In March 2014, Le Monde journalists Martin Untersinger and Jacques Follorou released an article based on documents from the Communications Security Establishment Canada (CSEC) accusing France of cyber-attacks against Iran between November 2009 and 2010, including against the Atomic Energy Organization of Iran (AEOI).
In July 2012, two years after the first discovery of Stuxnet, Meghan Kelly wrote for VentureBeat that an Iranian AEOI scientist had sent an SOS e-mail to F-Secure Chief Research Officer Mikko Hypponen, saying the AEOI was under cyber attack. In his e-mail, the scientist explained that the malware had shut down the AEOI's automation networks at the Natanz and Fordo facilities. As a reminder, Stuxnet is believed to be a joint U.S.-Israeli project, as covered by David Sanger for the New York Times in June 2012.
In conclusion, these events provide additional context on the political alignment between the U.S. and France in the current talks over Iran.
Last week again, during his polemical intervention, Bibi raised his “concerns” over Iranian nuclear capabilities and urged Congress to “act quickly” because “time is running out”. As Jon Stewart and the Intercept recently reminded us, Bibi made a strangely similar claim in front of Congress 19 years ago. To the Israeli concerns over Iranian nuclear capabilities, add the Israeli airstrike on the night of 5 September 2007 targeting Syria’s Al Kibar nuclear reactor, as covered by Erich Follath and Holger Stark for Der Spiegel in November 2009. This was also one of the first notable cyber-attacks, as initially covered by David Fulghum for Aviation Week in November 2007, and one that belongs to the “War on Fear” era. Pierre Razoux, Head of Research at NATO, provided a detailed analysis of the raid, mentioning that the North Korean-supplied nuclear components were among the targets of the airstrike.
An airstrike where the U.S. denied any involvement:
There was no U.S. active engagement other than consulting on potential target vulnerabilities, says a U.S. electronic warfare specialist.
The recent discoveries of BABAR, EVILBUNNY and CASPER are putting the French General Directorate for External Security (DGSE) in the spotlight as a nation-state cyber-attacker, due to the allegation from CSEC. Although BABAR (allegedly French malware) and STUXNET (allegedly U.S.-Israeli malware) seem to share the same political goal, the motives behind CASPER, which was discovered in April 2014 on the Syrian Judicial Private Investigation Commission website (jpic.gov.sy), still remain unclear.
This translates to three different alleged main actors who have targeted Iran and Syria over nuclear matters since 2007. The third and most recent potential actor (France) is not so surprising if you remember what the relationship between France and Iran was like in late 2009. On 25 September 2009, David Sanger and William J. Broad wrote an article for the NYT explaining that the U.S. and France were “warning” Iran over “Nuclear Deception”, where we can read the following:
President Nicolas Sarkozy of France was more blunt, giving Iran two months to meet international demands, and Mr. Brown said, “The international community has no choice today but to draw a line in the sand.”
WMI Query :: “SELECT * FROM AntiVirusProduct”
One of the techniques shared across BABAR, EVILBUNNY and CASPER, as highlighted by Marion Marschalek and Paul Rascagneres, is the ability to retrieve antivirus information using the WMI query “SELECT * FROM AntiVirusProduct”. A very simplistic trick, as you can see in the above screenshot, but one which only appeared publicly in 2008. The first occurrence of the above WMI SQL query is from May 2008, in a blog post by a Microsoft employee, Alejandro Campos Magenci, who provided a proof-of-concept (POC) VB script. A second occurrence appeared a few months later on a French online forum called “Comment Ca Marche” (How Does It Work, a collaborative website similar to StackOverflow), posted by a user under the nickname cs_omnia and authored by Hanteville Nicolas on 12 September 2008. This time the POC was a C++ implementation, providing enough information on using the Win32 WMI APIs to make it the first publicly usable C++ implementation. If the authors are the French government, as CSEC suggests, this would indicate that they picked up the trick from this French collaborative forum.
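To make concrete what that query actually exposes, here is an added PowerShell example (not code from the original post, nor from any of the malware families discussed). It runs the same “SELECT * FROM AntiVirusProduct” query from a defender's side, as an audit of which AV product is registered, whether it is enabled and whether its definitions are current. Assumptions: the class lives in the root/SecurityCenter2 namespace on Windows Vista and later client SKUs (Security Center is absent on Windows Server, so the query fails there), and the decoding of the productState field follows the commonly documented community convention rather than an official Microsoft specification; the function name Get-AvProductStatus is my own.

```powershell
# Added example, not from the original post: audit what the AntiVirusProduct
# class exposes on a Windows client and decode its productState value.
# Assumptions: root/SecurityCenter2 is present (client SKUs only), and the
# productState byte layout below is the community-documented convention,
# not an official specification.

function Get-AvProductStatus {
    [CmdletBinding()]
    param(
        # The same query shown in the post; Get-CimInstance runs it over WMI/CIM.
        [string]$Query = 'SELECT * FROM AntiVirusProduct',
        [string]$Namespace = 'root/SecurityCenter2'
    )

    try {
        $products = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
    }
    catch {
        # Typical on Windows Server, where Security Center does not exist.
        Write-Warning "Query failed in $Namespace (Server SKU or no Security Center?): $($_.Exception.Message)"
        return
    }

    foreach ($p in $products) {
        # productState is a 24-bit value; render it as a 6-digit hex string.
        $hex           = '{0:X6}' -f [int]$p.productState
        $enabledByte   = $hex.Substring(2, 2)   # 00/01 = disabled, 10/11 = enabled
        $signatureByte = $hex.Substring(4, 2)   # 00 = definitions up to date

        [pscustomobject]@{
            DisplayName        = $p.displayName
            ProductState       = "0x$hex"
            RealTimeEnabled    = ($enabledByte -notin @('00', '01'))
            DefinitionsCurrent = ($signatureByte -eq '00')
            SignedExe          = $p.pathToSignedProductExe
            Timestamp          = $p.timestamp
        }
    }
}

Get-AvProductStatus | Format-Table -AutoSize
```

Run as an ordinary user; the namespace does not require elevation, which is exactly why the query is attractive to malware: with one WQL statement it learns the product name, whether real-time protection is on and whether definitions are stale, with no file-system or registry probing that an EDR would more readily flag. For hunting purposes the query text alone is a weak signal, since inventory and management tools issue it routinely; the discriminating feature is the process that issues it and what it does next.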
Those recent events demonstrate the alignment between the Five Eyes, Israel and France regarding Iran, Syria and North Korea on the nuclear matters – and this goes without mentioning the rise of Daesh (ISIS) cells from Syria & Iraq in Europe.
Cyber-attack attribution is known to be difficult and controversial, and there is still a possibility that CSEC's attribution to the French government is erroneous. But as @thegrugq, an operational security expert, would ironically say:
After extensive research of the most likely suspect, it turns out over 5 million Chinese speak French! There are 1.3Bn Chinese, so 5/1,300 malware samples are expected to be in French – The Grugq
EDIT1 (7th April 2015):