A malware program called Flame has likely been stealing data since 2010 from computers in seven Middle Eastern countries, including Iran, Israel, and Syria, according to Russian antivirus vendor Kaspersky Lab, which announced the find a little more than a month ago. Company analyst Aleks Gostev wrote that it was “the most sophisticated cyber weapon yet,” able to steal files, take screenshots, grab audio, and discover nearby devices. It has “the ability to turn infected computers into all-purpose spying machines that can even suck information out of nearby cell phones,” the AP reported.
The Kaspersky announcement came shortly after advocates for a stronger public and private response to cyberthreats in the United States decried the level of complacency about this menace at an April congressional committee hearing on the issue. It’s hard to marshal support for a nearly invisible threat, however. Those trying to sound the alarm are hampered by the unwillingness of governments to reveal national security incidents and the reluctance of companies to publicize their own security breaches, both of which make it impossible to assess the size of the problem.
As Shawn Henry, president of CrowdStrike Services and a former executive assistant director at the FBI, said at the hearing, people read about cybercrimes like breached bank accounts, but “the most sophisticated and damaging attacks occur primarily out of the public’s sight,” because those incidents are classified. These are the threats from foreign intelligence services that are trying to obtain military and economic intelligence, he explained. As a result, “the real threat is grossly underappreciated by the public.”
The problem is exacerbated by the fact that “companies don’t have to report breaches involving intellectual property or critical infrastructure,” said James A. Lewis of the Center for Strategic and International Studies. “We all know the Google case [but] at least 34 other high-tech companies were also penetrated, although they did not report the fact,” he said, to illustrate the point.
In the past three years, “well-coordinated, organized teams [have] succeeded in extracting billions of dollars of intellectual property from leading global companies in the information technology, defense, and energy sectors,” McAfee, Inc. Executive Vice President Stuart McClure told the committee.