, with apparent cyber-warfare capabilities, view Iran and especially its nuclear program as real
threat," but the message got through.

This uncharacteristic Israeli openness coincides with a similar development across the Atlantic, where
American officials have also revealed for the first time the level of cooperation with Israel in developing
and deploying cyber weapons against Iran's nuclear program.

Few of the sources in the lengthy New York Times report are named, but for the first time we have
reliable details on the way the computer virus known as Stuxnet, was developed and used in a joint U.S.-
Israeli operation to sabotage Iran's uranium enrichment project. The cooperation between the American
National Security Agency and the IDF's Military Intelligence Unit 8200, waging electronic war together
on Iran, is probably the closest the two nations have ever come together in the history of their strategic
relations.

The timing of the report by David E. Sanger could be coincidental. After all it is an adapted extract from
his book "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power," which
will be published tomorrow in the U.S.

But the confluence of all these events, the emergence of Flame - which has been lurking in Iranian
computers, unconcealed, for a few years now and may have been revealed intentionally to spook the
Iranians, Ya'alon's unguarded comments, the IDF's report on its cyber warfare doctrine, and now the
detailed statements from senior U.S. officials to Sanger, can hardly be a coincidence. It raises a number
of key questions:

First, were these revelations part of a coordinated decision between Washington and Jerusalem to
momentarily lift the cloak of darkness over their joint cyber efforts? Or are organizations and individuals in
either country just trying to grab some of the credit for their own purposes?

Second, if the openness is intentional, who is all this information aimed at? Is their purpose to create
more pressure on Iran, where researchers, officers and ordinary citizens are afraid to use their computers
and the leaders have to take into account that further attempts to hide nuclear development are bound
to fail? Or is this the Obama Administration trying to convince public opinion in the U.S. and Israel and
of course the Netanyahu government that the intelligence and electronic war on Iran is sufficient, and
that there is no need for military strikes? And are certain elements in Israel's security and political
establishment helping the Americans do this?

Third, is this just an aberration or are we going to see in the near future an acceptance by governments
that cyber warfare is an accepted extension of diplomacy by other means? And how will Iran and other
countries targeted in this way respond?


04 Jun 12
Economic Times - India
Israeli Army Stresses On Cyber Warfare
Israeli army has conceded that it is using cyber-warfare to defend the country, an admission which comes
close on the heels of an unprecedented "cyber espionage worm" attack on Iran's nuclear installations.

"Cyber space is to be handled similarly to other battlefields on ground, at sea, in the air and in space. The
IDF (Israel Defence Forces) has been engaged in cyber activity consistently and relentlessly, gathering
intelligence and defending its own cyber space.

"Additionally if necessary the cyber space will be used to execute attacks and intelligence operations", a
statement by the Israeli army released on its website said.

IDF Operations Department is said to have recently defined the essence of IDF cyber warfare, putting
together instructions that define the military's operational methods in cyber space and clarify its goals in
facing potential enemies.

"There are many, diverse, operational cyber warfare goals, including thwarting and disrupting enemy
projects that attempt to limit operational freedom of both the IDF and the State of Israel, as well as
incorporating cyber warfare activity in completing objectives at all fronts and in every kind of conflict.

"Moreover, it will be used to maintain Israel's quality and advantage over its enemies and prevent their
growth and military capabilities, while limiting their operation in this field", the report stressed.

Additional goals defined by the document include creation of operational conditions that will assist in
fulfilling IDF capabilities in combat as well as influence public opinion and raise awareness by advocating
in the cyber space.

"Overall cyber space will be used to improve the operational effectiveness of the IDF, both during war and
peace time. This will be done through clandestine activity, while maintaining confidentiality and expertise",
it added.

Iranian authorities last week admitted that the malicious software dubbed "Flame" has attacked its
computer systems and ordered an urgent inspection of all cyber systems in the country.

Iranian experts said that Flame was able to overcome 43 different anti-virus programmes.

International media reports had named Israel as responsible for the Stuxnet attack on Iran's nuclear
cyber infrastructure.

The Jewish state has dubbed Tehran's nuclear programme an existential threat, vowing to foil the same
by "all options on the table".


04 Jun 12
Mehr News / Tehran Times
Obama Ordered Cyber Attack On Iran: NY Times
A cyber attack against Iran's nuclear program was the work of U.S. and Israeli experts and proceeded
under the secret orders of President Barack Obama, say current and former U.S. officials.

The origins of the cyber weapon have long been debated, with most experts concluding that the United
States and Israel probably collaborated. The current and former U.S. officials confirmed that
long-standing suspicion Friday, after a New York Times report.

The officials, speaking on the condition of anonymity to describe the classified effort code-named Olympic
Games, said it was first developed during the George W. Bush administration and was geared toward
damaging Iran's nuclear capability gradually while sowing confusion among Iranian scientists about the
cause of mishaps at a nuclear plant.

The use of the cyberweapon -- malware designed to infiltrate and damage systems run by computers --
was supposed to make the Iranians think that their engineers were incapable of running an enrichment
facility.

"The idea was to string it out as long as possible," said one participant in the operation. "If you had
wholesale destruction right away, then they generally can figure out what happened, and it doesn't look
like incompetence."

Even after software security companies discovered Stuxnet loose on the Internet in 2010, causing
concern among U.S. officials, Obama secretly ordered the operation continued and authorized the use of
several variations of the computer virus.

The National Security Agency developed the cyber weapon with the help of Israel.

As a signatory to the nuclear Non-Proliferation Treaty, Iran has the legal right to develop nuclear technology
for peaceful purposes.

Iran has described the cyber-attacks as part of a "terrorist" campaign backed by Israel and the United
States.

White House spokesman Josh Earnest declined comment on the substance of the New York Times
article, but denied "in the strongest possible terms" that it was an authorized leak of classified information.


04 Jun 12
Ars Technica
"Flame" Malware Was Signed By Rogue Microsoft Certificate
Emergency Windows update nukes credentials minted by Terminal Services bug.

Microsoft released an emergency Windows update on Sunday after revealing that one of its trusted digital
signatures was being abused to certify the validity of the Flame malware that has infected computers in
Iran and other Middle Eastern countries.

(U) Microsoft has pushed out a new patch for Windows. (Ars Technica, 04 Jun 12)

The compromise exploited weaknesses in Terminal Server, a service many enterprises use to provide
remote access to end-user computers. By targeting an undisclosed encryption algorithm Microsoft used
to issue licenses for the service, attackers were able to create rogue intermediate certificate authorities
that contained the imprimatur of Microsoft's own root authority certificate - an extremely sensitive
cryptographic seal. Rogue intermediate certificate authorities that contained the stamp were then able to
trick administrators and end users into trusting various Flame components by falsely certifying they were
produced by Microsoft.

"We have discovered through our analysis that some components of the malware have been signed by
certificates that allow software to appear as if it was produced by Microsoft," Microsoft Security Response
Center Senior Director Mike Reavey wrote in a blog post published Sunday night. "We identified that an
older cryptography algorithm could be exploited and then be used to sign code as if it originated from
Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize
Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the
ability to sign code, thus permitting code to be signed as if it came from Microsoft."

The exploit, which abused a series of intermediate authorities that were ultimately signed by Microsoft's
root authority, is the latest coup for Flame, a highly sophisticated piece of espionage malware that came
to light last Monday. Flame's 20-megabyte size, its extensive menu of sophisticated spying capabilities,
and its focus on computers in Iran have led researchers from Kaspersky Lab, Symantec, and other
security firms to conclude it was sponsored by a wealthy nation-state. Microsoft's disclosure follows
Friday's revelation that the George W. Bush and Obama administrations developed and deployed
Stuxnet, the highly advanced software used to set back the Iranian nuclear program by sabotaging
uranium centrifuges at Iran's Natanz refining facility.

The emergency update released by Microsoft blacklists three intermediate certificate authorities tied to
Microsoft's root authority. All versions of Windows that have not applied the new patch can be tricked
by the Flame attackers into displaying cryptographically generated assurances that the malicious wares
were produced by Microsoft.

Microsoft engineers have also stopped issuing certificates that can be used for code signing with the
Terminal Services activation and licensing process. The ability of the licensing mechanism to sign
untrusted code that linked to Microsoft's root authority is a mistake of breathtaking proportions. None of
Microsoft's Sunday night blog posts explained why such a design was ever allowed to be put in place. A
description of the Terminal Services License Server Activation refers to a "limited-use digital certificate
that validates server ownership and identity." Based on Microsoft's description of the attack, it would
appear the capabilities of these certificates weren't as limited as company engineers had intended.

"This is a pretty big goof," Marsh Ray, a software developer for two-factor authentication company
PhoneFactor, told Ars. "I don't think anyone realized that this enabled the sub CA that was present on the
licensing server to have the full authority of the trusted root CA itself."

Microsoft's mention of an older cryptography algorithm that could be exploited and used to sign code
as if it originated from Microsoft evoked memories of an attack from 2008 to mint a rogue certificate
authority that could be trusted by all major browsers. The attack in part relied on weaknesses in the MD5
cryptographic hash function that made it susceptible to "collisions," in which two or more different plaintext
messages generated the same cryptographic hash. By unleashing 200 PlayStation 3 game consoles
to essentially find a collision, the attackers could become a certificate authority that could spawn SSL
(secure sockets layer) credentials trusted by major browsers and operating systems.

Based on the language in Microsoft's blog posts, it's impossible to rule out the possibility that at least
one of the certificates revoked in the update was also created using MD5 weaknesses. Indeed, two of
the underlying credentials used MD5, while the third used the more advanced SHA-1 algorithm. In a
Frequently Asked Questions section of Microsoft Security Advisory (2718704), Microsoft's security team
also said: "During our investigation, a third Certificate Authority has been found to have issued certificates
with weak ciphers." The advisory didn't elaborate.

It's also unclear if those with control of one of the rogue Microsoft certificates could sign Windows
software updates. Such a feat would allow attackers with control over a victim network to hijack
Microsoft's update mechanism by using the credentials to pass off their malicious wares as official
patches. Microsoft representatives didn't respond to an e-mail seeking comment on that possibility. This
article will be updated if an answer arrives later.

Two of the rogue certificates were chained to a Microsoft Enforced Licensing Intermediate PCA. A third
was chained to a Microsoft Enforced Licensing Registration Authority CA, and ultimately to the company's
root authority. In addition to potential exploits from the actors behind Flame, unrelated attackers could
also use the certificates to apply Microsoft's signature to malicious pieces of software.

A third Microsoft advisory pointed out that Flame so far has been found only on the machines of highly
targeted victims, so the "vast majority of customers are not at risk."

"That said, our investigation has discovered some techniques used by this malware that could also
be leveraged by less sophisticated attackers to launch more widespread attacks," Jonathan Ness, of
Microsoft's Security Response Center, continued. "Therefore, to help protect both targeted customers and
those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk
to customers."


04 Jun 12
Trend Az
IT Official: 30 Countries Ask Iran For Help To Combat 'Flame'
Iran says 30 countries have asked it for help in fighting Flame, a computer programme designed to steal
data.

Australia, the Netherlands, India and Malaysia are among the countries that have contacted Iran's Maher
Centre to ask for the anti-virus programme that detects and destroys Flame, Fars news agency reports.

The Maher Centre (Maher means 'expert' in Persian) is part of the Information Technology Company
(ITC).

The ITC discovered Flame over a month ago and has been working on an anti-virus programme since
then, said Esmail Radkani, the organisation's deputy director.

"Detecting and writing a programme to wipe out Flame was especially complex," said Mr. Radkani.

Flame is the third programme to have targeted Iran for the purpose of gathering information, or attacking
a specific system.

In 2010, Iran's industrial and nuclear computer systems were attacked by the Stuxnet worm. The worm
was a malware designed to infect computers using Siemens Supervisory Control and Data Acquisition
(SCADA), a control system favoured by industries that manage water supplies, oil rigs and power plants.

Stuxnet was followed by Duqu, a virus designed to gather data for future cyber-attacks. Iran announced
the discovery of Duqu in November 2011.

Flame seems to have been created with the express purpose of gathering information. Experts believe it
could have been running for as long as five years before it was discovered.


04 Jun 12
IT Business
Microsoft Issues Update To Protect Businesses From Flame Malware
The software giant is advising businesses to install the update so they won't be infected with the Flame
malware that targeted computers in Iran.

Businesses should install a Microsoft security update to avoid being duped by exploited certificates
that were used as part of the Flame malware attack against targeted Iranian computer networks.

The update fixes a vulnerability in Microsoft's Terminal Server Licensing Service that allowed signing of
software with certificates as if it were code originating from Microsoft, the company said in a blog post.

The post, written by Mike Reavey, the senior director of Microsoft Trustworthy Computing, says an older
cryptography algorithm proved exploitable and could be used to sign malicious code to certify that it came
from Microsoft.

Terminal Services Licensing Service provided certificates that were permitted to sign code as if it came
from Microsoft, the blog says. The certificates were intended to authorize Remote Desktop services
securely.

The company issued a security advisory about how to correct the problem, and recommends that
customers apply the update using update management software or Microsoft Update service.

"The update revokes the trust of the following intermediate [certificate authority] certificates: Microsoft
Enforced Licensing Intermediate PCA (2 certificates), Microsoft Enforced Licensing Registration Authority
CA (SHA1)," the advisory says.

An intermediate CA is a certificate authority that doesn't have the trust of the device it is connecting
to, but it does have the trust of a root CA that the device does trust. Chains of intermediate CAs can
lead back to a trusted root CA, and devices attempt to follow those chains to establish authenticity of
certificates.

Weaknesses in this chain-of-trust system were exploited repeatedly last year against SSL
certificates used by browsers to authenticate websites. This led to repeated calls for a new authentication
system.
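
(Added example, not part of the IT Business article or of Microsoft's code.) The chain-following and trust revocation described above can be modelled as policy checks applied while walking from a signing certificate back to a trusted root. All certificate records, names and fields below are constructed for illustration, and no cryptographic signatures are verified.

```python
from dataclasses import dataclass, replace

CODE_SIGNING = "codeSigning"  # EKU label used in this constructed model


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_hash: str                  # hash in the issuer's signature over this cert
    is_ca: bool = False
    ekus: frozenset = frozenset()  # empty = no usage restriction


def build_chain(leaf, store):
    """Follow issuer names upward from the leaf until a self-issued cert."""
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.issuer != cur.subject:
        parent = store.get(cur.issuer)
        if parent is None:
            raise ValueError(f"no issuer certificate for {cur.subject!r}")
        if parent.subject in seen:
            raise ValueError(f"issuer loop at {parent.subject!r}")
        chain.append(parent)
        seen.add(parent.subject)
        cur = parent
    return chain


def evaluate(leaf, store, trusted_roots, distrusted=frozenset(),
             weak_hashes=frozenset(), purpose=CODE_SIGNING):
    """Return (ok, reasons); reasons lists every policy failure in the chain."""
    try:
        chain = build_chain(leaf, store)
    except ValueError as exc:
        return False, [str(exc)]
    reasons = []
    root = chain[-1]
    if root.subject not in trusted_roots:
        reasons.append(f"untrusted root: {root.subject}")
    for i, cert in enumerate(chain):
        if cert.subject in distrusted:
            reasons.append(f"distrusted certificate in chain: {cert.subject}")
        if i > 0 and not cert.is_ca:
            reasons.append(f"issuer is not a CA: {cert.subject}")
        # The root's self-signature is not relied on, so its hash is skipped.
        if cert is not root and cert.sig_hash in weak_hashes:
            reasons.append(f"weak signature hash {cert.sig_hash}: {cert.subject}")
        # A usage restriction on any link limits everything issued beneath it.
        if cert.ekus and purpose not in cert.ekus:
            reasons.append(f"{purpose} not permitted by: {cert.subject}")
    return not reasons, reasons


# Constructed hierarchy: a licensing sub CA with no usage restriction sits
# under a trusted root, so anything it issues inherits the root's trust.
ROOT = Cert("Example Root Authority", "Example Root Authority", "sha1", is_ca=True)
LICENSING_PCA = Cert("Example Licensing Intermediate PCA",
                     "Example Root Authority", "sha1", is_ca=True)
LICENSE_SUB_CA = Cert("Example License Server Sub CA",
                      "Example Licensing Intermediate PCA", "md5", is_ca=True)
SIGNER = Cert("Example Code Signer", "Example License Server Sub CA", "md5",
              ekus=frozenset({CODE_SIGNING}))
STORE = {c.subject: c for c in (ROOT, LICENSING_PCA, LICENSE_SUB_CA)}
ROOTS = {ROOT.subject}


def scenarios():
    """Evaluate the same signer under four validation policies."""
    constrained = dict(STORE)
    constrained[LICENSE_SUB_CA.subject] = replace(
        LICENSE_SUB_CA, ekus=frozenset({"licenseServer"}))
    return {
        "unpatched": evaluate(SIGNER, STORE, ROOTS),
        "distrust_update": evaluate(SIGNER, STORE, ROOTS,
                                    distrusted={LICENSING_PCA.subject}),
        "reject_md5": evaluate(SIGNER, STORE, ROOTS, weak_hashes={"md5"}),
        "eku_constrained": evaluate(SIGNER, constrained, ROOTS),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:16} trusted={ok} {why}")
```

The "unpatched" case passes because nothing in the chain restricts what the licensing sub CA may issue; each of the other three policies (distrusting the intermediate, rejecting MD5 signatures, constraining the sub CA's permitted usage) independently breaks the chain.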


04 Jun 12
Fars News
Report: US, Israel Using All Capabilities In Cyber War On Iran
The United States and Israel have mobilized all their capabilities and best hi-tech centers in a cyber war
against Iran, reports said.

The US is pursuing a wide-ranging, high-tech campaign against Iran's nuclear program that includes the
cybersabotage project known as Stuxnet, which was developed by the Central Intelligence Agency in
conjunction with Idaho National Laboratory, the Israeli government, and other US agencies, according to
people familiar with the efforts.

"It's part of a larger campaign," said a former US official familiar with the efforts. "It's a preferable
alternative to airstrikes."

Through the administrations of President Barack Obama and his predecessor, George W. Bush, the US
has pursued a cyber campaign, code-named "Olympic Games," to attack the Iranian program, former US
officials said.

The existence of Stuxnet and the presumption of US and Israeli involvement have been widely reported,
even though US officials have never confirmed the government's role. The code name and scope of the
project and other details of the effort were reported on Friday by the New York Times in an adaptation
from a coming book.

In 2010, it was the United States who launched Stuxnet, a seek-and-destroy cyber missile against Iran's
nuclear infrastructure, according to the report. The virus was, in fact, created jointly by the United States
and Israel, it said.

In his first months in office, Obama covertly ordered sophisticated attacks on the computers that ran Iran's
nuclear facilities, upping US use of cyber weaponry in a sustained attack, the newspaper said.

But after a programming error, the worm whooshed around the world on the Internet.

The paper said the US continued using the worm although it knew that the malware would damage
centers and facilities around the globe.

"Should we shut this thing down?" Obama asked, members of his national security team who were in the
room told the paper.

Only recently has the US government acknowledged developing cyber-weapons.

Now efforts are underway to decipher the origins of another malicious program experts believe is part of
government-sponsored cyber warfare and intelligence gathering. Again, Iran is the target, said the report.

As the Los Angeles Times' Sergei L. Loiko wrote earlier this week, computer virus experts at Russia's
Kaspersky Lab came across this malware while searching for a villain dubbed the Wiper.

"We entered a dark room in search of something and came out with something else in our hands,
something different, something huge and sinister," Vitaly Kamlyuk, a senior antivirus expert at Kaspersky
Lab, said in an interview.

Flame, as it's called, can copy and steal data and audio files, turn on a computer microphone and record
all the sounds nearby, take screen shots, read documents and emails, and capture passwords and logins.

The program can communicate with other computers in its vicinity through the infected computer's
Bluetooth and locate them even without an Internet connection, Kamlyuk said.

"Many people still think that cyber warfare is a myth and a fantasy, but as we reassemble and study one
by one the numerous components and modules of this unique program we see that it is a real weapon of
this undeclared war that is already going on."


04 Jun 12
Fars News
Leader's Military Aide Warns US Of Iran's Tough Response To Military Attack
A top military advisor of the Iranian Supreme Leader warned the US and Israel to avoid military moves
against Iran, cautioning that any aggression against the country would be reciprocated with a crushing
blow to vulnerable enemy targets.

Major General Yahya Rahim Safavi warned that in case of a military attack, Iran would strike back at its
enemies with equal force and with reciprocal levels of damage.

"We don't have direct access to the US territory, but Americans have a number of bases and interests
in the region. Americans have more than 20 bases and 100,000 forces in the region, they can all be
threatened by Iran, and Americans know it very well," Rahim Safavi told FNA.

He further reiterated that the US forces in the Middle East "are very vulnerable".

Safavi, a former commander of Iran's Islamic Revolutionary Guards Corps (IRGC), said that in the case of
a military strike against Iran by Israel, Iran's reprisal would be even harsher.

"We don't have any limitations...and our long-range missiles can confront Israel effectively. There is no
place in Israel that is not within the range of our missiles," Safavi said.

He also said that if Israel launched strikes against Iran, in the first two weeks, 1 million Jews would flee
from Israel.

However, Major General Safavi said that he believed Iran does not face a "significant military threat" in
the current year. He said that the economic situation in the United States and Israel was the reason why
those countries wouldn't start a new war in the region. If the United States and Israel did launch a war,
Safavi said that its end would not be under their control but in the hands of the Islamic Republic.

Safavi also accused Iran's "enemies" of trying to promote the idea that the country is under the threat of
an imminent military attack.

In March, the Supreme Leader said that in the face of aggression Iran would retaliate on the same level.
Khamenei also said that Iran did not have nuclear weapons and had no intention of producing them.

Safavi praised the Supreme Leader for what he described as his "brilliant" fatwas against nuclear and
chemical weapons, in which he declared weapons of mass destruction "haram" (religiously banned).

On Sunday, the Supreme Leader also warned the US and Israel against military action against Iran, and
said enemies' threats to Iran indicate that they are deeply fearful of the country's power.

Addressing tens of thousands of people who had gathered at Imam Khomeini's mausoleum to mark the
23rd anniversary of the demise of the late founder of the Islamic Republic, Ayatollah Khamenei said that
the Zionist regime's military threats against Iran are due to its fear and frustration.

"The leaders of the Zionist regime are well aware that they are more vulnerable today than any other time
and that every misstep and every inappropriate move will strike them like a thunderbolt."

The Supreme Leader of the Islamic Revolution referred to the conditions of the West and America, and
added, "Today because of their economic, financial and social problems, western governments are
helpless against their own people and they are just trying to maintain appearances."

Ayatollah Khamenei said that the collapse of certain allies of America in Europe and the increasing hatred
of nations towards America show that there is a serious crisis in the West.

He reiterated that America is trying to divert attention towards Asia, Africa and the Middle East region by
creating conflicts.

"Today the Americans have turned to the experience and expertise of the British in creating religious and
ethnic conflicts. For this reason, all nations, all religious scholars and all academic elites in the region -
both Shiite and Sunni - should take care not to contribute to the enemy's plots."

The Supreme Leader of the Islamic Revolution described the actions of the West and the Americans as
dim-witted and stressed, "In order to cover up their problems and divert attention from the crisis they are
involved in, they magnify the nuclear issue of Iran and put it at the top of global issues and they deceitfully
speak about nuclear weapons."

Ayatollah Khamenei said that the efforts by the West and America will not produce any results.

His Eminence said that the enemies of the Islamic Revolution are afraid of the Iranian nation because it
has made progress and turned into a role model for the nations of the region and the world.

"The efforts made by the political communities of the world to magnify the threat posed by a nuclear Iran
are based on nothing but a lie because they are afraid of an Islamic Iran, not a nuclear Iran."

Ayatollah Khamenei stressed that the Iranian nation has shaken the foundations of the arrogant powers
by proving that it is possible to achieve progress without relying on America and other global powers.

"America and other global powers are trying to convince nations and political elite that progress is
impossible without America's support, but the Iranian nation has proven the opposite and this is a great
lesson for the nations of the world."


03 Jun 12
Press TV
Legal Action Must Be Taken Against US Over Cyber Attacks: Analyst
By Hassan Beheshtipour - about the author: a researcher, documentary producer, and a frequent
contributor to Press TV, Hassan Beheshtipour was born on June 22, 1961 in the Iranian capital. He
received his BA in Trade Economics from the prestigious Tehran University. His research topics span
from US and Russian foreign policy to the Ukrainian Orange Revolution. The Iranian analyst is currently
busy with research on the 1979 US embassy takeover in Tehran.

It seems that in addition to defending itself against this undeclared cyberwar which targets its national
interests, Iran must launch such initiatives as filing a lawsuit with international legal authorities on the
US cyberwar against Iran. Of course, due to the nature of the "cyberwar," international laws on this
phenomenon are not clear-cut yet. However, since this is the United States' first experience in foreign
cyberwar, as admitted by the New York Times, it can also be Iran's first experience in using legal defense
against the US "cyber-aggression."

Hassan Beheshtipour
In an article published on Friday June 1, 2012, The New York Times revealed that in the first months of
his presidency, US President Barack Obama had secretly ordered a cyber attack with the Stuxnet virus
against Iran.


This important and revealing report was based on an 18-month research which included interviews with
former and current US, European, and Israeli officials and selection from the book "Confront and Conceal:
Obama's Secret Wars and Surprising Use of American Power," by David Sanger. The book is due to be
published on Tuesday, June 5.

This report, contrary to similar contents that are mostly based on scenarios devised by the US intelligence
and security apparatuses, is worth a comprehensive analysis, because for the first time, this "investigative
report" reveals that the cyber operation began in the era of the former US President George W. Bush
under the codename "Olympic Games". This operation, that was designed using destructive codes with
Israeli cooperation, is in fact the first sustained US cyber attack against another country.

In this respect, it is just like the 1953 coup d'état launched by the US Central Intelligence Agency (CIA). It,
too, was the agency's first overseas endeavor which led to the overthrow of the government of the Iranian
Prime Minister Mohammad Mosaddeq and the imposition of the dependent rule of Mohammad Reza
Shah on the Iranian nation.

The only difference being that at the time Britain's MI6, which had seen its interests compromised as a
result of the nationalization of the Iranian oil, was complicit with the CIA in the plot.

Background:

According to Western sources, the destructive Stuxnet virus was created by the US and Israel and had
infiltrated Iran's cyber network in 2010 with the cooperation of Germany's Siemens company. Iranian
officials said they had managed to prevent it from successfully completing its mission. In 2011, it was
also reported that the US had created the data-thieving Duqu virus to steal intelligence from Iran's vital
industrial and oil and gas energy infrastructure.

On May 28, Kaspersky Lab security senior researcher Roel Schouwenberg told Reuters that a
data-stealing virus, called Flame, had been discovered. He said the virus had contaminated thousands of
computers in the Middle East.

This worm, he added, was part of the cyber war that has been waged in the region, but it was not clear
who had created the virus.

Kaspersky Lab discovered Flame while investigating reports that a virus dubbed Wiper had attacked
computers in Iran.

According to Schouwenberg, Flame contains about 20 times as much code as Stuxnet and about 100
times as much code as a typical virus designed to steal financial information.

Analysis:

To fully grasp the importance of The New York Times article, it is necessary to take a look at the
comments of Senator John McCain, the 2008 Republican presidential candidate. While McCain, along
with the US Defense Secretary Leon Panetta, was on a visit to Singapore he told the reporters:

"Again we see these leaks to the media about ongoing operations, which is incredibly disturbing. Doesn't
this give some benefit to our adversaries?... We know the leaks have to come from the administration.
And so we're at the point where perhaps we need an investigation.¨

Ìt is clear that Mr. McCain is criticizing Obama who resorts to any means to win the election and even
discloses his country's secrets in order to get people's votes. Ìt seems that Obama helps the leak of such
news in order to prove that his plans against Ìran have not been a total failure. While helping the leak
of US secret policies, Obama knows what he is doing, but McCain apparently ignores that confirming
the New York Times report by him clearly proves that the US government, both under Republicans and
Democrats, spares no effort to achieve its expansionist goals.

By taking this position, Mr. McCain indirectly confirms the New York Times report to prove that the United
States and Ìsrael act in unison to control Ìran's peaceful nuclear energy program. Therefore, recent claims
about differences between Washington and Tel Aviv are a tactic to distract the world's public opinion from
US and Ìsrael's triple strategy against Ìran.

According to that triple strategy, the US, firstly, uses all its power to impose maximum sanctions beyond
the scope of UN resolutions against Ìran. Secondly, it employs all software possibilities to attack Ìran's
facilities and technology at all levels, including scientific and research centers in addition to oil, gas and
nuclear energy production centers. Thirdly, it will insist on continuation of negotiations with Ìran in order
to show, for propaganda purposes, that Washington advocates peaceful solutions. Such paradoxical
treatment creates practical conditions under which the world public opinion will be at loss for correct
understanding of US policies.

Explaining contradictory behavior of the US is only possible if US and Israel's policies, goals and plans
with regard to Iran have been carefully followed in the past 10 years in order to reveal the contradictory
nature of those policies, not only in words, but also in action.

Conclusion

It seems that in addition to defending itself against this undeclared cyber war which targets its national
interests, Iran must launch such initiatives as filing a lawsuit with international legal authorities on the
US cyberwar against Iran. Of course, due to the nature of the "cyberwar," international laws on this
phenomenon are not clear-cut yet. However, since this is the United States' first experience in foreign
cyberwar, as admitted by the New York Times, it can also be Iran's first experience in using legal defense
against the US "cyber-aggression." Some Iranian officials have already proposed this, but the issue was
not seriously followed by the Iranian Foreign Ministry.

All available evidence attests to the US and Israel's "cyber-aggression" against legitimate right of the
Iranian nation to peaceful technologies in all areas, including production of nuclear energy. Therefore,
there is no justification for not pursuing such a lawsuit with international bodies at a time that bullying
powers imagine that they can give legitimacy to any act of aggression under the cover of peace-seeking.


03 Jun 12
Jerusalem Post
IDF Admits To Using Cyber Space To Attack Enemies
Military reveals for first time that it uses cyber space to gather intelligence, conduct military operations.

The IDF uses cyberspace to gather intelligence, attack enemies and conduct various military operations,
the military revealed on Sunday in a posting on its official website.

The rare announcement was the first time the IDF officially admitted it engages in cyberwarfare for
offensive purposes. It also came a week after a new virus was discovered to have attacked

The IDF's Operations Directorate recently drafted a document defining the purpose and use of
cyberwarfare for the Israeli military.

According to the document, cyberspace is viewed by the army as another battlefield - like land, sea and
airspace.

"Professionally speaking, the IDF is fighting consistently and relentlessly in cyberspace, is collecting
intelligence and protecting the IDF networks as well," the army posting said. "When needed, cyberspace
is also used to execute attacks and other information operations."

The IDF said that the purpose of operations in cyberspace included "thwarting initiatives by Israel's
enemies to undermine the IDF's and Israel's operational freedom" in a wide variety of conflicts.

The timing of the publication of this information is interesting, as it comes just a week after the Flame
virus was discovered to have infected a significant number of computers in Iran.

Flame effectively turns every computer it infects into the ultimate spy. It can turn on PC microphones to
record conversations occurring near computers, take screenshots, log instant message chats, gather data
files and remotely change settings.

The day it was discovered, Strategic Affairs Minister Moshe Ya'alon fueled speculation of Israeli
involvement in developing Flame by praising Israeli technological prowess in response to a radio
interview on the issue.

Israel, he said, was blessed with superior technology: "These achievements of ours open all kinds of
possibilities for us," he said.

Military Intelligence Unit 8200 - the equivalent of the US National Security Agency and already the
supervisor of signal intelligence, eavesdropping on the enemy and code decryption - is responsible for
the IDF's offensive cyber capabilities. Defending military networks is under the supervision of the C4I
Directorate.

The branches work closely together and rely heavily on each other's input and experience.

The C4I Directorate, for example, receives intelligence on enemy cyber capabilities from military
intelligence, and Unit 8200 looks to the directorate for technical guidance.

The C4I Directorate also recently established a cyber war room in the Kirya military headquarters where
officers can keep an eye on the army's various networks. Currently, the directorate is developing a new
command-and-control system that will enable it to oversee all of the main networks at once - without
needing to look at each one individually.


03 Jun 12
The Nation - Pakistan
US Senator Accuses Obama
US Senator John McCain on Saturday accused President Barack Obama's administration of leaking
details of a reported cyber attack on Iran and other secret operations to bolster the president's image in
an election year. "Again we see these leaks to the media about ongoing operations, which is incredibly
disturbing. Doesn't this give some benefit to our adversaries?" McCain told reporters in Singapore, where
he was attending a summit on Asian security. McCain, who was defeated by Obama in the 2008
presidential election, said there had been ill-advised leaks previously that revealed details of the US raid
last year that killed Al-Qaeda leader Osama bin Laden and other operations.

"We know the leaks have to come from the administration. And so we're at the point where perhaps
we need an investigation," said McCain, the most senior Republican on the Senate Armed Services
Committee.

"So this is kind of a pattern in order to hype the national security credentials of the president and every
administration does it. But I think this administration has taken it to a new level."

The New York Times reported Friday that Obama accelerated cyberattacks on Iran's nuclear program
using the Stuxnet virus, and expanded the assault even after the virus accidentally made its way onto the
Internet in 2010.


02 Jun 12
Gulf Times - Qatar
Iran Vows 'Proportionate' Response To Any Strike
Iran will respond to any Israeli or US attack against its nuclear sites with a "proportionate" reaction, the
military adviser to the country's supreme leader Ali Khamenei said on Saturday.

General Yahya Rahim Safavi, quoted by Fars news agency, said however that such an attack was
unlikely.

Despite warnings from Washington and Israel that "all options are on the table" if negotiations between
Iran and major powers on Tehran's controversial nuclear programme fail, conditions do not favour an
assault, he said.

"They may be able start one but they can not end it and it remains in Iran's hands," the general said.

"The domestic political, economic and social conditions in America and the Zionist regime are not such as
to have a new war in the region," he said.

US President Barack "Obama wants to get re-elected (in November) ... the cabinet of Mr (Israeli prime
minister Benjamin) Netanyahu is a fragile one," he said.

However, in case of an attack, "we will act against their military operation smartly, proportional to any
damage that they inflict on us ... meaning we will hurt them as much as they hurt us."

Rahim Safavi warned that the whole of Israel was within range of the missiles of Hezbollah, Iran's Shiite
militia allies in Lebanon, and that US forces in the region were vulnerable.

"They have thousands of missiles ... (Hezbollah chief) Hassan Nasrallah is a soldier of the supreme
leader ... All places in the Zionist entity are within missile range," he said.

And "the 20 American bases and more than 100,000 soldiers in the region all face Iranian danger ... The
Americans know full well that all of their 60 warships in the Persian Gulf and Sea (Gulf) of Oman are
vulnerable," the general added.


02 Jun 12
Reuters
Cyber-Attacks "Bought Us Time" On Iran - U.S. Sources
The United States under former President George W. Bush began building a complex cyber-weapon to
try to prevent Tehran from completing suspected nuclear weapons work without resorting to risky military
strikes against Iranian facilities, current and former U.S. officials familiar with the program said.

Barack Obama accelerated the efforts after succeeding Bush in 2009, according to the sources who
spoke on condition of anonymity because of the classified nature of the effort. The weapon, called
Stuxnet, was eventually used against Iran's main uranium enrichment facilities.

The effort was intended to bridge the time of uncertainty between U.S. administrations after the 2008
presidential election in which Obama was elected, and allow more time for sanctions and diplomacy to
avert Iranian nuclear weapon development, according to the current and former officials.

The sources gave rare insight into the U.S. development of its cyber-warfare capabilities and the intent
behind it.

One source familiar with the Bush administration's initial work on Stuxnet said it had stalled Iran's nuclear
program by about five years.

"It bought us time. First, it was to get across from one administration to the next without having the issue
blow up. And then it was to give Obama a little more time to come up with alternatives, through the
sanctions, et cetera," said the source.

Only in recent months have U.S. officials become more open about the work of the United States and
Israel on Stuxnet, the sophisticated cyber-weapon directed against Iran's Natanz nuclear enrichment
facility that was first detected in 2010.

The cyber-attacks provided the United States with an avenue to try to stop Iran from producing a
suspected weapon without turning to military strikes against Iranian facilities - all at a time when U.S.
forces already were fighting wars in Iraq and Afghanistan, the sources said.

In the end, senior U.S. officials agreed the benefit of stalling Iran's nuclear program was greater than
the risks of the virus being harnessed by other countries or terrorist groups to attack U.S. facilities, one
source said.

HUNDREDS OF MILLIONS OF DOLLARS

Two sources with direct knowledge of the U.S. program said it cost hundreds of millions of dollars to carry
out.

The United States for years has been developing - and using - offensive cyber-capabilities to interfere
with the computers of adversaries, including during the Battle of Falluja in Iraq in 2004 and in finding
Osama bin Laden and other al Qaeda figures, the sources said.

Last year, the United States also explicitly stated for the first time that it reserved the right to retaliate with
military force against a cyber-attack.

The New York Times reported on Friday that from his first months in office, Obama secretly ordered
attacks of growing sophistication on the computer systems running the main Iranian nuclear enrichment
facilities, greatly widening the first sustained U.S. use of cyber-weapons. The Times said the attacks were
code-named Olympic Games.

White House spokesman Josh Earnest declined comment on the substance of the New York Times
article, but denied "in the strongest possible terms" that it was an authorized leak of classified information.

Obama is seeking re-election on November 6 in part on the strength of his foreign policy achievements.

Reuters reported on May 29 that the United Nations agency charged with helping member nations secure
their national infrastructures plans to issue a sharp warning about the risk of the Flame computer virus
that was recently discovered in Iran and other parts of the Middle East.

Stuxnet is one of many weapons in the U.S. cyber-arsenal, which some experts say also includes a
data-gathering tool known as Duqu that was deployed to cull information about Iran's weapons programs.

Iranian officials have described the cyber-attacks as part of a "terrorist" campaign backed by Israel and
the United States.

Some current and former U.S. officials, who asked not to be named, criticized the Obama administration
for talking too freely to the media about classified operations.

Representative Peter King, the Republican chairman of the House of Representatives Committee on
Homeland Security, said, "I believe that no one, including the White House, should be discussing
cyber-attacks."

"The U.S. will now be blamed for any sophisticated, malicious software, even if it was the Chinese or just
criminals," added Jason Healey, who has worked on cyber-security for the Air Force, White House and
Goldman Sachs, and is now with the Atlantic Council research group.


02 Jun 12
IRIB
Obama Govt. Leaked Details Of Anti-Iran Operation: McCain
Unclassified

US Senator John McCain has accused the White House of leaking details of a cyber attack and other
secret operations against Iran in order to increase his chances in the upcoming elections.

"Again we see these leaks to the media about ongoing operations, which is incredibly disturbing. Doesn't
this give some benefit to our adversaries?" McCain told reporters in Singapore on Saturday.

The New York Times reported on Friday that Obama secretly ordered a cyber attack with the Stuxnet
computer virus against Iran to sabotage the country's nuclear energy program "from his first months in
office."

"Mr. Obama decided to accelerate the attacks - begun in the Bush administration and code-named
Olympic Games - even after an element of the program accidentally became public in the summer of
2010 because of a programming error," the report added.

"We know the leaks have to come from the administration. And so we're at the point where perhaps we
need an investigation," said McCain, who was defeated by Obama in the 2008 presidential election.

"So this is kind of a pattern in order to hype the national security credentials of the president and every
administration does it. But I think this administration has taken it to a new level."

In July 2010, media reports claimed that Stuxnet had targeted industrial computers around the globe, with
Iran being the main target of the attack. They said the country's Bushehr nuclear power plant was at the
center of the cyber attack.

However, Iranian experts detected the virus in time, averting any damage to the country's industrial sites
and resources.


02 Jun 12
Gulf News
US, Iran Dig In For Long Cyber War
The United States and Iran are locked in a long-running cyber war that appears to be escalating amid a
stalemate over Tehran's disputed nuclear programme.

The Flame virus that surfaced recently may be part of the face-off, but Washington probably has more
sophisticated tools at its disposal, security specialists say.

"Large nations with large spy agencies have been using these kinds of techniques for more than a
decade," said James Lewis, a senior fellow who monitors technology at the Centre for Strategic and
International Studies in Washington.

Lewis said cyber espionage is "not a weapon" but can be "very effective" as an intelligence tool and can
avoid some of the problems with traditional surveillance such as spy planes.

"If you have to choose between this and a pilot being paraded through the streets of Tehran, this is much
preferable," he said.

But Lewis noted that the Flame virus is more primitive than one would expect from US intelligence
services.

"I hope it wasn't the US that developed it because it isn't very sophisticated," he told AFP.

He said Israel has quite advanced capabilities as well, and that this probably means Flame was
developed in a "second-tier country."

Some analysts, however, consider Flame to be highly sophisticated.

The International Telecommunications Union said the virus is "a lot more complex than any other
cyber-threat ever seen before."

Rough version

Johannes Ullrich, a computer security specialist with the SANS Technology Institute, said Flame is a
rather "clumsy" tool compared to other types of malware, but that it may be a rough version or prototype
which can be wrapped into a "more polished" version.

"The technical part isn't that great, and I think it has been a bit hyped in some of the reports," Ullrich said.

Exactly where the malware came from is impossible to know from the code, Ullrich said.

"It doesn't look like one single individual," he said. "Whether it is a government or some criminal group, it's
hard to tell."

Marcus Sachs, former director of the SANS Institute's Internet Storm Centre, said Flame "could be written
by virtually anybody but it looks similar to targeted espionage from a country."

Sachs said Flame is not a sabotage tool like the Stuxnet virus that targeted control systems in Iran, but
instead resembles spyware seeking "to gain intellectual property, but it could be surveillance by a foreign
government."

Neither the US nor the Israeli government has openly acknowledged authoring Flame, though a top
Israeli minister said use of the software to counter Iran's nuclear plans would be "reasonable."

The US military has acknowledged working on both defensive and offensive cyber war systems.

The Pentagon's Defence Advanced Research Projects Agency (Darpa) has revealed few details about
its "Plan X," which it calls a "foundational cyber warfare programme" that draws on expertise in the
academe, industry and the gaming community.

But a Darpa statement said the programme is "about building the platform needed for an effective cyber
offensive capability. It is not developing cyber offensive effects."

Sachs said the US has been open about developing its cyber capabilities and that Darpa, which created
the internet, is looking at longer-term projects that may involve technologies not yet deployed.

On the surface, it might be harder for the US to maintain superiority in cyberspace as it does in the skies,
for example, because the costs for computer programming is far less than for fighter planes.

But experts say the US is investing in cyberspace through Darpa and other projects.

Still, Sachs said measuring the capabilities of another country are not as easy as counting missile silos.

"There's no way to measure what a country has," he said.

The New York Times reported that President Barack Obama secretly ordered cyber warfare against Iran
to be ramped up in 2010 after details leaked out about Stuxnet, which some say came from the US, Israel
or both.

Capability boost

Ilan Berman, an analyst at the American Foreign Policy Council who follows Iran, said that with cyber
war simmering, Tehran is boosting its defensive and offensive capabilities.

"They feel like there is a campaign against them and they are mobilising in response," he said.

And the US should therefore be prepared for cyber retaliation from Iran.

"I think a cyber attack by Iran may not be as robust [as one from China or Russia], but politically it's more
likely," he said.

Lewis said the US and Iran have been engaged in struggles for the past decade, due to the nuclear issue
and suspected Iran involvement with certain forces in Iraq while US forces were deployed there.

But he said Flame and other cyber weapons are "not really warfare, it's primarily intelligence collection."

Lewis said he was not surprised that the discovery of the virus came from a Russian security firm,
Kaspersky, which worked with the ITU.

"Flame is a way to drive Russia's diplomatic agenda," which includes bringing the internet under UN
control, Lewis said.


01 Jun 12
Haaretz
The Flame Cyber Attack: How One Worm Changed The Discourse On An Iran Strike
The revelation that a new malware virus has been targeting Iran's nuclear program has led to speculation
about Israel's involvement.

Retired generals, including some who had only the most tenuous connection to cyber warfare during
their service, stepped in front of media microphones this week to scatter hints about the Flame virus that
attacked computers in Iran and Arab countries in the Middle East. This is the third such documented
attack in the past two years, all apparently aimed at the nuclear project of the ayatollahs' regime. The
sophistication of the assault, the widespread conjecture (which was not officially confirmed, of course)
about the involvement of Jewish genius in its development, and the ostensible proof that the Iranian
nuclear threat can, after all, be removed without recourse to dangerous aerial bombing - all this focused
international interest on the latest computer bug.

In fact, this is old news which has probably been known for some time to those who are engaged in this
realm or are following its developments close-up. Reporting Monday about Flame, Russia's Kaspersky
Lab, which deals in information security, was talking about a virus that was developed early in 2010. In
September of that year, the Stuxnet malware virus caused considerable damage to computers used in
connection with Iran's nuclear project.

Stuxnet, which according to a New York Times investigative report was a joint American-Israeli
development, was an offensive tool. For his part, Iranian President Mahmoud Ahmadinejad admitted the
worm had caused damage to his country's centrifuges, though he tried to downplay its importance. This
time around, at least according to the report from Russia, the goal of the Flame virus was espionage, not
interdiction: It is a means for extracting information from classified computers.

Somewhat perturbed

Former chief of staff Gabi Ashkenazi said Wednesday that the international strategy against Iran should
be based on three elements: a secret campaign, supported by economic and diplomatic sanctions, and
with "the option of the use of credible and available military force hovering above everything." The secret
campaign, he added laconically, "buys time, no more than that."

This balance between clandestine sabotage, sanctions and a military assault - and by implication also
the situation of fierce tension between Israel's senior political officials and some former top figures in
the defense establishment - was the theme of the Iran discussion held on Wednesday at the annual
conference of the Institute for National Security Studies at Tel Aviv University.

Prime Minister Benjamin Netanyahu made fewer references to the Holocaust and issued fewer warnings
this time around. It was Defense Minister Ehud Barak who, with obvious relish, assumed the task of
taking on the former defense luminaries.

Barak returned from a mid-May visit to Washington somewhat perturbed. The Israeli military attache
to the United States, Maj. Gen. Gadi Shamni, told the defense minister that, against the backdrop of
the resumption of the talks between Iran and the six world powers (the P5+1), the assessment in the
American capital was that the danger of an Israeli attack on Iran before the November elections had
passed.

Barak immediately set out to correct this impression. "Gen. Shamni told me that an atmosphere of calm
now prevails here," he told his hosts. "I want to make it clear: Our position has not changed one iota, not
in regard to the talks and not in regard to the implications of the Iranian project."

Barak's presentation at the Tel Aviv conference on Wednesday was apparently intended to uphold the
viability of the Israeli military threat, though he went about it in a somewhat complex manner. On the
one hand, the minister sounded more committed than ever to the need to remove the nuclear threat - by
military means if necessary. On the other, he seemed to be a little less clear about the timing of an attack.

Publicly, Barak is not talking about 2012 as the year for a decision (in closed forums he explains that
he does not want to provide the Iranians with advance information about Israel's timetable). Some
six months ago, in an interview on CNN, Barak warned that Iran was liable to complete its nuclear
consolidation in a "zone of immunity" to an Israeli attack. "It's true that it won't take three years, probably
three-quarters [of a year]," he said. At present, he is not going into that level of detail.

Absent this week was the outspoken personal dimension of discourse. For instance, former Shin Bet
security service head Yuval Diskin, who recently described Netanyahu and Barak as "messianic," did
not speak at the INSS gathering. His friend, former Mossad chief Meir Dagan, showed restraint. Even
when Barak stated that the Iranian threat does not allow anyone to sleep well, Dagan did not seize the
opportunity to point out that he is not sleeping well precisely because Netanyahu and Barak are making
the decisions.

The director of INSS, Maj. Gen. (ret.) Amos Yadlin, who was the director of Military Intelligence until about
a year and a half ago, is cautious when talking about Iran. It's clear he has some reservations about the
official line being taken by Netanyahu and Barak, but also that he is worried (far more than his colleagues
Dagan and Diskin) that public criticism on his part could be detrimental to the Israeli effort to establish a
substantial threat in regard to an attack on Iran.

In his talk, Yadlin presented conclusions that were drawn up by the institute's staff. They are
against "containing" the threat; warn that life in the shadow of an Iranian bomb will be far more complex
than that during the Cold War; and are less concerned about the likely consequences that an attack on
Iran will have for the Israeli home front, if Israel strikes first.

At the same time, the INSS staff warns that an attack on Iran is not a one-off event, and that afterward "it
is essential to ensure that the leading forces in the international community will be ready to mobilize for
continued obstruction of Iran." The staff maintains that it is critical to "create legitimization" for measures
taken against Iran - a posture shared by both Dagan and Ashkenazi in their remarks at the conference.
Barak also gave priority to preserving an international coalition, but argued that in the end Israel will be
solely responsible for its own security and future.

At the present juncture, ahead of another round of P5+1 talks with Iran in Moscow in mid-June, and with
severe sanctions scheduled to take effect at the beginning of July, Yadlin's last point appears to be of
overriding importance: If it is agreed that the campaign against Iran is an ongoing one, which will not end
with a military attack but will require a significant international follow-up - Israel will find it very difficult to
ensure this if it decides to attack before the November elections, in explicit contradiction to the desire of
the Obama administration.

The Syrian debacle

In his remarks this week, Ehud Barak drew an analogy between the future handling of Iran and the
world's attitude toward the massacres in Syria. President Bashar Assad lost no sleep over the withdrawal
of the Western ambassadors from Syria, Barak said. The defense minister agreed with what Zvi Bar'el
wrote in Haaretz on Wednesday: If the international community is responding so slowly to events in Syria,
who will ensure that it will take timely action against Iran, when it becomes clear that action is required?

Expectedly, Meir Dagan described Assad's plight as an opportunity. The West, he said, needs to step up
the threat against the Iranian and Syrian regimes. Assad's fall, when it happens, will be "an extraordinary
opportunity to weaken Iran's status in the region."

The horrific photographs of the bodies of the children who were massacred by Assad's forces in Houla
last weekend immediately catapulted the crisis in Syria back to the top of the international agenda. Even
though dozens of people are killed every day in Syria (there were some weeks in which an unbelievable
daily average of 120 to 140 killings was recorded), the unbearable sight of the bodies of slaughtered
children laid out in a row a few days ago made even the most indifferent of the media outlets take notice
of the unfolding events there.

Indeed, even before the Houla massacre, numerous testimonies spoke about the murder and rape
of minors during efforts by Assad's security forces to suppress the protest movement. But this time it
was United Nations inspectors based in Syria, and not opposition spokesmen, who announced that at
least 108 people, among them 49 children, had been murdered in Houla. The inspectors also provided
additional information, which completely contradicted Damascus' claims: Only 20 of the dead were killed
by the army's artillery barrage against the residential neighborhood. The other 88 were executed, most of
them by being shot in the head at close range.

These testimonies, combined with the extensive media coverage, prodded Western decision makers to
take action. But it's hard not to be somewhat cynical: After 15 months of relentless killing and more than
13,000 dead (according to opposition estimates), Western countries have now remembered to expel the
Syrian ambassadors and to recall their own ambassadors from Damascus.

Barak is right: Assad has long since stopped taking the international community into account. He feels
secure as long as he enjoys Russian diplomatic support and Iranian financial and military aid, and refuses
to accept a plan that will enable him to leave the country safely, along the lines of the Yemen and Tunisia
models.

The best evidence of this was seen precisely in parallel to announcements by the European Union
countries that the Western ambassadors were being expelled: another massacre at Deir el-Zour (the town
adjacent to the nuclear site that was bombed by Israel - according to foreign media reports and the Bush
administration - in 2007) with more bodies of civilians who were executed in their homes.

On Tuesday and Wednesday, many dozens of people were killed in Syria, despite the seemingly
dramatic action by the West. On Tuesday, Assad met with UN envoy Kofi Annan, who was urgently
dispatched to Syria in the wake of the Houla attack. Assad declared, as usual, that the massacre had
been perpetrated by gangs of terrorists and not by his forces, but the UN inspectors stated that it was
most likely that the civilians in Houla were killed by the president's loyalists. Annan's efforts to achieve a
cease-fire have been an exercise in futility, but somewhat pathetically he continues to implore Assad to
return to the blueprint he drew up to stop the violence.

For the present, Assad continues to control his army, and his regime shows no signs of disintegrating.
Apparently this is a gradual process of weakening. The only development that has emerged with
some sort of potential to dissuade the Syrian president from continuing to shell densely populated
neighborhoods has been the declarations in recent days by France and Australia to consider a military
operation in Syria. While this could also generate brutally extreme reactions by Damascus, the alternative
is to allow Assad to go on massacring children and women as long as he wishes.


01 Jun 12
Press TV
Obama Ordered Stuxnet Cyber Attack On Iran: Report
A US daily has revealed that President Barack Obama secretly ordered a cyber attack with the Stuxnet
computer virus against Iran to sabotage the country's nuclear energy program.

"From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on
the computer systems that run Iran's main nuclear enrichment facilities, significantly expanding America's
first sustained use of cyber weapons," The New York Times quoted "participants in the program" as
saying on Friday.

The report added that the offensive was part of a wave of digital attacks codenamed "Olympic Games."

"Mr. Obama decided to accelerate the attacks - begun in the Bush administration and code-named
Olympic Games - even after an element of the program accidentally became public in the summer of
2010 because of a programming error," the report added.

The US daily also confirmed that the Stuxnet virus was created with the help of a secret Israeli
intelligence unit.

Stuxnet, first identified by the Iranian officials in June 2010, is a malware designed to infect computers
using a control system favored by industries that manage water supplies, oil rigs, and power plants.

In July 2010, media reports claimed that Stuxnet had targeted industrial computers around the globe, with
Iran being the main target of the attack. They said the country's Bushehr nuclear power plant was at the
center of the cyber attack.

However, Iranian experts detected the virus in time, averting any damage to the country's industrial sites
and resources.

On Wednesday, Head of the Information Technology Organization of Iran Ali Hakim Javadi said the
country's experts have managed to produce antivirus software that can spot and remove the newly
detected computer virus Flame, which experts say is 20 times more powerful than the Stuxnet virus.

Israeli Deputy Prime Minister Moshe Ya'alon strongly hinted Tuesday that Tel Aviv was involved in
creating the computer virus to sabotage Iran's nuclear energy activities.

Ya'alon expressed support for the creation of the virus and similar tools, arguing that it was "reasonable"
for anyone who sees Iran as a threat to take such steps.


01 Jun 12
New York Times
Obama Order Sped Up Wave Of Cyberattacks Against Iran
By David E. Sanger

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on
the computer systems that run Iran's main nuclear enrichment facilities, significantly expanding America's
first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks - begun in the Bush administration and code-named
Olympic Games - even after an element of the program accidentally became public in the summer of
2010 because of a programming error that allowed it to escape Iran's Natanz plant and sent it around
the world on the Internet. Computer security experts who began studying the worm, which had been
developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm's "escape," Mr. Obama,
Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon
E. Panetta, considered whether America's most ambitious attempt to slow the progress of Iran's nuclear
efforts had been fatally compromised.

"Should we shut this thing down?" Mr. Obama asked, according to members of the president's national
security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still
causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the
Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of
that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out
nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on
interviews over the past 18 months with current and former American, European and Israeli officials
involved in the program, as well as a range of outside experts. None would allow their names to be used
because the effort remains highly classified, and parts of it continue to this day.

These officials gave differing assessments of how successful the sabotage program was in slowing
Iran's progress toward developing the ability to build nuclear weapons. Internal Obama administration
estimates say the effort was set back by 18 months to two years, but some experts inside and outside the
government are more skeptical, noting that Iran's enrichment levels have steadily recovered, giving the
country enough fuel today for five or more weapons, with additional enrichment.

Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States
intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003,
though there is evidence that some remnants of it continue.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm
and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig.
Gen. Gholamreza Jalali, the head of Iran's Passive Defense Organization, said that the Iranian military
was prepared "to fight our enemies" in "cyberspace and Internet warfare." But there has been scant
evidence that it has begun to strike back.

The United States government only recently acknowledged developing cyberweapons, and it has never
admitted using them. There have been reports of one-time attacks against personal computers used by
members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems,
including during the NATO-led air attack on Libya last year. But Olympic Games was of an entirely
different type and sophistication.

It appears to be the first time the United States has repeatedly used cyberweapons to cripple another
country's infrastructure, achieving, with computer code, what until then could be accomplished only
by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as
the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups
that have dissected the code, said at a symposium at Stanford University in April. Those forensic
investigations into the inner workings of the code, while picking apart how it worked, came to no
conclusions about who was responsible.

A similar process is now under way to figure out the origins of another cyberweapon called Flame that
was recently discovered to have attacked the computers of Iranian officials, sweeping up information
from those machines. But the computer code appears to be at least five years old, and American officials
say that it was not part of Olympic Games. They have declined to say whether the United States was
responsible for the Flame attack.

Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games,
was acutely aware that with every attack he was pushing the United States into new territory, much
as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental
missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any
American acknowledgment that it was using cyberweapons - even under the most careful and limited
circumstances - could enable other countries, terrorists or hackers to justify their own attacks.

"We discussed the irony, more than once," one of his aides said. Another said that the administration was
resistant to developing a "grand theory for a weapon whose possibilities they were still discovering." Yet
Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.

If Olympic Games failed, he told aides, there would be no time for sanctions and diplomacy with Iran
to work. Israel could carry out a conventional military attack, prompting a conflict that could spread
throughout the region.

A Bush Initiative

The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good
options in dealing with Iran. At the time, America's European allies were divided about the cost that
imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam
Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing
another nation's nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by
negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence
had been exposed just three years before.

Iran's president, Mahmoud Ahmadinejad, took reporters on a tour of the plant and described grand
ambitions to install upward of 50,000 centrifuges. For a country with only one nuclear power reactor
- whose fuel comes from Russia - to say that it needed fuel for its civilian nuclear program seemed
dubious to Bush administration officials. They feared that the fuel could be used in another way besides
providing power: to create a stockpile that could later be enriched to bomb-grade material if the Iranians
made a political decision to do so.

Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military
strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon. Several
times, the administration reviewed military options and concluded that they would only further inflame a
region already at war, and would have uncertain results.

For years the C.I.A. had introduced faulty parts and designs into Iran's systems - even tinkering with
imported power supplies so that they would blow up - but the sabotage had had relatively little effect.
General James E. Cartwright, who had established a small cyberoperation inside the United States
Strategic Command, which is responsible for many of America's nuclear forces, joined intelligence
officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more
sophisticated cyberweapon than the United States had designed before.

The goal was to gain access to the Natanz plant's industrial computer controls. That required leaping the
electronic moat that cut the Natanz plant off from the Internet - called the air gap, because it physically
separates the facility from the outside world. The computer code would invade the specialized computers
that command the centrifuges.

The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted
into the computers, which were made by the German company Siemens and an Iranian manufacturer, to
map their operations. The idea was to draw the equivalent of an electrical blueprint of the Natanz plant,
to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds.
The connections were complex, and unless every circuit was understood, efforts to seize control of the
centrifuges could fail.

Eventually the beacon would have to "phone home" - literally send a message back to the headquarters
of the National Security Agency that would describe the structure and daily rhythms of the enrichment
plant. Expectations for the plan were low; one participant said the goal was simply to "throw a little sand in
the gears" and buy some time. Mr. Bush was skeptical, but lacking other options, he authorized the effort.

Breakthrough, Aided by Israel

It took months for the beacons to do their work and report home, complete with maps of the electronic
directories of the controllers and what amounted to blueprints of how they were connected to the
centrifuges deep underground.

Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set
to work developing the enormously complex computer worm that would become the attacker from within.

The unusually tight collaboration with Israel was driven by two imperatives. Israel's Unit 8200, a part of
its military, had technical expertise that rivaled the N.S.A.'s, and the Israelis had deep intelligence about
operations at Natanz that would be vital to making the cyberattack a success. But American officials
had another interest, to dissuade the Israelis from carrying out their own pre-emptive strike against the
Iranian nuclear facilities. To do that, the Israelis would have to be convinced that the new line of attack
was working. The only way to convince them, several officials said in interviews, was to have them deeply
involved in every aspect of the program.

Soon the two countries had developed a complex worm that the Americans called "the bug." But the bug
needed to be tested. So, under enormous secrecy, the United States began building replicas of Iran's P-1
centrifuges, an aging, unreliable design that Iran purchased from Abdul Qadeer Khan, the Pakistani
nuclear chief who had begun selling fuel-making technology on the black market. Fortunately for the
United States, it already owned some P-1s, thanks to the Libyan dictator, Col. Muammar el-Qaddafi.

When Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over the centrifuges he
had bought from the Pakistani nuclear ring, and they were placed in storage at a weapons laboratory in
Tennessee. The military and intelligence officials overseeing Olympic Games borrowed some for what
they termed "destructive testing," essentially building a virtual replica of Natanz, but spreading the test
over several of the Energy Department's national laboratories to keep even the most trusted nuclear
workers from figuring out what was afoot.

Those first small-scale tests were surprisingly successful: the bug invaded the computers, lurking for
days or weeks, before sending instructions to speed them up or slow them down so suddenly that their
delicate parts, spinning at supersonic speeds, self-destructed. After several false starts, it worked. One
day, toward the end of Mr. Bush's term, the rubble of a centrifuge was spread out on the conference table
in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to
test against the real target: Iran's underground enrichment plant.

"Previous cyberattacks had effects limited to other computers," Michael V. Hayden, the former chief of the
C.I.A., said, declining to describe what he knew of these attacks when he was in office. "This is the first
attack of a major nature in which a cyberattack was used to effect physical destruction," rather than just
slow another computer, or hack into it to steal data.

"Somebody crossed the Rubicon," he said.

Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to
rely on engineers, maintenance workers and others - both spies and unwitting accomplices - with
physical access to the plant. "That was our holy grail," one of the architects of the plan said. "It turns out
there is always an idiot around who doesn't think much about the thumb drive in their hand."

In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later,
more sophisticated methods were developed to deliver the malicious code.

The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians
were mystified about the cause, according to intercepts that the United States later picked up. "The
thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence," one of
the architects of the early attack said.

The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would
lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the
Natanz control room indicating that everything downstairs was operating normally. "This may have been
the most brilliant part of the code," one American official said.

Later, word circulated through the International Atomic Energy Agency, the Vienna-based nuclear
watchdog, that the Iranians had grown so distrustful of their own instruments that they had assigned
people to sit in the plant and radio back what they saw.

"The intent was that the failures should make them feel they were stupid, which is what happened,"
the participant in the attacks said. When a few centrifuges failed, the Iranians would close down
whole "stands" that linked 164 machines, looking for signs of sabotage in all of them. "They overreacted,"
one official said. "We soon discovered they fired people."

Imagery recovered by nuclear inspectors from cameras at Natanz - which the nuclear agency uses
to keep track of what happens between visits - showed the results. There was some evidence of
wreckage, but it was clear that the Iranians had also carted away centrifuges that had previously
appeared to be working well.

But by the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr.
Obama in the White House days before his inauguration, Mr. Bush urged him to preserve two classified
programs, Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush's advice.

The Stuxnet Surprise

Mr. Obama came to office with an interest in cyberissues, but he had discussed them during the
campaign mostly in terms of threats to personal privacy and the risks to infrastructure like the electrical
grid and the air traffic control system. He commissioned a major study on how to improve America's
defenses and announced it with great fanfare in the East Room.

What he did not say then was that he was also learning the arts of cyberwar. The architects of Olympic
Games would meet him in the Situation Room, often with what they called the "horse blanket," a giant
foldout schematic diagram of Iran's nuclear production facilities. Mr. Obama authorized the attacks to
continue, and every few weeks - certainly after a major attack - he would get updates and authorize
the next step. Sometimes it was a strike riskier and bolder than what had been tried previously.

"From his first days in office, he was deep into every step in slowing the Iranian program - the
diplomacy, the sanctions, every major decision," a senior administration official said. "And it's safe to say
that whatever other activity might have been under way was no exception to that rule."

But the good luck did not last. In the summer of 2010, shortly after a new variant of the worm had
been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz
machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and
two other crucial players in Olympic Games - General Cartwright, the vice chairman of the Joint Chiefs
of Staff, and Michael J. Morell, the deputy director of the C.I.A. - to break the news to Mr. Obama and
Mr. Biden.

An error in the code, they said, had led it to spread to an engineer's computer when it was hooked
up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the
American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating
itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least
to ordinary computer users.

"We think there was a modification done by the Israelis," one of the briefers told the president, "and we
don't know if we were part of that activity."

Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do
damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. "It's got to be the
Israelis," he said. "They went too far."

In fact, both the Israelis and the Americans had been aiming for a particular part of the centrifuge plant, a
critical area whose loss, they had concluded, would set the Iranians back considerably. It is unclear who
introduced the programming error.

The question facing Mr. Obama was whether the rest of Olympic Games was in jeopardy, now that a
variant of the bug was replicating itself "in the wild," where computer security experts can dissect it and
figure out its purpose.

"I don't think we have enough information," Mr. Obama told the group that day, according to the officials.
But in the meantime, he ordered that the cyberattacks continue. They were his best hope of disrupting the
Iranian nuclear program unless economic sanctions began to bite harder and reduced Iran's oil revenues.

Within a week, another version of the bug brought down just under 1,000 centrifuges. Olympic Games
was still on.

A Weapon's Uncertain Future

American cyberattacks are not limited to Iran, but the focus of attention, as one administration official put
it, "has been overwhelmingly on one country." There is no reason to believe that will remain the case for
long. Some officials question why the same techniques have not been used more aggressively against
North Korea. Others see chances to disrupt Chinese military plans, forces in Syria on the way to suppress
the uprising there, and Qaeda operations around the world. "We've considered a lot more attacks than we
have gone ahead with," one former intelligence official said.

Mr. Obama has repeatedly told his aides that there are risks to using - and particularly to overusing -
the weapon. In fact, no country's infrastructure is more dependent on computer systems, and thus more
vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before
it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.

This article is adapted from "Confront and Conceal: Obama's Secret Wars and Surprising Use of
American Power," to be published by Crown on Tuesday (05 Jun 12).

(U) How a Secret Cyberwar Program Worked (NYT, 01 Jun 12)

(U) Timeline: From Inception to a Leak (NYT, 01 Jun 12)


01 Jun 12
New York Times
Cyber Attacks On Iran - Stuxnet And Flame
Over the last few years, Iran has become the target of a series of notable cyberattacks, some of which
were linked to its nuclear program. The best known of these was Stuxnet, the name given to a computer
worm, or malicious computer program.

According to an article in The New York Times in June 2012, during President Obama's first few months
in office, he secretly ordered increasingly sophisticated attacks on Iran's computer systems at its nuclear
enrichment facilities, significantly expanding America's first sustained use of cyberweapons.

Mr. Obama decided to accelerate the attacks - begun in the Bush administration and code-named
Olympic Games - even after an element of the program accidentally became public in the summer of
2010 because of a programming error that allowed it to escape Iran's Natanz plant and sent it around
the world on the Internet. Computer security experts who began studying the worm, which had been
developed by the United States and Israel, gave it a name: Stuxnet.

The Natanz plant was hit by a newer version of the computer worm, and then another after that. The last
of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out
nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm
and contained it. In 2011, Iran announced that it had begun its own military cyberunit, but there has been
scant evidence that it has begun to strike back.

Internal Obama administration estimates say Iran's nuclear program was set back by 18 months to
two years, but some experts inside and outside the government are more skeptical, noting that Iran's
enrichment levels have steadily recovered, giving the country enough fuel today for five or more
weapons, with additional enrichment.

Stuxnet appears to be the first time the United States has repeatedly used cyberweapons to cripple
another country's infrastructure, achieving, with computer code, what until then could be accomplished
only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big
as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of many groups
that have dissected the code, said at a symposium at Stanford University in April. Those forensic
investigations into the inner workings of the code, while picking apart how it worked, came to no
conclusions about who was responsible.

The Flame Virus: More Harmful Than Stuxnet?

A similar dissecting process is now under way to figure out the origins of another cyberweapon called
Flame, a data-mining virus that in May 2012 penetrated the computers of high-ranking Iranian officials,
sweeping up information from their machines. But the computer code appears to be at least five years
old, and American officials say that it was not part of Olympic Games. They have declined to say whether
the United States was responsible for the Flame attack.

In a message posted on its Web site, Iran's Computer Emergency Response Team Coordination Center
warned that the virus was potentially more harmful than Stuxnet. In contrast to Stuxnet, Flame appeared
to be designed not to do damage but to secretly collect information from a wide variety of sources.

Researchers at Kaspersky Lab in Moscow said that Flame is likely part of the same campaign as Stuxnet,
though it appears to have been written by a different group of programmers. They declined to name the
government.

In April, Iran disconnected its main oil terminals from the Internet, after a cyberattack began erasing
information on hard disks in the Oil Ministry's computers. Iranian cyber defense officials labeled that
program Wiper.

The increasing number of cyberattacks on Iran runs parallel to a series of mysterious explosions and
assassinations of nuclear scientists and underscores growing feelings among officials and normal
Iranians that the country is increasingly targeted by covert operations, organized by the United States and
Israel.

Origins of Stuxnet: A Bush Initiative

The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good
options in dealing with Iran. At the time, America's European allies were divided about the cost that
imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam
Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing
another nation's nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by
negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence
had been exposed just three years before.

Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military
strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon. Several
times, the administration reviewed military options and concluded that they would only further inflame a
region already at war, and would have uncertain results.

For years the C.I.A. had introduced faulty parts and designs into Iran's systems -- even tinkering with
imported power supplies so that they would blow up -- but the sabotage had had relatively little effect.
General James E. Cartwright, who had established a small cyberoperation inside the United States
Strategic Command, which is responsible for many of America's nuclear forces, joined intelligence
officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more
sophisticated cyberweapon than the United States had designed before.

The goal was to gain access to the Natanz plant's industrial computer controls. That required leaping the
electronic moat that cut the Natanz plant off from the Internet -- called the air gap, because it physically
separates the facility from the outside world. The computer code would invade the specialized computers
that command the centrifuges.

The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted
into the computers, which were made by the German company Siemens and an Iranian manufacturer, to
map their operations. The idea was to draw the equivalent of an electrical blueprint of the Natanz plant,
to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds.
The connections were complex, and unless every circuit was understood, efforts to seize control of the
centrifuges could fail.

Eventually the beacon would have to "phone home" -- literally send a message back to the headquarters
of the National Security Agency that would describe the structure and daily rhythms of the enrichment
plant.

It took months for the beacons to do their work and report home, complete with maps of the electronic
directories of the controllers and what amounted to blueprints of how they were connected to the
centrifuges deep underground.

Developing a Complex Worm Called 'The Bug'

Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set
to work developing the enormously complex computer worm that would become the attacker from within.

Soon the two countries had developed a complex worm that the Americans called "the bug."

The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians
were mystified about the cause, according to intercepts that the United States later picked up.

The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would
lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the
Natanz control room indicating that everything downstairs was operating normally.

Imagery recovered by nuclear inspectors from cameras at Natanz -- which the nuclear agency uses
to keep track of what happens between visits -- showed the results. There was some evidence of
wreckage, but it was clear that the Iranians had also carted away centrifuges that had previously
appeared to be working well.

By the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr.
Obama in the White House days before his inauguration, Mr. Bush urged him to preserve two classified
programs, Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush's advice.

Obama Authorizes Cyberattacks to Continue

Mr. Obama authorized the attacks to continue, and every few weeks -- certainly after a major attack --
he would get updates and authorize the next step. Sometimes it was a strike riskier and bolder than what
had been tried previously.

In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became
clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a
zoo animal that found the keys to the cage.

An error in the code had led it to spread to an engineer's computer when it was hooked up to the
centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American-
and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself
all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to
ordinary computer users.

The question facing Mr. Obama was whether the rest of Olympic Games was in jeopardy, now that a
variant of the bug was replicating itself "in the wild," where computer security experts can dissect it and
figure out its purpose.

Within a week, another version of the bug brought down just under 1,000 centrifuges. Olympic Games
was still on.


31 May 12
Ettelaat
US Is Losing Regional Bases
A top Iranian commander says the United States is losing its geopolitical bases in the region as a
consequence of the wave of the Islamic Awakening in Muslim countries.

"The important event that has today impacted the atmosphere of the global and regional security as well
as our national security is the rapid geopolitical developments, particularly in Muslim countries," Deputy
Commander of the Islamic Revolution Guard Corps (IRGC) Brigadier General Hossein Salami said during
a conference on "Sustainable Security" in the capital Tehran on Wednesday, Press TV reported.

Referring to the wave of popular uprisings in the Middle East and North Africa, he added that "These
developments are upsetting the geopolitics in the world, an order which had been shaped by the Western
powers."

The Iranian commander went on to say that, "Today, the Zionist regime [of Israel] as a source of threat is
[also] losing its geopolitical supporters in the region."

Since January 2011, revolutions have swept through the Middle East and North Africa unseating dictators
such as Tunisian Zine El Abidine Ben Ali, Egyptian Hosni Mubarak, Yemeni Ali Abdullah Saleh and
Libyan Muammar Gaddafi.

Despite violent crackdowns, countries such as Bahrain have also been engaged in massive near-daily
demonstrations against their despotic US-backed rulers.

Protests have also spread to the US and Europe, where demonstrators are braving police brutality to
participate in rallies against financial greed, corporatism and austerity cuts.


30 May 12
Al Arabiya
U.N. Agency Plans Major Warning On 'Flame' Virus Risk; Israel On Alert
A United Nations agency charged with helping member nations secure their national infrastructures
plans to issue a sharp warning about the risk of the Flame computer virus that was recently discovered
in Iran and other parts of the Middle East, as Israel stepped up its supervision over computer systems of
commercial banks.

"This is the most serious (cyber) warning we have ever put out," said Marco Obiso, cyber security
coordinator for the U.N.'s Geneva-based International Telecommunications Union.

The confidential warning will tell member nations that the Flame virus is a dangerous espionage tool that
could potentially be used to attack critical infrastructure, he told Reuters in an interview on Tuesday.

"They should be on alert," he said, adding that he believed Flame was likely built on behalf of a nation
state.

The warning is the latest signal that a new era of cyber warfare has begun following the 2010 Stuxnet
virus attack that targeted Iran's nuclear program. The United States explicitly stated for the first time last
year that it reserved the right to retaliate with force against a cyber-attack.

A top Israeli minister said on Tuesday the use of cyber weapons, such as the newly uncovered Flame
virus, to counter Iran's nuclear plans would be "reasonable," hinting at Israel's possible involvement, AFP
reported.

"For anyone who sees the Iranian threat as significant, it is reasonable that he would take different steps,
including these, in order to hobble it," Vice Prime Minister Moshe Yaalon told army radio, just hours after
the virus was discovered by Russia's Kaspersky Lab.

"Israel is blessed with being a country which is technologically rich, and these tools open up all sorts of
possibilities for us," said Yaalon, who is also Israel's strategic affairs minister.

Evidence suggests that the Flame virus may have been built on behalf of the same nation or nations that
commissioned the Stuxnet worm that attacked Iran's nuclear program in 2010, according to Kaspersky
Lab, the Russian cyber security software maker that took credit for discovering the infections.

"I think it is a much more serious threat than Stuxnet," Obiso said.

He said the ITU would set up a program to collect data, including virus samples, to track Flame's spread
around the globe and observe any changes in its composition.

Kaspersky Lab said it found the Flame infection after the ITU asked the Russian company to investigate
recent reports from Tehran that a mysterious virus was responsible for massive data losses on some
Iranian computer systems.

So far, the Kaspersky team has not turned up the original data-wiping virus that they were seeking and
the Iranian government has not provided Kaspersky a sample of that software, Obiso said.

A Pentagon spokesman asked about Flame referred reporters to the Department of Homeland Security.

DHS officials declined to respond to specific questions about the virus, but an agency spokesman issued
a brief written statement that said: "DHS was notified of the malware and has been working with our
federal partners to determine and analyze its potential impact on the U.S."

Some industry participants appeared skeptical that the threat was as serious as the U.N. agency and
Kaspersky had suggested.

Meanwhile, Israel's Haaretz daily reported on Wednesday that the Shin Bet security service has recently
stepped up its supervision over computer systems of commercial banks, out of fear that they could
become the target of a cyber attack that could dry up the country's financial lifeblood.

According to the report, the Shin Bet is seeking to have the banks defined as institutions that are
responsible for essential infrastructure, which would enable the agency to supervise them even more
closely. All companies that fall under this definition have their computer systems directly supervised by
the Shin Bet via the National Information Security Authority.

Israel has suffered several cyber attacks over the past year. The most serious one was when a Saudi
hacker posted some 15,000 Israeli credit card numbers online. Hackers, meanwhile, shut down several
key Israeli websites, including those of the stock exchange and El Al Israel Airlines.

The Shin Bet responded to those attacks by ordering the Bank of Israel to have banks bar access to their
websites from certain sites in Iran, Saudi Arabia and Algeria, according to the Haaretz report.

Jeff Moss, a respected hacking expert who sits on the U.S. government's Homeland Security Advisory
Council, said that the ITU and Kaspersky were "over-reacting" to the spread of Flame.

"It will take time to disassemble, but it is not the end of the Net," said Moss, who serves as chief security
officer of the Internet Corporation for Assigned Names and Numbers, or ICANN, which manages some of
the Internet's key infrastructure.

"We seem to be getting to a point where every time new malware is discovered it's branded 'the worst
ever,'" said Marcus Carey, a researcher with cyber security firm Rapid7.

Organizations involved in cyber security keep some of their communications confidential to keep
adversaries from developing strategies to combat their defenses and also to keep other hackers from
obtaining details about emerging threats that they could use to build other pieces of malicious software.


30 May 12
IRIB English Radio
Zionist Regime Hints It Created Flame Malware
Unclassified

Zionist regime's Deputy Prime Minister Moshe Ya'alon has strongly hinted that the regime was involved in
creating the computer virus Flame -- a new Stuxnet-like espionage malware -- to sabotage Iran's nuclear
plans.

According to Press TV, speaking in an interview with Zionist regime's Army Radio on Tuesday, Ya'alon
expressed support for the creation of the virus and similar tools, saying it "opens up all kinds of
possibilities."

He also noted that it is reasonable for anyone who sees Iran as a threat to take such steps, saying
that "whoever sees the Iranian threat as a serious threat would be likely to take different steps, including
these, in order to hurt them."

Ya'alon made the remarks only hours after a Russian lab discovered the new virus.

The computer security firm Kaspersky Lab, one of the world's top virus-hunting agencies, said the virus is
being used as a cyber weapon to attack entities in several countries.


30 May 12
Mehr News
Iran Successfully Combats Flame Spyware
Iranian experts have created the required anti-virus software to clean the systems infected by a newly
detected virus that has been described as the most complex cyber menace to date, Ali Hakim-Javadi, the
Iranian deputy minister of information and communications technology, announced on Wednesday.

Reuters reported on Monday that security experts had discovered a new data-stealing spyware virus
dubbed Flame that they say had lurked inside thousands of computers across the Middle East for as long
as five years as part of a sophisticated cyber warfare campaign.

The Associated Press also quoted the director of Iran's Passive Defense Organization, Gholam Reza
Jalali, as saying on Wednesday that Iranian experts had "found" and "defeated" the Flame virus.


30 May 12
Fars News
Iran Slams Enemy Cyber Attack
Iran indirectly accused Israel of using a sophisticated malicious computer program to collect information
from the Islamic Republic as a UN agency warned that the Flame virus could be a more serious threat
than Stuxnet.

"Some countries and illegitimate regimes are used to producing viruses," Iranian Foreign Ministry
Spokesman Ramin Mehman-Parast told reporters on Tuesday when asked about a malware, codenamed
Flame.

His comments are seen as a clear reference to Israel. "Such acts of cyberwar would not damage Iran's
computer systems," he said.

Meantime, Israel's Deputy Prime Minister Moshe Ya'alon acknowledged the Zionist regime's cyber war
attack on Iran, including developing malicious softwares to damage sensitive Iranian data and computers.

According to a report posted by Israeli daily Jerusalem Post, in comments that proved Israel is behind
the "Flame" virus, Ya'alon on Tuesday said that "whoever sees the Iranian threat as a serious threat
would be likely to take different steps, including these, in order to hurt them."

Speaking in an interview with Army Radio, Ya'alon further hinted that Jerusalem was behind the cyber
attack and took alleged credit for his regime by saying that Israel is a technological power.

"These achievements of ours open up all kinds of possibilities for us," Ya'alon added.

Also on Tuesday, officials at the UN agency charged with helping member nations secure their national
infrastructures, said it plans to issue a sharp warning about the risk of the Flame virus.

"This is the most serious (cyber) warning we have ever put out," Marco Obiso, cyber security coordinator
for the UN's Geneva-based International Telecommunications Union, told Reuters. "I think it is a much
more serious threat than Stuxnet," Obiso said.

The confidential warning will tell member nations that the Flame virus is a dangerous espionage tool that
could potentially be used to attack critical infrastructure, he said in an interview. "They should be on alert,"
he said.

The US and Israel have made repeated attempts in the last several years to damage Iran's nuclear and
industrial sites through web infiltration and computer malwares.

Computers of some Iranian nuclear sites were attacked by the Stuxnet virus, the first known computer
worm discovered in 2010 to target industrial controls.


30 May 12
Fars News
Iran Shows Prompt Response To Israel's Cyber War
Iran declared on Tuesday that it has produced an anti-virus program against "Flame," an extraordinarily
sophisticated malware that attacked its servers recently.

In a statement, Iran's National Computer Emergency Response Team said that "investigations during the
last few months" had resulted in the detection of the virus, which has been dubbed Flame and is capable
of stealing data from infected computers.

"It seems there is a close relation to the Stuxnet and Duqu targeted attacks," the statement said, adding
that the malware's "propagation methods, complexity level, precise targeting and superb functionality"
were reminiscent of the Stuxnet and Duqu cyber threats to which Iran had also fallen victim.

Stuxnet was designed to damage Iran's nuclear sites, especially the Natanz uranium enrichment facility. Duqu,
like Flame, was apparently built for espionage but shared characteristics with Stuxnet.

Iran's National Computer Emergency Response Team also said it has developed tools to detect and
remove Flame from infected computers.

It said that the detection and clean-up tool was finished in early May and is now ready for distribution to
organizations at risk of infection.

Security companies said Flame, named after one of its attack modules, is one of the most complex
threats ever seen.

Iran says its home-grown defense could both spot when Flame is present and clean up infected PCs.

Flame was discovered after the UN's International Telecommunications Union asked for help from
security firms to find out what was wiping data from machines across the Middle East.

An investigation uncovered the sophisticated malicious program which, until then, had largely evaded
detection.

An in-depth look at Flame by the Laboratory of Cryptography and System Security at Hungary's
University of Technology and Economics in Budapest, said it stayed hidden because it was so different to
the viruses, worms and trojans that most security programs were designed to catch.

In addition, said the report, Flame tried to work out which security scanning software was installed on a
target machine and then disguised itself as a type of computer file that an individual anti-virus program
would not usually suspect of harboring malicious code.

Graham Cluley, senior technology consultant at security firm Sophos, said the program had also escaped
detection because it was so tightly targeted.

"Flame isn't like a Conficker or a Code Red. It's not a widespread threat," he told the BBC. "The security
firm that talked a lot about Flame only found a couple of hundred computers that appeared to have been
impacted."

Mr. Cluley said detecting the software was not difficult once it had been spotted.

"It's much easier writing protection for a piece of malware than analyzing what it actually does," he
said. "What's going to take a while is dissecting Flame to find out all of its quirks and functionality."

It is not yet clear who created Flame but experts say its complexity suggests that it was the work of a
nation state rather than hacktivists or cyber criminals.

Figures released by Kaspersky Labs in a report about the malicious program said 189 infections were
reported in Iran, compared to 98 in Israel/Palestine and 32 in Sudan. Syria, Lebanon, Saudi Arabia and
Egypt were also hit.

Israel has tried to take the credit for the malware with its Deputy Prime Minister Moshe Ya'alon saying on
Tuesday that "whoever sees the Iranian threat as a serious threat would be likely to take different steps,
including these, in order to hurt them."

Speaking in an interview with Israel's Army Radio, Ya'alon further hinted that Jerusalem was behind the
cyber attack.

"These achievements of ours open up all kinds of possibilities for us," Ya'alon added.

In April, Iran briefly disconnected servers from the net at its Kharg island oil terminal as it cleared up after
a virus outbreak - now thought to be caused by Flame.


30 May 12
Uskowi on Iran
Iran Under Cyber-Attack By Data-Mining Virus
(U) The computer virus known as Flame as shown by the Russian computer security firm Kaspersky Lab/
Agence France-Presse/Getty Images, 30 May 12)

The data-mining virus called Flame has reportedly penetrated important computers in Iran in what is
described as the most malicious program ever discovered. Iran's Computer Emergency Response Team
Coordination Center (CERTCC) also warned that the virus was extremely dangerous. Iranian computer
experts discovered Flame, which could reportedly be as much as five years old.

"The complexity and functionality of the newly discovered malicious program exceed those of all other
cyber menaces known to date," reported Kaspersky Lab, a Russian producer of antivirus software
[International Herald Tribune, 30 May].

Experts believe that the virus bears special encryption hallmarks with similarities to previous Israeli
malware. In an interview with Radio Israel, the country's vice prime minister and strategic affairs minister,
Moshe Yaalon, all but took responsibility for the attack.

"Anyone who sees the Iranian threat as a significant threat -- it's reasonable that he will take various
steps, including these, to harm it," said Yaalon in response to a question on Flame virus.

Flame seems to be designed to mine data from personal computers and to have been distributed through
USB sticks rather than the Internet, meaning that a USB has to be inserted manually into at least one
computer in a network.

"This virus copies what you enter on your keyboard; it monitors what you see on your computer screen,"
said a spokesman for Iran's CERTCC. That includes collecting passwords, recording sounds if the
computer is connected to a microphone, scanning disks for specific files and monitoring Skype.

"Those controlling the virus can direct it from a distance," said the CERTCC spokesman. "Flame is no
ordinary product. This was designed to monitor selected computers."


30 May 12
Jerusalem Post
PM: Israel Increasing Its Cyber-Defense Capabilities
Speaking at INSS, Netanyahu says as one of world's most computerized countries, Israel vulnerable to
cyber threat; does not mention 'Flame' virus that has been attacking Iranian computers.

The capacity Israel is developing in the cyber sphere is significantly increasing its defensive capabilities,
Prime Minister Binyamin Netanyahu said Tuesday, a day after it was revealed that a computer virus has
been attacking Iran.

Netanyahu, speaking at the annual conference in Tel Aviv of the Institute for National Security Studies
(INSS), said that when it comes to cyberspace, the size of a country is not significant. But there is, he
said, great significance to a country's "scientific strength, and with that Israel is blessed."

Netanyahu did not mention the cyber issue in direct connection to the virus dubbed "Flame" that has been
attacking Iranian computers, but rather in the context of five threats Israel faced, the other four being
nuclear weapons, missiles, the enormous stockpiles of weapons in the region, and the influx of illegal
migrants.

Netanyahu said that as one of the world's most computerized countries, Israel is also one of the most
vulnerable to cyber attacks, and for that reason was investing tremendously in finances and human
resources to develop its cyber capabilities.

Regarding Iran, Netanyahu voiced criticism of the strategy behind the current talks between Tehran and
the world powers known as the P5+1 -- the US, Russia, China, France, Britain and Germany. Netanyahu
said that not only did the world need to stiffen sanctions against Iran, which he said it has done, but that it
also needed to stiffen its demands, which it has not.

He said that the objectives of the negotiations needed to be to get Iran to stop all uranium enrichment,
transfer its stockpile of enriched uranium out of the country and close the underground facility at
Qom. Only a clear Iranian commitment in the negotiations to those three demands, and their full
implementation, can stop the Iranian nuclear program, he said.

Unfortunately, Netanyahu declared, while in the past the world demanded that Iran stop enrichment even
to 3.5 percent, "that is not what is happening today."

"On the one hand, good is being done through imposing heavy economic sanctions on Iran, that is
important and we called for it," he said. "But on the other hand, these sanctions need to be accompanied
by the demands that I spelled out."

Only a combination of the two, he said, will bring about an end to the Iranian nuclear program.

Regarding the Palestinian diplomatic process, Netanyahu said the process was important first and
foremost to prevent a bi-national state and strengthen Israel's future as a Jewish, democratic state.

"We do not want to rule over the Palestinians, and we do not want the Palestinians as citizens of the
State of Ìsrael,¨ he said, adding that was why he declared on three separate occasions his support for
peace "between two national states, a demilitarized Palestinian state that will recognize a Jewish state.¨

Netanyahu said the new government he has put together with Kadima reflected a wide consensus for
a twostate solution with iron-clad security guarantees, and called on Palestinian Authority President
Mahmoud Abbas "not to miss this unique opportunity.¨

He said he was not placing any conditions on entering negotiations, though he did ÷ as do the
Palestinians ÷ have conditions regarding their outcome.

Switching into English for just a sentence, Netanyahu said, "President Abbas, all we are saying is give
peace a chance.¨

The prime minister rejected the notion, however, that peace with the Palestinians would bring about
regional peace and stability. Referring to Ìslamic radicalism, Netanyahu's said huge historic forces were
working against regional stability, and would continue to work to destroy Ìsrael and torpedo any chances
for peace.

Quoting from a 1968 book by historian Will Durant, Netanyahu said there was no historical or natural
guarantee that good would eventually win out and evil be crushed and disappear, but rather that a nation
was obligated at all times to defend itself and had the right to use the necessary means to ensure its
survival.

In his nearly 30-minute address, Netanyahu also discussed the issue of illegal migrants from Africa,
saying that the problem had to be dealt with both by stopping the flood of immigrants and extraditing
those here illegally. He said that extradition was a long and arduous process, but that Israel was
determined to carry it out. First, he said, Israel would return to their homeland the relatively small group of
migrants from South Sudan, and then move on to other nationalities.

At the same time, Netanyahu called on public figures and the public at large to demonstrate restraint and
responsibility.

"We are a moral people and will act accordingly," he declared.

"We reject violence; we respect human rights. Let us not lose our divine image, nor deny it in others. But
with that we cannot accept a situation where migrants from a full continent will come here to work. We
must protect our borders in order to ensure Israel's future as a Jewish democratic state."


29 May 12
New York Times
Iran Confirms Attack By Virus That Collects Information
By Thomas Erdbrink

(U) The computer virus known as Flame as shown by the Russian computer security firm Kaspersky Lab.
(NYT, 29 May 12)

The computers of high-ranking Iranian officials appear to have been penetrated by a data-mining virus
called Flame, in what may be the most destructive cyberattack on Iran since the notorious Stuxnet virus,
an Iranian cyberdefense organization confirmed on Tuesday.

In a message posted on its Web site, Iran's Computer Emergency Response Team Coordination Center
warned that the virus was dangerous. An expert at the organization said in a telephone interview that it
was potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for
Iran's nuclear enrichment program. In contrast to Stuxnet, the newly identified virus is designed not to do
damage but to collect information secretly from a wide variety of sources.

Flame, which experts say could be as much as five years old, was discovered by Iranian computer
experts. In a statement about Flame on its Web site, Kaspersky Lab, a Russian producer of antivirus
software, said that "the complexity and functionality of the newly discovered malicious program exceed
those of all other cyber menaces known to date."

The virus bears special encryption hallmarks that an Iranian cyberdefense official said have strong
similarities to previous Israeli malware. "Its encryption has a special pattern which you only see
coming from Israel," said Kamran Napelian, an official with Iran's Computer Emergency Response
Team. "Unfortunately, they are very powerful in the field of I.T."

While Israel never comments officially on such matters, its involvement was hinted at by top officials
there. "Anyone who sees the Iranian threat as a significant threat - it's reasonable that he will take
various steps, including these, to harm it," said the vice prime minister and strategic affairs minister,
Moshe Yaalon, in a widely quoted interview with Israel's Army Radio on Tuesday.

In a speech Tuesday night, Prime Minister Benjamin Netanyahu did not mention Flame specifically,
but he did include computer viruses as one of five critical types of threats Israel faces, saying: "We are
investing a great deal of money in that, human capital and financial capital. I expect these investments to
yield a great deal in the coming years."

Mr. Napelian said that Flame seemed designed to mine data from personal computers and that it was
distributed through USB sticks rather than the Internet, meaning that a USB has to be inserted manually
into at least one computer in a network.

"This virus copies what you enter on your keyboard; it monitors what you see on your computer screen,"
Mr. Napelian said. That includes collecting passwords, recording sounds if the computer is connected to a
microphone, scanning disks for specific files and monitoring Skype.

"Those controlling the virus can direct it from a distance," Mr. Napelian said. "Flame is no ordinary
product. This was designed to monitor selected computers."

Mr. Napelian said he was not authorized to disclose how much damage Flame had caused, but guessed
the virus had been active for the past six months and was responsible for a "massive" data loss. Iran says
it has developed antivirus software to combat Flame, something that international antivirus companies
have yet to do, since they have just become aware of its existence.

"One of the most alarming facts is that the Flame cyberattack campaign is currently in its active phase,
and its operator is consistently surveilling infected systems, collecting information and targeting new
systems to accomplish its unknown goals," Alexander Gostev, chief security expert at Kaspersky Lab,
said on the company's Web site.

Those close to Iran's leaders said that the virus was tantamount to an attack.

"I am no virus expert, and my computer seems to be working," said Sadollah Zarei, a columnist for the
state newspaper, Kayhan, "but I know this is covert warfare, aimed at weakening us."

Jodi Rudoren contributed reporting from Tel Aviv.

This article has been revised to reflect the following correction:

Correction: May 30, 2012. An earlier version of this article misstated the contents of the message posted
on the Web site of Iran's Computer Emergency Response Team Coordination Center. The message said
the Flame virus was dangerous, not that it was potentially more harmful than the 2010 Stuxnet virus. That
observation was made by an expert from the center.


29 May 12
Jerusalem Post
Ya'alon Hints At Israeli Role In 'Flame' Virus
Israel's superior technology "opens up all kinds of possibilities," says vice premier on new virus found
attacking Iran.

In comments that could be construed as suggesting that Israel is behind the "Flame" virus, the latest
piece of malicious software to attack Iranian computers, Vice Premier Moshe Ya'alon on Tuesday said
that "whoever sees the Iranian threat as a serious threat would be likely to take different steps, including
these, in order to hurt them."

Speaking in an interview with Army Radio, Ya'alon further hinted that Jerusalem was behind the cyber
attack, saying "Israel is blessed to be a nation possessing superior technology. These achievements of
ours open up all kinds of possibilities for us."

The virus, dubbed "Flame," effectively turns every computer it infects into the ultimate spy. It can turn on
PC microphones to record conversations taking place near the computer, take screenshots, log instant
messaging chats, gather data files and remotely change settings on computers.

Security experts from the Russian Kaspersky Lab, who announced Flame's discovery on Monday, said
it is found in its highest concentration in Iranian computers. It can also be found in other Middle Eastern
locations, including Israel, the West Bank, Syria and Sudan.

The virus has been active for as long as five years, as part of a sophisticated cyber warfare campaign,
the experts said.

It is the most complex piece of malicious software discovered to date, according to Kaspersky Lab's
senior security researcher Roel Schouwenberg, who said he did not know who built Flame.

If the Lab's analysis is correct, Flame could be the third major cyber weapon directed against Iran, after
the Stuxnet virus that attacked Iran's nuclear program in 2010, and its data-stealing cousin Duqu.

The complexity of the latest 'Flame' virus bears the hallmarks of a program engineered by a state, a
number of Israeli computer experts believe.

As details of Flame filtered through the media, network security experts in Israel, requesting anonymity,
studied the initial reports, and indicated that they believed small groups of hackers could not be behind
the virus.

"This is not a couple of hackers who sat in a basement," one expert said. "This is a large, organized
system. It is possible that years were invested in creating it."

A second analyst said that viruses at this level of sophistication require major capabilities and knowledge
of code development, noting that "these are available only to states. And that's without mentioning a
motive for developing [such a program]."


29 May 12
Fars News
Israel Admits To Waging Cyber War On Iran
Israel's Deputy Prime Minister Moshe Ya'alon acknowledged the Zionist regime's cyber war attack on
Iran, including developing malicious software to damage sensitive Iranian data and computers.

According to a report posted by Israeli daily Jerusalem Post, in comments that proved Israel is behind
the "Flame" virus, Ya'alon on Tuesday said that "whoever sees the Iranian threat as a serious threat
would be likely to take different steps, including these, in order to hurt them."

Speaking in an interview with Army Radio, Ya'alon further hinted that Jerusalem was behind the cyber
attack, and took alleged credit for his regime by saying that Israel is a technological power.

"These achievements of ours open up all kinds of possibilities for us," Ya'alon added.

The virus, dubbed "Flame," effectively turns every computer it infects into the ultimate spy. It can turn on
PC microphones to record conversations taking place near the computer, take screenshots, log instant
messaging chats, gather data files and remotely change settings on computers.

Security experts from the Russian Kaspersky Lab, who announced Flame's discovery on Monday, said it
is found in its highest concentration in Iranian computers, but they also underlined that the virus can also
be found in other Middle Eastern locations, including Israel, the West Bank, Syria and Sudan.

The virus has been active for as long as five years, as part of a sophisticated cyber warfare campaign,
the experts said.

Kaspersky Lab's senior security researcher Roel Schouwenberg said he did not know who built Flame.

If the Lab's analysis is correct, Flame could be the third major cyber weapon directed against Iran, after
the Stuxnet virus that attacked Iran's nuclear program in 2010, and its data-stealing cousin Duqu.

In December, officials in Tehran said that Iran's defense computer systems have been able to identify and
control a "supervirus" similar to the one the US and Israel created to damage Tehran's nuclear program.

Anti-virus experts have identified a virus called Duqu that they said shared properties with the Stuxnet
worm apparently created by Mossad, the Israeli security service. It was thought to have targeted the
nuclear program's centrifuges, the devices that enrich uranium to create nuclear fuel.

Iran has confirmed some of its computer systems were infected with the Duqu trojan, but said it has found
a way to control the malware.

Security organizations had previously identified Iran as one of at least eight countries targeted by the
code.

The spyware is believed to have been designed to steal data to help launch further cyber attacks.


28 May 12
Alakhbar
Israel, Iran, Lebanon hit by "Flame" super-virus
Security experts have discovered a new data-stealing virus dubbed Flame they say has lurked inside
thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber
warfare campaign.

It is the most complex piece of malicious software discovered to date, said Kaspersky Lab security senior
researcher Roel Schouwenberg, whose company discovered the virus. The results of the Lab's work were
made available on Monday.

Once a system was infected with Flame, the virus began a series of operations including analyzing
network traffic, taking screenshots, and recording audio conversations.

All this data was available to the operators of the virus, who would effectively have been able to access
anything on those computers remotely.

Iran was most badly affected by the virus, while Israel, Palestine and Lebanon were also hit.

Iran's National Computer Emergency Response Team posted a security alert stating that it believed
Flame was responsible for "recent incidents of mass data loss" in the country.

Schouwenberg said he did not know who built Flame but suggested it was probably state sponsored.

If confirmed, Flame would be the third major cyber weapon uncovered after the Stuxnet virus that attacked
Iran's nuclear program in 2010, and its data-stealing cousin Duqu, named after the Star Wars villain.

The discovery by one of the world's largest makers of anti-virus software will likely fuel speculation that
nations have already secretly deployed other cyber weapons.

"If Flame went on undiscovered for five years, the only logical conclusion is that there are other
operations ongoing that we don't know about," Schouwenberg said in an interview.


28 May 12
Israel National News
The 'Flame' Computer Virus Strikes Iran, 'Worse Than Stuxnet'
Iranian security experts report a virus far more dangerous than the Stuxnet worm has struck the country's
computer systems.

Dubbed the "Flame," the virus is one that has struck not only Iran, however, but a number of other
enemies of Israel as well.

The Kaspersky Internet security firm is calling the "Flame" data-stealing virus the "most sophisticated
cyber-weapon yet unleashed" and hinted it may have been created by the makers of the Stuxnet worm.

Kaspersky called the virus a "cyber-espionage worm" designed to collect and delete sensitive information,
primarily in Middle Eastern countries.

The "Flame" has struck at least 600 specific computer systems in Iran, Syria, Lebanon, Egypt, Sudan,
Saudi Arabia and the Palestinian Authority, Kaspersky malware expert Vitaly Kamluk told the BBC. He
added that the virus has probably been operating discreetly for at least two years.

"This virus is stronger than its predecessor," he said. "It is one that could only have been created by a
state or other large entity."

Problems in Iran's computer systems are also continuing to surface in connection with the 2010 "Stuxnet"
virus. The malware successfully disabled the computers that operated Iran's uranium enrichment facility.
More than 16,000 of the Natanz facility's centrifuges were destroyed as a result of the cyber attack.

