Iran CERT fingers Flame for oil refinery attacks

The malware that cut Iran’s major oil arteries from the internet was likely the sophisticated Flame worm, Iran’s Computer Emergency Response Team (CCCERT) says.

The CERT told SC Magazine that it thought the April “wiping incident” in which key parts of Iran’s oil export sector had internet access cut, was due to the downloading and installation of a module of the Flame malware.

Iran’s Kharg Island terminal was responsible for exporting 90 per cent of the nation’s oil and was also disconnected along with an unknown number of other facilities across the country.

Mehr News said at the time of the infection that the disconnection had not disrupted crude oil production and exports. 

CCCERT planned to release a detailed report later today on the incident.

The malware was publicly detailed almost simultaneously by Iran’s CERT (which dubbed it Flamer), Kaspersky (Flame), and CrySyS (sKyWIper).

Each research entity detailed the malware, and noted similarities to Stuxnet and Duqu. Kaspersky researcher Alex Gostev said it was the “most sophisticated cyber weapon yet unleashed”.

It was described as surveillance malware and had the ability to record audio, keystrokes and even Bluetooth devices.

The malware had targeted predominately Middle Eastern countries and some European nations, but  its creator was unknown.

In an interview with Army Radio reported by ABC News, Israel's vice premier did not deflect suspicion about the nation's involvement in the creation of Flame.

"Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it," Israeli Vice Premier Moshe Yaalon said of Flame. "Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us."

CrySyS has released a detailed technical writeup on Flame (pdf) and you can download Iran CERT’s Flame removal tool from SC.

Copyright © SC Magazine, Australia