Trail goes cold as gigantic Flame virus peters out

AS THE COMPLEXITIES of the gigantic Flame computer virus are dissected, the blame game has begun

AS THE COMPLEXITIES of the gigantic Flame computer virus are dissected, the blame game has begun. The nefarious application came to light after data was deleted from hard drives in Iran’s oil ministry several weeks ago, with Israel being seen as the likely culprit by Iranian officials and security analysts alike.

Indeed, Israel’s vice prime minister Moshe Ya’alon did little to stop these rumours yesterday when he said: “Israel is blessed with high technology and we boast tools that open all sorts of opportunities for us.”

Despite Ya’alon’s barely-veiled boasts, due to the complexities of the coding involved in Flame, it is unlikely that Israel – or any other nation – will be held accountable. It is this inability to pinpoint the genesis of such attacks which makes this manner of cyber warfare so appealing to nation states.

“It’s about plausible deniability,” says Vitaly Kamluk, chief malware expert with Kaspersky Lab, enlisted by the UN’s Geneva-based International Telecommunication Union to investigate the threat a few weeks ago.


“There are no traces that can point to one organisation or any country with Flame,” he adds. “We followed the controls of the malware but we discovered that there are more than a thousand different servers [involved] located in different countries, all geographically spread out, so it’s unclear where the central country is.”

Sophos senior technology consultant Graham Cluley suggests that for rogue nation states, “the beauty of an internet attack is your ability to hide your tracks and to be relatively anonymous no matter how big the attack is”.

DCU law and government lecturer Dr Maura Conway says the “blanket of anonymity” has encouraged various governments to launch similar attacks for several years. “In all aspects of warfare and intelligence gathering, plausible anonymity is key.”

There are a number of factors that mark Flame out as unique. For one thing, it is estimated to have sat undetected on Iranian computers for two to five years collecting data. Its size is fascinating as well: its combined applications bulk it up to about 20MB, as opposed to smaller threats such as the Stuxnet worm, which infiltrated Iran’s nuclear programme in 2010 and was “20 times smaller”, according to Cluley.

“The benefit they get out of this size of file is that it looks normal,” says Mikko Hyppönen, chief research officer with security specialists F-Secure. “Flame looks like your average application, not the encrypted, hidden malware we’re used to seeing. It’s big, it has libraries and it’s hiding in plain sight. It might seem odd, but it worked, it went undetected for years. You can’t argue with that.”

Hyppönen says the other fascinating stat is that compared with Stuxnet, or other attacks such as the data-grabbing Duqu virus, this did not infect hundreds of thousands of computers to get what it needed. Kaspersky and Symantec, which was also brought in to investigate Flame, have found fewer than 600 incidents of the virus, pointing to each infiltration being very deliberate.

There were 189 attacks in Iran, 98 incidents in the West Bank, 32 in Sudan, 30 in Syria and other Flame detections found in Lebanon, Saudi Arabia and Egypt. Businesses, academics, private individuals and government agencies were all victims.

Gavin O’Gorman, who acts as threat intelligence security response manager with Symantec, was made aware of the threat posed by Flame late last week, and from the company’s Dublin offices he collaborated with colleagues in the US and Japan over the weekend to analyse just what they were looking at.

“It is so comprehensive; Flame is easily the largest threat – in terms of code size – we have ever encountered. It has a huge number of modules in it so it has got an awful lot of functionality.”

These functions include reporting on network resources, stealing specific files, capturing screenshots, evading more than 100 security products, recording audio through a computer’s built-in microphone and even scanning for nearby Bluetooth devices to take information from them.

“It can also serve as a beacon, signalling other devices that this virus has infected,” Kamluk says.

Looking at the complexity involved, Martin Libicki, a senior scientist with non-profit global policy think-tank Rand, says that while “we can all only speculate for now”, in all probability this was the work of a nation state.

“You get to that conclusion because there doesn’t seem to be any money at the victim end and cyber criminals tend to go for money not data,” he adds.

“Cyber criminals are specific in their methods, in other words they have ‘cased the joint’ and they know what they want to get. It seems to be targeted, unlike Stuxnet, which was a worm which basically spread willy-nilly. This was meant to be absorbed within particular determined networks.”

This small number of infiltrations may be key to it remaining undetected for years. There are other possible reasons for this as well, though.

Uri Rivner, chief strategist with another security behemoth RSA, compares Flame to “the Nasa rovers that were sent to Mars and meant to work for a few months, but then Houston realised they could hold out in the conditions for a few years. I think that’s what happened here. The software probably widened its capabilities over time and widened the data it was able to look at.”

Be it Israel, the US or any other country responsible for Flame, O’Gorman, Hyppönen, Cluley and Kamluk all agree there are likely to be more of these subtle cyber espionage viruses currently at work across the globe.

As Kamluk points out, Flame was not the original target of Kaspersky’s UN-prompted investigations; rather, it was stumbled upon while another threat was being investigated.