Flame Thrower

Welcome to the new frontier of cyber-espionage, and remember this name: "Flame" — a mysterious new cyber spy tool that hit the headlines on Monday, May 28. Its code is 20 times larger than Stuxnet, the mysterious computer worm that temporarily crippled Iran’s Siemens nuclear centrifuges, and it "might be the most sophisticated cyber weapon yet unleashed" according to Kaspersky Lab, a Russian-based cybersecurity firm. Kaspersky published the findings of its analysis on Monday in addition to the Iranian Computer Emergency Response Team (CERT) and Budapest University. Most of the infected systems are located in the Middle East, with Iran, Israel, Palestine, Sudan, Syria, Lebanon, and Hungary topping the list. Flame stands out in the various ways through which it "exfiltrates" data, including surreptitiously recorded audio data captured by internal microphones. However, unlike Stuxnet, Flame was designed to spy — not destroy.

The variety of spy tools that Flame employs is astonishing. According to Kaspersky, "of course, other malware exists which can record audio, but key here is Flame’s completeness — the ability to steal data in so many different ways." It also takes snapshots of instant messages and records a user’s keystrokes. Flame is remotely controlled through a command and control server and it’s highly dynamic. In other words, it has been updated remotely since it was first launched at least as early as March 2010 and its "creators are constantly introducing changes into different modules" which expand its functionality. Now that it has been detected, the Iranian CERT apparently offers infected users a removal tool.

According to the Washington Post, some analysts see the United States and Israel behind Flame. Kaspersky will only go so far as to say that it’s likely the work of a nation-state rather than a private entity or hacking group because of the sophistication and the geographic location of the infected systems, For now, the perpetrator’s identity remains unknown. Flame was designed to avoid being detected, hiding in large amounts of code and using a programming language unusual for malware. Victims include individuals, private companies, educational institutions, and state-related organizations. Other details are also unclear at this point, however, such as how Flame accesses a system in the first place. Kaspersky considers Flame an operation likely to have been run in tandem with Stuxnet.

Unlike Stuxnet, Flame was designed for a non-destructive purpose. That said, both types of code essentially consist of three elements, according to Herb Lin, chief scientist at the National Research Council: a vulnerability, access, and payload. Think of a computer system as a walled-in garden. The first objective is to find a hole in the wall to get into the garden. A vulnerability in the computer system — the hole — will allow that access to the system. Once inside the garden, there are basically two ways it plays out determined by the payload. A cyber-espionage payload — like Flame — walks around making copies and taking pictures of what’s in the garden. By contrast, a cyber-warfare payload — like Stuxnet — destroys what’s in the garden. 

But cyber-espionage tools differ in terms of their payload though. Stuxnet’s cousin, Duqu, was designed (like Flame) to spy, not destroy. The security firm, Symantec, considered Duqu "a threat nearly identical to Stuxnet, but with a completely different purpose … Duqu’s purpose is to gather intelligence data and assets from entities such as indus­trial infrastructure and system manufacturers, amongst others not in the industrial sector." Duqu and Stuxnet were therefore very similar in the vulnerabilities exploited but differed in the payloads used. In other words, Duqu and Stuxnet used the same hole in the wall but behaved differently once inside, whereas Duqu and Flame accessed the garden differently but were sent with a similar mission. There is another important difference between Duqu and Flame. As Kaspersky highlights, the "intelligence gathering operation behind Duqu was rather small-scale and focused. We believe there were less than 50 targets worldwide for Duqu — all of them, super-high profile. Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide."

This shows that while cyber-espionage and cyber-warfare differ in intent, the gap is very small. Replace a non-destructive payload with a destructive one using the same vulnerability and access and the story changes very quickly. In fact, Symantec, also described Duqu as "the precursor to a future Stuxnet-like attack … looking for information such as design documents that could help them [the attackers] mount a future attack on various industries, including industrial control system facilities." This also explains why Michael Hayden, former director of the National Security Agency and the Central Intelligence Agency, has called them "operationally indistinguishable."

But Flame is not the new Stuxnet, and it’s important not to lump them together. However, as Stuxnet and Duqu have showcased, the question about Flame is whether the information-sharing was an end in itself or only the means to a future attack that remains yet to be discovered or launched.

The answer to this question might take a while to uncover. "Consider this: it took us several months to analyze the 500k code of Stuxnet," notes Kaspersky. "It will probably take year [sic] to fully understand the 20MB of code of Flame."