US on 'Israeli spy virus': We take steps to ensure confidentiality
US State Department treads lightly after report suggesting that Israeli spies planted a computer virus in hotels that hosted nuclear talks with Iran; expert: Virus can control computers remotely.
The cybersecurity firm that discovered the virus, Kaspersky Lab, said it was likely created by a state and had similarities to the Duqu virus, which many reportedly believe is the work of Israeli spies.
US State Department Press Office Director Jeff Rathke said that "these are claims by a private company… about another government," and noted that "more generally I can say that we… take steps certainly to ensure that… confidential, classified negotiating details stay behind closed doors in these negotiations."
The Wall Street Journal said the virus was widely believed to be used by Israeli spies and Kaspersky had linked it to "three luxury European hotels" used in the negotiations involving Iran and six world powers.
How it works
Guy Mizrahi, the CEO of information security company Cyberia, explained how the malicious virus works.
"This is a computer program which allows control of the computer from afar - if the computer has a microphone, it can be turned on and we can listen to everything that is happening in that room," he said.
"If the computer has a webcam, it can be activated and we can see what it is broadcasting, without the other side necessarily knowing. Even when the webcam has a light indicating it's on, that function can be turned off.
"These kinds of abilities have existed for over a decade and are easy to obtain. Basic spying activities like operating a microphone and webcam are very common in corporate intelligence and spying agencies."
Is there a way to know if a virus was installed in a computer?
"There are companies that deal with this kind of testing - it's not very simple to do. A private individual or an organization, with the tools at their disposal, cannot discover this. There are quite a few hotels that put a computer inside the room and customers use it to log onto their email and other program - this is where the information could be obtained from.
"Even if you don't use the computer itself, the webcam or microphone can be activated from afar and you can be spied on."
Is there a way to tell who is behind the virus?
"At the end of the day it's very hard to get to whoever created this virus. If an intelligence agency did this, it is trying not to leave loopholes and covers its tracks. There is no need for someone to physically infiltrate the hotel and install the virus. It could be done with an email including a link that when clicked, it installs the Trojan horse on the computer."
Is there a difference between a virus considered "Israeli-made" and one that isn't?
"There is really no proof that this was an Israeli-made or not Israeli-made virus. It's all speculation. If no mistakes were made in writing the code or operating it, there is no way to know if it was written by Israelis or operated by them."
Suspicions
Kaspersky said it looked into the "cyber-intrusion" after detecting the "Duqu 2.0" malware in its own systems in early spring this year, which it said was designed to spy on its technology, research, and internal processes.
Other victims of Duqu had been found in Western countries, the Middle East and Asia, it said in an emailed statement.
"Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal," the statement said.
Kaspersky said Duqu was previously used for an unspecified cyberattack in 2011 that bore similarities to Stuxnet, a computer "worm" that partially sabotaged Iran's nuclear program in 2009-2010 by destroying a thousand or more centrifuges that were enriching uranium.
Another Duqu attack, Kaspersky said, was carried out "in relation to" the commemoration of the 70th anniversary in January this year of the liberation of the Auschwitz-Birkenau Nazi concentration camp in Poland.
That ceremony was attended by the heads of state of Germany, France, Britain and other nations.
Kaspersky told the Wall Street Journal that the hackers may have eavesdropped on conversations and stolen electronic files after taking over hotel computer systems, allowing significant collection of secret information.
While Kaspersky has remained true to its policy and refrained from identifying a possible state actor by name, it provided a subtle clue that Duqu 2.0's origin may be in Israel: Its report discusses the attack under the headline "The Duqu Bet", perhaps a reference to the second letter in the Hebrew alphabet.
