It has been described as the most sophisticated cyber weapon ever created, yet precious little is known about the Flame malware. Who created it? What is it targeting? Why? How closely related to Stuxnet and Duqu is it?
What we do know is that Flame is targeting individuals, private companies and government organisations across the Middle East and Africa and is capable of searching for any kind of intelligence, such as emails, documents and even instant message conversations.
CBR rounds up the expert reaction to the news.
Alexander Gostev, Kaspersky Lab expert
Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyber-espionage.
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists.
So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leave no doubt about it being a nation state that sponsored the research that went into it.
There is no information in the code or otherwise that can tie Flame to any specific nation state. So, just like with Stuxnet and Duqu, its authors remain unknown.
Symantec Security Response
The complexity of the code within this threat is on a par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analysed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organised, well-funded group of people working to a clear set of directives.
A number of components of the threat have been retrieved and are currently being analysed. Several of the components have been written in such a way that they do not appear overtly malicious. There is no high-entropy data and no obviously suspicious strings. The code itself is complex, which hampers analysis.
The overall functionality includes the ability to steal documents, take screenshots of users’ desktops, spread through removable drives, and disable security products.
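The Symantec observation that the components carry no high-entropy data is worth making concrete: entropy scanning is one of the cheapest triage checks for spotting embedded encrypted or packed payloads, and a sample built to avoid it slips past that check. The following is an added illustration, not code from Symantec or from any Flame analysis; the buffers are constructed in the script and the 7.0 bits/byte threshold is an assumed, commonly used cut-off.

```python
import math
from collections import Counter
import hashlib

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return (offset, entropy) for each fixed-size window scoring above threshold.
    Encrypted or compressed regions usually score well above 7 bits/byte; native code,
    configuration and text score lower, so a clean scan does not prove a sample is benign."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:  # skip a short tail: too few bytes for a meaningful estimate
            continue
        h = shannon_entropy(chunk)
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits

# Constructed sample 1: low-entropy, text-like content such as a configuration blob (1720 bytes)
TEXT_SAMPLE = b"[settings]\nlogfile=C:\\temp\\app.log\nretry=3\n" * 40

def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes from a SHA-256 chain (a stand-in for an encrypted blob)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed sample 2: entirely random-looking, as a packed or encrypted payload would be
RANDOM_SAMPLE = _pseudo_random(2048)

# Constructed sample 3: text with a 512-byte random-looking region embedded at offset 1024
MIXED_SAMPLE = TEXT_SAMPLE[:1024] + _pseudo_random(512, b"embedded") + TEXT_SAMPLE[1024:2048]

if __name__ == "__main__":
    for name, buf in (("text", TEXT_SAMPLE), ("random", RANDOM_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(f"{name:7s} overall={shannon_entropy(buf):.2f} bits/byte "
              f"flagged windows={high_entropy_windows(buf)}")
```

A component written the way Symantec describes would look like the first sample to this scan, which is exactly why string and entropy heuristics alone missed it and why behavioural telemetry matters.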
Henry Harrison, Detica’s technical director
Individual cases such as Flame – and, a little while back, Shady RAT – are heavily publicised by the security firms who investigate them, but the sad reality is that this sort of attack is not at all unusual.
Targeted data-stealing attacks are a common phenomenon – but in most cases they don’t get reported. That’s either because the companies affected didn’t report the attacks, for fear of reputational damage, or – most of the time – because the attacks are so successful that the targets don’t even realise that their data has been stolen. What is newsworthy here is not so much the attack, but the very fact that it has been reported.
Ross Brewer, managing director and vice president, international markets, LogRhythm
As cyber warfare continues to escalate, criminal tactics are becoming increasingly damaging and sophisticated. The fact that Flame avoided detection by 43 different anti-virus tools and took more than two years to detect is simply unacceptable in this day and age, and acts as solid proof that traditional perimeter defences such as anti-virus software just aren’t enough.
This discovery once again highlights how critical it is to have a clear view of every single event that occurs across an organisation’s entire IT estate at all times. Having this constant 360-degree visibility of IT network log data means that organisations can monitor all anomalous cyber activity.
Rather than just keeping threats out – which clearly no longer serves as an effective security strategy – data security now depends on addressing any potential threats in real time. This enables proactive identification, isolation and remediation of any potential cyber threats the moment that they occur – rather than having to depend on reactive perimeter solutions that can miss sophisticated malicious components such as Flame.
Peter Szor, McAfee
SkyWiper [another name for Flame] does not show a direct relationship in its code to Stuxnet or Duqu at this point. It uses a similar yet more complex structure, which in many ways reminds researchers of these attacks.
Generally, attackers try to conceal their presence by infecting locations unrelated to the main targets, possibly to further conceal their identity, and then use these locations as C&C servers. Continuing research will certainly need to take this into consideration.