Flame reportedly set up Stuxnet attack, was under human control
- By William Jackson
- Jun 20, 2012
Flame, the recently identified malware that appears to date back to 2007 or earlier, was being actively updated as recently as March of 2012, and its targeted attacks apparently were being controlled by individuals rather than being automated, according to research by security company Bit9.
Flame, formally identified as W32.Flamer, is a cyber weapon developed by the United States and Israel targeting Iran and is part of the same program that developed Stuxnet, the Washington Post reported.
Bit9 CTO Harry Sverdlove said his company, which provides whitelisting and reputation-based blocking services, blocked repeated attacks by Flame against a customer in the Middle East. When event logs were analyzed it was found that the same attack dropping the same files, identified as Flame, occurred repeatedly from October 2011 through March. The attacks always came during the morning, local time, about the same time each day but not at exactly the same time.
Flame's unique trick: Using Bluetooth to spy on victims
Researchers find ‘proof’ of Flame-Stuxnet link
“That is a high indication that it was a human operator,” Sverdlove said. “It was not an opportunistic attack. There was a person behind it. It was his job,” to periodically attempt to install the files on the targeted computer.
The files used in the attack evolved over that time, he said. “Flame was being actively updated.”
Although Flame was blocked from executing on the customer’s server, it was not recognized as a malicious attack until logs were examined months later, after the discovery and public disclosure of Flame in May.
The incident highlights a weak spot of whitelisting as a security tool. It enforces a list of authorized files, activities or users for a computer, and routinely blocks everything that is not on the list. Although the technique can block previously unknown exploits and malware, it also can obscure attacks because a large amount of otherwise benign activity also might be blocked. The Flame incident was not discovered until specific queries were made after the fact, Sverdlove said.
“We can’t look at everything,” he said. “It sat below the radar for several years. It never rose to the level of ‘oh my gosh, it’s an outbreak.’ It’s a problem throughout the security industry, how to prioritize,” and examine information once the initial attack is over.
He said that Bit9 has a project under way to allow automated identification of suspicious activity that merits additional attention. “There is no technical reason we can’t do it,” he said.
Flame, also known as Flamer and sKyWIper, was identified in May and quickly gained notoriety as the largest and one of the most sophisticated pieces of malware yet found. It also is one of the stealthiest, and despite its size of 20 megabits it apparently survived for years before it was detected. Researchers at CrySyS Lab at the Budapest University of Technology and Economics have identified elements of the code that date as far back as 2007.
One reason for its stealth is that it appears to be dedicated to quiet information gathering against a small group of individuals, most in the Middle East. Comparisons with the Stuxnet worm, which targeted and damaged uranium processing equipment in Iran, immediately were made. Most researchers agree that they are not the work of the same individuals, but similarities suggested they were part of the same program.
The Washington Post, citing unnamed government officials, has reported that Flame was developed by the National Security Agency and the CIA, in cooperation with the Israeli government, as part of the same program as Stuxnet. Flame apparently predates Stuxnet and was an intelligence gathering tool used to lay the groundwork for the Stuxnet attack.
Sverdlove did not identify the Middle East customer targeted by Flame, but said it was in a geographical area in which other attacks had been identified. He said he believes that the customer was most likely being used as a stepping stone in an attempt to reach others.
“The system in question is not an interesting system,” he said. He said Flame is a multistage attack capable of targeting resources through relationships. It is able to do this without detection because it takes no action on an infected system without human direction, spreading quietly.
Sverdlove said he believed Stuxnet spread much farther and was discovered more quickly because it was designed to target an isolated system that would not allow remote control of the worm through a command and control network. “It really had to choice but to propagate” on its own, he said.
The result was that there have been more than 60,000 reported infections by Stuxnet around the world, although no other reported instances of damage by the worm.
The spread and discovery of Stuxnet and Flame illustrate an inherent danger in cyber weapons: Once deployed, they become available to researchers and other nations for possible reuse.
How easily such complex pieces of software can be repurposed remains to be seen. Sverdlove believes that “the barrier to entry is now almost nothing.”
But adapting even individual modules from the programs for new targets and uses could prove to be a challenge requiring a high level of technical expertise not available everywhere.
William Jackson is freelance writer and the author of the CyberEye blog.