In early May of this year, the UN’s International Telecommunication Union approached groups of forensic analysts to investigate an unknown piece of malware that was removing sensitive data from computers in the Middle East region. Among those participating in the analysis were researchers from the Laboratory of Cryptography and System Security (CrySyS Lab) at the Budapest University of Technology and Economics, as well as analysts from security firm Kaspersky Lab.
Following in the wake of Stuxnet and Duqu, what the researchers discovered was the third in a line of sophisticated, targeted cyber threats made public over the last year. CrySyS Lab called the threat sKyWIper – but numerous security firms commonly dubbed it ‘Flame’, the namesake of an attack module in the encrypted malware’s code.
The same day CrySyS Lab released its report, Iran’s National Computer Emergency Response Team (MAHER) issued its own press release noting it had identified the same Flame malware – which had infected many selected targets in Iran – in response to its investigation of Stuxnet and Duqu.
MAHER said Flame went undetected by 43 different anti-virus products, but that it had already created a detection and removal tool that it was distributing to affected organizations within the country. The timing of the announcement, perhaps not coincidentally, came just a day before a New York Times article implicating the US government’s role in the Stuxnet infection that compromised Iran’s Natanz nuclear enrichment facility.
Kaspersky Lab claimed Columbus-like discovery of Flame, but this assessment is disputed by others in the industry. Furthermore, the Moscow-based security company asserted that what the researchers in Budapest were evaluating was not the same malware, but potentially an entirely different threat.
Alex Gostev, head of the global research team at Kaspersky Lab, said they were looking for the ‘Wiper’ code when they came across what he called a new piece of malware, nicknamed Flame. He added that there is no “current information that tied Flame to the Wiper attacks”, but did acknowledge that “given the complexity of Flame, a data wiping plug-in could easily be deployed at any time”. There was simply no evidence that such a plug-in existed, he said – at least not yet. Subsequent analysis indicates Flame indeed did contain a plug-in module that enabled a ‘self-destruct’ feature, which contributed to its ability to remain undetected for years.
If Gostev is correct, and sKyWIper and Flame are two different threats, then what are we to make of the amazing similarities between the two? There are simply too many coincidences. Call it whatever you like, but the threat still remains.
Yet, the wrangling over who first identified what misses the point entirely. The questions that we need to be asking are: what is Flame; who created it; what does it do; and who should be concerned about it?
A New Breed of Malware
News of Flame’s existence may still be fresh in our memory, but the malware itself is likely quite old when compared with how quickly developments in this space occur. It’s something that ESET senior research fellow, David Harley, reminded us shortly after this latest threat hit the headlines.
“Conflicting conjecture and confusion over the ‘ownership’ of the detection is muddying the waters”, he observed. “According to the Iran National CERT, they had detection of the malware…in early May, but Kaspersky claims it has been in the wild since 2010. It seems to be the same malware threat the laboratory in Budapest calls sKyWIper, which they believe may have been active for five to eight years, or even longer.”
Symantec rates Flame as a “very low” threat – mostly because it’s considered to be highly targeted. This is a conclusion that most observers agree on. Flame’s alleged longevity in the wild lends credence to Symantec’s threat assessment. Few organizations were affected, and in such a subtle manner that few, if any, flags were raised.
That assessment, however, does not apply to the actual damage Flame can inflict. Its primary purpose – nearly universally accepted – is stealing information through a dizzying array of means. “Flame can be described as one of the most complex threats ever discovered”, wrote Kaspersky’s Gostev in one preliminary analysis. Remarking on its size and sophistication, the researcher said it “redefines the notion of cyberwar and cyber-espionage”.
The size that Gostev alluded to, coupled with its vast set of features, means that thorough analysis of Flame will take several months. “At 20 MB, it’s a very complex and large piece of malware – about 20 times larger than Stuxnet or Duqu”, said Andy Hayter, anti-malcode program manager for ICSA Labs.
Tracy Hulver, chief identity strategist with Verizon, described Flame as “a new breed of worm”. Its massive size means there are parts of the code that continue to puzzle researchers with respect to its functionality. Drawing a comparison to illustrate the complexity, he said: “It’s becoming much closer aligned with a biological type of virus, where there are large sections of DNA that biologists have no idea what it is for.” He added: “You are seeing the same thing with malware.”
Kevin Curran, a senior member of IEEE and reader in computer science at the University of Ulster, is also impressed by Flame’s size. It’s “like a ‘wish list’ of what malware can do”, he commented. “I was amazed by the features and complexity.”
The feature that really caught his attention was Flame’s ability to record conversations on Skype, by tapping into a device’s microphone. Curran readily admitted that the widely available yet proprietary service is vulnerable to a Flame-like attack. “For years I have been telling people that Skype is secure and a great communication channel”, he said in retrospect. Now, Curran added, there’s something out there that can turn on the microphone and hear both sides of the conversation.
That is just one of an impressive assortment of intelligence gathering techniques Flame is able to deliver. The researchers from CrySyS Lab said the sample they examined was designed to steal information, comprising a modular structure “incorporating multiple propagation and attack techniques” that permitted the gathering of intelligence via keyboards, device screens, microphones, storage devices, WiFi connections, Bluetooth, and USB devices on the same network.
In their report on their preliminary forensic analysis, they wrote that the malware they evaluated was, in their opinion, “the most sophisticated malware we [have] encountered during our practice”. It is, they added, “arguably…the most complex malware ever found”.
