Flame reportedly set up Stuxnet attack, was under human control

Flame, the recently identified malware that appears to date back to 2007 or earlier, was being actively updated as recently as March of 2012, and its targeted attacks apparently were being controlled by individuals rather than being automated, according to research by security company Bit9.

Flame, formally identified as W32.Flamer, is a cyber weapon developed by the United States and Israel targeting Iran and is part of the same program that developed Stuxnet, the Washington Post reported.

Bit9 CTO Harry Sverdlove said his company, which provides whitelisting and reputation-based blocking services, blocked repeated attacks by Flame against a customer in the Middle East. When event logs were analyzed, it was found that the same attack dropping the same files, identified as Flame, occurred repeatedly from October 2011 through March. The attacks always came during the morning, local time, at about the same time each day but not at exactly the same time.


“That is a high indication that it was a human operator,” Sverdlove said. “It was not an opportunistic attack. There was a person behind it. It was his job,” to periodically attempt to install the files on the targeted computer.

The files used in the attack evolved over that time, he said. “Flame was being actively updated.”

Although Flame was blocked from executing on the customer’s server, it was not recognized as a malicious attack until logs were examined months later, after the discovery and public disclosure of Flame in May.

The incident highlights a weak spot of whitelisting as a security tool. It enforces a list of authorized files, activities or users for a computer, and routinely blocks everything that is not on the list. Although the technique can block previously unknown exploits and malware, it also can obscure attacks because a large amount of otherwise benign activity also might be blocked. The Flame incident was not discovered until specific queries were made after the fact, Sverdlove said.

“We can’t look at everything,” he said. “It sat below the radar for several years. It never rose to the level of ‘oh my gosh, it’s an outbreak.’ It’s a problem throughout the security industry, how to prioritize,” and examine information once the initial attack is over.

He said that Bit9 has a project under way to allow automated identification of suspicious activity that merits additional attention. “There is no technical reason we can’t do it,” he said.
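The pattern Sverdlove describes, the same files blocked day after day at about the same morning hour and changing over the months, is exactly what a routine query over a whitelisting product's block log can surface without waiting for a public disclosure. The following is an added example, not Bit9's code or anything from the article: it runs a periodicity check and a file-evolution check over a constructed block log in a made-up format, with placeholder hash labels and paths.

```python
from collections import defaultdict
from datetime import datetime

# Constructed block log in a made-up format (not Bit9's): local timestamp, host,
# verdict, file-hash label, dropped path. Labels and paths are placeholders.
SAMPLE_LOG = """\
2011-10-03T08:41:12 srv-01 BLOCKED hash_a C:\\Users\\Public\\dropped.dll
2011-10-04T09:02:55 srv-01 BLOCKED hash_a C:\\Users\\Public\\dropped.dll
2011-10-05T08:37:40 srv-01 BLOCKED hash_a C:\\Users\\Public\\dropped.dll
2011-10-05T14:20:01 srv-01 BLOCKED hash_b C:\\Temp\\setup_helper.exe
2011-10-06T08:55:19 srv-01 ALLOWED hash_d C:\\Program Files\\App\\app.exe
2012-03-14T09:10:33 srv-01 BLOCKED hash_c C:\\Users\\Public\\dropped.dll
2012-03-15T08:48:07 srv-01 BLOCKED hash_c C:\\Users\\Public\\dropped.dll
2012-03-16T08:59:50 srv-01 BLOCKED hash_c C:\\Users\\Public\\dropped.dll
"""

def parse_events(text):
    """Parse log lines into dicts, keeping only BLOCKED verdicts."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5 or parts[2] != "BLOCKED":
            continue
        ts, host, _, file_hash, path = parts
        events.append({"when": datetime.fromisoformat(ts), "host": host,
                       "hash": file_hash, "path": path})
    return events

def find_persistent_blocks(events, min_days=3, max_hour_spread=2.0):
    """Hashes blocked on >= min_days distinct days inside a narrow local-time window:
    a scheduled, repeated attempt rather than one-off noise."""
    by_hash = defaultdict(list)
    for e in events:
        by_hash[e["hash"]].append(e)
    findings = {}
    for h, evs in by_hash.items():
        days = {e["when"].date() for e in evs}
        hours = [e["when"].hour + e["when"].minute / 60 for e in evs]
        if len(days) >= min_days and max(hours) - min(hours) <= max_hour_spread:
            findings[h] = {"days": len(days), "path": evs[0]["path"],
                           "hour_window": (round(min(hours), 2), round(max(hours), 2))}
    return findings

def find_evolving_paths(events):
    """Paths dropped under more than one hash over time: the signature of an
    actively updated tool in a block log."""
    by_path = defaultdict(set)
    for e in events:
        by_path[e["path"]].add(e["hash"])
    return {p: sorted(hs) for p, hs in by_path.items() if len(hs) > 1}
```

Run against the sample, the morning-window check flags hash_a and hash_c and ignores the single afternoon block of hash_b, and the evolution check reports the one path that was dropped under two different hashes months apart.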

Flame, also known as Flamer and sKyWIper, was identified in May and quickly gained notoriety as the largest and one of the most sophisticated pieces of malware yet found. It also is one of the stealthiest, and despite its size of 20 megabits it apparently survived for years before it was detected. Researchers at CrySyS Lab at the Budapest University of Technology and Economics have identified elements of the code that date as far back as 2007.

One reason for its stealth is that it appears to be dedicated to quiet information gathering against a small group of individuals, most in the Middle East. Comparisons were immediately made with the Stuxnet worm, which targeted and damaged uranium processing equipment in Iran. Most researchers agree that they are not the work of the same individuals, but similarities suggested they were part of the same program.

The Washington Post, citing unnamed government officials, has reported that Flame was developed by the National Security Agency and the CIA, in cooperation with the Israeli government, as part of the same program as Stuxnet. Flame apparently predates Stuxnet and was an intelligence gathering tool used to lay the groundwork for the Stuxnet attack.

Sverdlove did not identify the Middle East customer targeted by Flame, but said it was in a geographical area in which other attacks had been identified. He said he believes that the customer was most likely being used as a stepping stone in an attempt to reach others.

“The system in question is not an interesting system,” he said. He said Flame is a multistage attack capable of targeting resources through relationships. It is able to do this without detection because it takes no action on an infected system without human direction, spreading quietly.

Sverdlove said he believed Stuxnet spread much farther and was discovered more quickly because it was designed to target an isolated system that would not allow remote control of the worm through a command and control network. “It really had no choice but to propagate” on its own, he said.

The result was that there have been more than 60,000 reported infections by Stuxnet around the world, although there have been no other reported instances of damage by the worm.

The spread and discovery of Stuxnet and Flame illustrate an inherent danger in cyber weapons: Once deployed, they become available to researchers and other nations for possible reuse.

How easily such complex pieces of software can be repurposed remains to be seen. Sverdlove believes that “the barrier to entry is now almost nothing.”

But adapting even individual modules from the programs for new targets and uses could prove to be a challenge requiring a high level of technical expertise not available everywhere. 

Reader Comments

Tue, Jun 26, 2012 The Shrimper

It STILL amazes me how casually all this is discussed and reported. Why not tell us, Mr. Sverdlove who your Middle East client is ????? No one seems to have any problem blabbing all of OUR cyber-secrets to the world? Idiots.!!!......

Fri, Jun 22, 2012 Cowboy Joe

"Fed" is correct, but I'd have to add the coming bumpy ride was inevitable. Which kids are dumb enough to smack a bull on the rump is kind of a random choice of history; that from time to time some will - and the gamut of outcomes implied - is a given.

Thu, Jun 21, 2012 The Almighty Dollar$$$

"Bit9 CTO Harry Sverdlove said his company, which provides whitelisting and reputation-based blocking services, blocked repeated attacks by Flame against a customer in the Middle East.
Source: GCN (http://s.tt/1feGE)" What name of country is missing in this article? Probably because people would not be happy if he stated who they performed the work for.

Thu, Jun 21, 2012 DC Fed Washington D.C.

Well written article. This is the stuff of sci/fi technothrillers just a few years ago. It was inevitable that intelligence agencies of the major powers would be engaged in cyber based espionage (and sabotage) and it could have been considered criminal negligence on the part of the U.S. intel community if they had not been on the forefront of exploiting cyber espionage opportunities. It's the dirty little secret no one wants to admit. What interests me is the leak and the exposure of the program. I see two possibilities to the media stories: 1) the InfoSec community was so convincing in their assertion that this could only be done by a major power that the media jumped to conclusions and created the 'unnamed sources' to bolster their credibility in blaming the US and Israel, or, b) there is a nasty leak in the NSA/CIA and the leaker has disclosed information that would be grounds for charges of treason in another time. WikiLeaks was embarrassing to the State Dept, leaks regarding espionage techniques and capabilities goes way beyond embarrassment. Disclosing this information is tantamount to telling Vlad (the impaler) Putin the names of members and home addresses of his staff that are on our payroll. What the leaker(s) and the media have also done is posted a great big target on the U.S. and given a green light in the court of public opinion for any future cyber attack on U.S. interests. The loose lips on this one have sown the seeds for a massive payback in the not too distant future. Tighten up your firewalls everyone, it's going to be a bumpy ride.
