Tuesday 12 June 2012

Flame Culprit Fingered

Flame, also known as Flamer and Skywiper, is a highly sophisticated espionage focused malware, which targets and infects Microsoft Windows systems. Flame is known to spread over the network and by USB thumb drives, and this malware is centrally controlled by 'those' who created and released it onto the world, more on 'those' later. To say Flame is an extremely sophisticated piece of malware is not an understatement,  it can covertly can grab screenshots, log all keyboard entry (think usernames, passwords), record Skype voice calls and even monitor network traffic,  returning all this information is sent covertly to "those" who created it. Those controlling Flame infections can even send specialised control commands, which includes a "kill command", which makes the Flame malware stop running and delete itself, so covering up any evidence of it ever being present on the PC.

Flame: Commendable Malware

Flame is not the product of cyber criminals, it is way too sophisticated, and you only have to look at which area of the world is mostly infected with Flame, which just happens to be middle eastern countries. Cyber criminals tend to target online affluent first world counties like the USA and countries within Europe. You only need to look at the Zeus worm in comparison, which is a worm which targets online banking.  There is a clear difference between a cyber criminal created malware and state sponsored malware, both have different targets, and have different goals following the infection of their targets.

Flame Infection Area
The Flame / Stuxnet Connection
I have to be a little careful how I word this as I don't want a holiday in Guantanamo, so according to this must read New York Times article (http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?) and industry experts I have spoken with off the record, the United States' National Security Agency (NSA) and Israel's Unit 8200 are said to be responsible for creating and launching the Stuxnet worm against Iran's nuclear enrichment facilities. The US government are said to have dubbed their cyber warfare activity as Operation Olympic Games. Now given the great success of Stuxnet in impacting the Iranian Natanz nuclear plant, it was always going to be a matter of time before Stuxnet was followed up.

Kaspersky Labs who have recently analysed Flame, concluded there is a solid link with the development of Flame with Stuxnet (http://www.bbc.co.uk/news/technology-18393985):

"What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected"

"The new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups co-operated at least once."

"There is a link proven - it's not just copycats.

"We think that these teams are different, two different teams working with each other, helping each other at different stages."

The findings relate to the discovery of "Resource 207", a module found in early versions of the Stuxnet malware. It bears a "striking resemblance" to code used in Flame"

"The list includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming"

So joining up all the dots, it is an obvious conclusion that the United States and/or Israel are responsible for creating, deploying and controlling Flame, and therefore are using Flame to harvest private information on mass.

I am not clear about the United Nation treaties and rules in relation to cyber warfare/espionage engagements against other nation states, I don't think anyone is which could be the problem. But I'll leave you with some food for thought, the US government said it would respond to any state sponsored cyber attack made on it with military force.


“Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests." - http://www.fas.org/irp/congress/2011_cr/cyberwar.html

1 comment:

Steve said...

Nice post which Flame is not the product of cyber criminals, it is way too sophisticated, and you only have to look at which area of the world is mostly infected with Flame, which just happens to be middle eastern countries. Cyber criminals tend to target online affluent first world counties like the USA and countries within Europe. Thanks a lot for posting this article.