Introducing “Flame”: Round Three in the Cyber War on Iran

In round the First there was Stuxnet.  Stuxnet was, when discovered, the most sophisticated malware known.  It was specifically targeted at the industrial electronic controllers essential to the gas centrifuges used by Iran in their Nuclear weapons program.  While Iran has been reticent and conflicted in their reporting of the effects, experts believe the malware caused a significant degradation of the Iranian nuclear program.


In round the Second there was Duqu, the son of Stuxnet.  Duqu was less of a direct malware and more of an intelligence collection tool.


Round three was kicked off five years ago and has been dubbed “Flame.”


Iran hit by new powerful cyber weapon ‘Flame’

By AP | Jerusalem Post

BOSTON – Security experts have discovered a new data-stealing virus dubbed Flame, and found that the largest number of infected machines are in Iran, followed by Israel and the Palestinian territories, then Sudan and Syria.

Experts say the virus has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign.

It is the most complex piece of malicious software discovered to date, said Kaspersky Lab security senior researcher Roel Schouwenberg, whose company discovered the virus. The results of the Lab’s work were made available on Monday.

Schouwenberg said he did not know who built Flame.

If the Lab’s analysis is correct, Flame could be the third major cyber weapon uncovered after the Stuxnet virus that attacked Iran’s nuclear program in 2010, and its data-stealing cousin Duqu, named after the Star Wars villain.

The discovery by one of the world’s largest makers of anti-virus software will likely fuel speculation that nations have already secretly deployed other cyber weapons.

“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about,” Schouwenberg said in an interview.


Capabilities of the Flame malware are believed to be:

  • Gather and transmit local files
  • Remotely change system settings
  • Turn on PC microphones to record conversations
  • Capture and transmit screen shots
  • Capture and transmit chat sessions

Nothing has been reported in terms of malicious payloads as of yet, but the information gleaned from the above listed data capture features would be a strike planner’s dream list.

It’s likely to be a long hot summer.

UPDATE

PC Magazine reports these additional features of Flame:

  • File Compression and Decompression
  • Database Manipulation
  • Network Packet Analysis and Sniffing

As well as these infection statistics:

  • Iran: 189 infected systems
  • Israel/PA: 98 infected systems
  • Sudan: 32 infected systems
  • Syria: 30 infected systems
  • Lebanon: 18 infected systems
  • Saudi Arabia: 10 infected systems
  • Egypt: 5 infected systems

Posted by on May 28, 2012.
Filed under Internet, Iran, Middle East.
      • Walter_Cronanty

        OK, I give – if “…the largest number of infected machines are in Iran, followed by Israel and the Palestinian territories, then Sudan and Syria” then who, or which government or alliance of governments, or perhaps private, rogue group, is most likely the creator/beneficiary of “Flame”?  I want to get in on the ground floor of this conspiracy theory.
        I find this fascinating “He estimated that no more than 5,000 personal computers around the world have been infected, including a handful in North America.”  Very focused, very hidden.  I’m really interested in who did this, and why.

        • http://wizbangblog.com/author/rodney-graves/ Rodney G. Graves

          Whoever it was had access to the same code base as the creators of Duqu and Stuxnet, and had it more than five years ago (since earliest versions detected appear to have been implanted five years ago).  That the infected systems are being detected now indicates they’ve been activated to either upload their haul, or to perform malicious actions (or both).

          • Walter_Cronanty

            Well, Stuxnet and Flame do share this characteristic: “Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements; ‘The attackers took great care to make sure that only their designated targets were hit…It was a marksman’s job.’”  The Wiki [I know, Wiki] mentioned both the US and Israel as possible creators.  If that is so, why does Israel have the second most infected computers [as measured by the percentage of computers infected] by Flame, while the US is listed as the nation with the fifth most infected computers by Stuxnet – and why would Azerbaijan be the nation with the fourth most infected computers – of course, given the unit of measurement, perhaps only 2 or 3 computers were infected in Azerbaijan [sarc].

        • Guest

          Walter, it was definitely not Mossad or the CIA.  

          • http://wizbangblog.com/author/rodney-graves/ Rodney G. Graves

            Certainly not the 0bama Administration’s CIA.

            • jim_m

               Yeah, somehow I see the obama admin being more interested in perceived enemies at home (ie conservatives) and focusing his intelligence gathering activities there.

            • ackwired

              Since they were put in five years ago, certainly not.  Note that the Obama CIA did not take them out or disable them, either.

          • Walter_Cronanty

             Alright, you have to give me a reason or a link, or something – throw me a bone, here.

            • GarandFan

               We know it’s not the Obama Administration.  They’d already be crowing about it and have a Hollywood movie in the works for release the 3rd week of October.

            • http://wizbangblog.com/author/rodney-graves/ Rodney G. Graves

              Oldest versions found in the wild were in place for at least five years and thus were deployed in 2007…

            • Guest

              We know it’s not the CIA or the Mossad because there’s no evidence it was the CIA or the Mossad.

      • J A Showalter

        Regarding the high number of infected devices in Israel:
        Israel, being a relatively-open country, which seeks its own preservation and given that the infected machines were identified by geographic boundaries and not ideological boundaries; such would very much make sense in a functional “homeland security” sort of way.

        • jim_m

           My guess is that the number of infected devices in Israel reflects the arab population in communication with Iran and palestinian elements.

          • http://wizbangblog.com/author/rodney-graves/ Rodney G. Graves

            No differentiation between Israel and the PA in the statistics for the win. 

            • jim_m

               geographically or ethnically?

              • http://wizbangblog.com/author/rodney-graves/ Rodney G. Graves

                IP wise.

      • Commander_Chico

        WAR!!!!!  

        First computer viruses, then bombing, then “boots on the ground” “stabilization force.” Americans, of course.

        Replacing Assad with an Al Qaeda/Saudi backed regime in Syria comes first, though. I’m sure that will work out well.

      • jim_m

         obama approved the mission after sitting on the intel for nearly a year and only then when he was certain that he had an Admiral ready to throw under the bus if things went wrong.  Yep, real bravery.  Perhaps you could start paying attention.

      • http://richi.co.uk/ Richi Jennings

        Yes, yes. Every AV program we’ve ever heard of can now detect Flame. Please stop spamming sites with your “global social media.” Sheesh.

      • GarandFan

        In follow-up reports, the MSM seems ready to throw down that it was either the US or the Israelis (or both).

        Given the intelligence level of the MSM (they support Obama, don’t they?), everyone else is excluded.

        Here’s a thought.  Remember the “stupid Poles”?  Well they were the first to break the “unbreakable” Enigma machine used by the Germans.

        Wouldn’t even surprise me that it was some outside group that has been hired by a nation-state.   It would have a vested interest in not leaking anything.
