A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyber-espionage operation.
The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the West Bank and other places in the Middle East and North Africa for at least two years.
Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet — the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame differs from Stuxnet in both purpose and composition, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior strongly indicate that a nation-state, rather than common cyber-criminals, is behind it, marking it as yet another tool in the growing arsenal of cyberweaponry.
The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.
“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”
Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.
The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code written in the Lua programming language — an uncommon choice for malware.
Kaspersky Lab is calling it “one of the most complex threats ever discovered.”
“It’s pretty fantastic and incredible in complexity,” said Alexander Gostev, chief security expert at Kaspersky Lab.
Flame appears to have been operating in the wild as early as March 2010, though it remained undetected by antivirus companies.
“It’s a very big chunk of code. Because of that, it’s quite interesting that it stayed undetected for at least two years,” Gostev said. He noted that there are clues that the malware may actually date back to as early as 2007, around the same time that Stuxnet and DuQu are believed to have been created.
Gostev says that because of its size and complexity, complete analysis of the code may take years.
“It took us half-a-year to analyze Stuxnet,” he said. “This is 20 times more complicated. It will take us 10 years to fully understand everything.”
Kaspersky discovered the malware about two weeks ago after the United Nations International Telecommunications Union asked the lab to look into reports in April that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Co. had been hit with malware that was stealing and deleting information from the systems. The malware was named alternatively in news articles as “Wiper” and “Viper,” a discrepancy that may be due to a translation mixup.
Although the Flame toolkit does not appear to have been written by the same programmers who wrote Stuxnet and DuQu, it does share a few interesting things with Stuxnet.
Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June 2009. It is widely believed to have been designed to sabotage centrifuges used in Iran’s uranium enrichment program. DuQu was an espionage tool discovered on machines in Iran, Sudan, and elsewhere in 2011 that was designed to steal documents and other data from machines. Stuxnet and DuQu appeared to have been built on the same framework, sharing identical parts and similar techniques.
But Flame doesn’t resemble either of these in framework, design or functionality.
Stuxnet and DuQu were made of compact and efficient code that was pared down to its essentials. Flame is 20 megabytes in size, compared to Stuxnet’s 500 kilobytes, and contains a lot of components that are not used by the code by default, but appear to be there to provide the attackers with options to turn on post-installation.
6 Responses
Barukh ha-Shem we live in an age in which wars are fought by hackers. The old style of going around killing people and leveling cities is so uncool.
#1: I’m not so sure. Cyber warfare has the potential for killing millions of people.
Sabotaging the enemy’s infrastructure and sowing seeds of paranoia are not new. Winning the invisible war against the enemy makes winning the killing war much easier and less bloody for us. If successful enough, the killing war can be avoided altogether. That in effect is how Reagan defeated the Soviet Union.
#2 – I’d much rather have my hard drive wiped than have my house burned down and my kids dismembered. Imagine if all we blamed the Romans, Crusaders and Nazis for was corrupting datafiles or making our computers run slow.
#1: It’s not as simple as having your hard drive wiped. How about your electricity shut off, your water poisoned, and your food supply tainted? Oh, and cyber war can very easily burn your house down – and worse – like prescribing the wrong medication for your kids, R”L.
Cyber war can also get your wife to divorce you, wipe out your bank account, and leave you with a police record as a criminal or pedophile.
And it can be done in a heartbeat with you unwittingly helping the process.
This is not a joke – we have been at this war for at least ten years. Most of the world doesn’t realize how serious it already is.
#5- “old fashioned” war involved having your family killed in a gas chamber, having your neighborhood reduced to ash and rubble, having your born torn to bits by shrapnel – and as a side effect it usually involved plague, famine, and all sorts of horrible things. We know too much about the good old days…