Andy Hayter described Flame’s purpose: “It’s there to screen scrape, to keylog, to steal passwords, to record conversations. It’s there to steal information, and not necessarily to do damage to a system like Stuxnet was designed to do.”
He believes Flame is hardly a threat to end users themselves, but still maintains dire implications for certain organizations. “It’s not your trivial piece of malware looking to steal money from someone”, Hayter told Infosecurity. “This is cyber-espionage to the max, and it’s more of a wake-up call to automated industries [i.e., infrastructure, industrials] that things like this are happening today, and they must take the right security precautions to limit the threat as much as possible.”
Secret Agent of the Digital Kind
Hayter sees Flame as a real-life Robert Ludlum story. “I look at it as a spy novel – as espionage done by a computer, and not a person.” He continued: “This was targeted to steal information, much as a human spy would be placed into a hostile environment to steal information and carry it out with them.”
Lance James, director of intelligence for consulting firm Vigilant, agreed with this assessment. “Flame is a James Bond tool. It’s the equivalent of an agent going out into the field and taking pictures of documents.”
James, who has a background in IT forensics and counter-intelligence, is an expert on computer hacking. He would “characterize Flame specifically as espionage”. There is little doubt that weaponized [cyber] tools are currently being developed, he insisted, but labels Flame more akin to an espionage tool, “because I don’t think its intent was to be discovered”. Compare this with Stuxnet, James considered, which he described as being closer to a warfare tool “because it was designed to actually shut down a nuclear centrifuge”.
There is overlap between what is considered an act of kinetic ‘cyberwar’ and ‘cyber-espionage’, James asserted. “In the world of espionage, you still use weaponized tools, and Stuxnet’s design and intent was to be destructive to infrastructure. Think of it as the equivalent of a spy picking a lock to break into a room to gather information”, James relayed. “Intelligence”, he continued, “is a component of warfare”.
Because of the way Flame was designed – with its plug-in modules – James argued it could have been turned into a weapon very easily, “because all the controllers had to do was upload code to destroy things”. He affirmed that Flame has the ability to play on both sides of the equation.
Chicken or Egg?
After a few weeks of analysis, Kaspersky Lab issued another release suggesting that the authors of Flame and Stuxnet, if not the same people, at the very least worked in cooperation. The company said it found a “critical module” in Flame used to help the worm spread that was similar to one employed in an early version of Stuxnet.
“New findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once”, commented Kaspersky’s Gostev in an accompanying blog post.
“This was not script kiddie malware…There’s no way it was created by a renegade group of hackers”
Kevin Curran, IEEE
IEEE’s Kevin Curran believes there is enough evidence from anti-virus labs that have analyzed the code to suggest some overlap between Stuxnet and Flame. “We have to take Kaspersky at their word, because that’s what they do for a living – take code apart and analyze it. Stuxnet was clearly [an act of] cyber war; Flame was a precursor to that”, he said.
Citing Verizon’s own research, Tracy Hulver agreed with this conclusion. “Flame was probably something that was used as a precursor to Stuxnet, to prepare the way and do reconnaissance on weaknesses and test different methods of propagation.” This was likely followed by Stuxnet, which was the actual, kinetic attack.
Pointing the Finger
There is widespread consensus about the resources that went into creating Flame, much like its Stuxnet and Duqu predecessors. It required extensive research, in the assessment of Vigilant’s Lance James, who added that malware produced by organized criminals does not contain this level of development.
“It’s the malware with the most features, and it was the most well thought out”, he contended. In James’ opinion, Flame is the most thoroughly researched and designed piece of malware he has observed, describing it as “a commissioned piece of software, probably written by a team of researchers and engineers” over a period of years.
ICSA’s Hayter sounded a similar refrain: “This had to be developed by a very highly skilled group of individuals, not a single script kiddie or virus writer. Like Stuxnet and Duqu, it took a lot of skill, a lot of time, and a lot of knowledge to construct a piece of malware like this and deploy it for as long as it went undetected.”
So, just who, or what, was responsible for the funding that put this alleged team of developers together? If Kaspersky’s Alex Gostev and the New York Times both have their facts straight, then it’s very likely that some arm of the US government was responsible for creating Flame, in cooperation with Israel – although, importantly, these are unconfirmed suspicions. Iran was the primary target of Flame, so it’s safe to assume that whoever was responsible for its creation has a vested interest in conducting clandestine operations against that country.
If the words of Israel’s Vice Prime Minister carry any weight, then we may be safe in making this assumption. When asked about the Flame attack by Israel’s IDF Radio, Moshe Ya’alon said: “Whoever sees the Iranian threat as a meaningful threat – it is reasonable [they] would take various measures, including this one”. Not an overt admission for sure, but he did not stop there. “Israel has been blessed with being a state rich in top-level high-tech”, Ya’alon added. “These tools that we take pride in open up various possibilities for us.” Thus it would be illogical for Israel, the US, or any nation for that matter to hamstring the tools available in their kit.
Curran crystallizes the argument in simple terms: “You can gather much more information using tools like Flame, from the comfort of your location in somewhere like Arizona, than you ever could with agents on the ground in Tel Aviv.”
Viewed from this perspective, using weaponized malware to conduct espionage makes plain sense for a nation-state. Deploying a ‘cyber weapon’ is far more elegant, less costly, and definitely less bloody than any operation that involves flesh-and-blood agents.
While there will always be a need for real people in the trenches, recent events indicate that those interested in careers with the CIA, MI6 or Mossad should start to think less about a life of international intrigue, and more about how to develop complex, feature-rich computer code.