The country that brought us Iranian nuclear assassinations, explosions at Iran missile bases, and Stuxnet, is at it again.
 |
| Map of known infections from Flame
|
…We’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame.
Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.…Flame is one of the most complex threats ever discovered.
Classical Zionism decrees that Israel should be a “light unto the nations.” But Israeli cyberwarriors have taken the saying a bit too literally making Israel a “flame” unto the nations. Such a contribution Israel is making to the advancement of western civilization. It would make Herzl and Ahad HaAm proud.
My major scoop is that my senior Israeli source confirms that it is a product of Israeli cyberwarfare experts. Most such products are produced by the IDF’s Unit 8200, though the Mossad also may take some role in such projects. So add to all the previous marginally successful efforts this new one. The goal is apparently to infiltrate the computers of individuals in Iran, Israel, Palestine and elsewhere who are engaged in activities that interest Israel’s secret police including military intelligence. My source also tells me that this is the first known instance in which Israeli intelligence has used malware to intrude on Israeli citizens. Within Israel and the Palestinian territories Flame is implemented by the Shin Bet. The “beauty” of it for the secret police is that unlike “legal” eavesdropping on phones or computers, you don’t need to ask for judicial approval to infect a computer. No Israeli police officer would ever investigate a case of an Israeli computer infected with Flame since it would lead to exposing Israeli security services.
Flame appears to be the third generation of Israeli malware after Stuxnet and Duqu, which were more specifically targeted at Iranian industrial facilities, specifically its centrifuge network. It shares some capabilities with them and exploits similar vulnerabilities to gain access to targeted computers and systems (though it is 20 times larger in size). There is also some indication of similar exploits used by Stuxnet and Flame used to access host computers, which indicate they may share common authorship or have been developed by two separate groups sharing data:
Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master…
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.
Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
The “innovation” of Flame is that it not only can record audio, which is a relatively rare feature of worms, it can intrude into the host in multiple ways to steal and monitor information (including recording keystrokes and taking screenshots). In this fashion it can capture IM conversations that might be otherwise encrypted. It’s what they call in baseball a “triple threat.” It also has lots of wifi features especially using Bluetooth which enable it to use the host to scan nearby electronic devices (possibly for vulnerabilities and access to them as well).
Unlike with Stuxnet, the creators of Flame obscured any possibly information that would identify when the original source was created. This would make it more difficult to track the code to its source in any specific way. Kapersky though considers the worm a creation that does not predate and says that its authors continue to refine it.
Unlike Stuxnet which was designed to sabotage Iran’s centrifuge network, Flame is not a single-focus malware:
…The creators of Flame are simply looking for any kind of intelligence – e-mails, documents, messages, discussions inside sensitive locations, pretty much everything. We have not seen any specific signs indicating a particular target such as the energy industry – making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes.
However, Flame can do some of the things that Stuxnet did, so it could also be adapted for such specific uses in the event it found a convenient target. Also, unlike Stuxnet which was designed to sabotage Iran’s nuclear program, the current worm targets individuals and organizations more than state entities:
There doesn’t seem to be any visible pattern re the kind of organizations targeted by Flame. Victims range from individuals to certain state-related organizations or educational institutions.
Flame uses at least 80 different servers and domain names to relay its data back home, so it is extremely difficult to track usage and where the information is transferred.
Kapersky notes that Flame may’ve been a companion project to Stuxnet and Duqu that was different enough from them that if the latter two were discovered, Flame could continue operating undetected:
…We believe Flame to be a parallel project, created as a fallback in case some other project is discovered.
Here is some further data on how Flame retrieves information and gleans what is useful to it from what is not:
Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide. The targets are also of a much wider scope, including academia, private companies, specific individuals and so on.
According to our observations, the operators of Flame…infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that aren’t interesting, leaving the most important ones in place. After which they start a new series of infections.
Like Stuxnet, Flame uses USB sticks as a method of infection and has two different ways it can accomplish this. Once inside, it can take advantage of multiple vulnerabilities to gain access not just to individual computers but entire networks.
When asked why the package is so big, Kapersky responded:
Much of these [the size of Flame] are libraries designed to handle SSL traffic, SSH connections, sniffing, attack, interception of communications and so on.
The cybersecurity experts note it took them months to analyze Stuxnet. Because of its greater size it will likely take a year to do the same for the current worm.
UPDATE: Senior Israeli minister, Bogie Yaalon, did everything but spill the beans to Galey Tzahal (Hebrew) in answering a question about the origin of Flame:
Anyone who believes that the Iranian threat is meaningful would find it desirable to take effective means, including these, to sabotage it. Israel is blessed with being a country that has tremendous technological capabilities. These tools open all sorts of possibilities for us.
Of course, this doesn’t answer the question why computers in Israel, Palestine, Egypt, Russia and the U.S. were infected as well. Especially since Flame targets specific computers and does not attack in a generalized way as Stuxnet did.
