Ramblings of an old Doc
Published on May 28, 2012 By DrJBHL In Personal Computing


Kaspersky has reported discovering a remarkably sophisticated piece of spyware after being asked to investigate suspected malware causing information loss at an Iranian oil refinery/depot. They believe it has been in circulation since August 2010.

Photo credit: Kaspersky Labs

The countries affected appear to be Israel, Iran, Sudan, Syria, Lebanon and Saudi Arabia.


There are three classes of malware/spyware producers: hacktivists, cybercriminals and nation states. Tracing the malware back and identifying its targets points to which of those groups its author(s) belong to.

In this case, there's no doubt some nation state is responsible, based on the targets, the sophistication of the attack and the research needed to produce such software. I'm betting the NSA.

This spyware takes screenshots every time an email program is opened, and if a conversation is going on near a computer with a microphone, it captures the audio, compresses it and sends it out. It appears to be an information-gathering tool only, not designed to damage the systems it resides on.

Stuxnet was simple-minded compared to this one. Flame is more like a toolkit that can go after whatever its operator wants: after the initial infection, additional modules can be added, much like plugins to a browser. Apparently there are more than twenty such modules in its full library. I read hints of this in the past (when only five such modules were known), around the time I brought Duqu to your attention. At that time, Flame hadn't been publicly differentiated from Duqu.

Flame appears to have infected over 600 very specific targets. So don’t worry, I doubt yours is on the list.

There will be many more interesting developments in this story, and as they come up, I’ll try my best to keep you all abreast.

Update (6/5/2012): It now appears that the Flame/Skywiper virus/Trojan exploited a 'hole' in a Microsoft program to disguise itself as that program, in order to grab blueprints and specs of the Iranian-Russian reactors, as well as capture images of, and the communications of, those working with those specs, and more.

Source:

http://www.bbc.com/news/technology-18238326

http://www.wired.com/threatlevel/2012/05/flame/ – Much more comprehensive history and analysis.

Update: http://www.israelnationalnews.com/News/News.aspx/156557#.T83nxTyjN8E


Comments (Page 1)
on May 28, 2012

What's weird is that this thing doesn't appear to be aimed at a particular geopolitical bloc: Iran and Israel are affected, along with Saudi Arabia (a major US ally in the region), Sudan and Syria (rogue and unstable, to different degrees), and Lebanon (stable, but hosts a lot of anti-Israeli sentiment). Seeing as the US's adventures into digital tactics have been somewhat... underwhelming in the past, it's possible (although I don't think very likely) that they created something like this and then ended up spreading it far wider than they had originally intended. However, it's possible this is a hacktivist attack that has something to do with the Arab Spring, a general attempt by some country to spread chaos, or (most likely) a very well-put-together cybercrime operation: even though money was not directly taken, this information would have a lot of value, and it cut a very wide swath through the region.

on May 28, 2012

More about gathering information about who's saying what to whom. The U.S. would seem to me to be the most likely to have done it.

on May 28, 2012

Likely in terms of motivation, possibly, assuming they didn't intend for it to be as wide-reaching as it was. But the most sophisticated cyberattack in history coming from these guys seems unlikely, especially given that the US has little to no history of doing anything in that arena before (the religious references in the Stuxnet file names suggest it was at least masterminded by Israel if not actively developed there).

on May 28, 2012

Notice the 2 names for 1 of the targets. And I don't mean Saudi Arabia.

on May 28, 2012

Yes... well, I didn't want to turn this "political", but there really isn't anything but terror links in that entity which are worthy as intelligence targets.

Certainly nothing of any scientific or technological or military value.... as opposed to the other "entity".

on May 28, 2012

Just thought it was "interesting."

on May 28, 2012

It is... and you were spot on for noticing.

on May 29, 2012

Update 1:

The Israeli Vice PM Moshe Ya'alon was quoted in an interview:

"Israel has been blessed with a prolific hi-tech sector that opens possibilities in both the business and security fields,” said an enigmatic Strategic Affairs Minister Moshe Ya’alon Tuesday morning, responding to a question as to whether Israel could be behind the sophisticated computer virus “Flame.”

http://www.timesofisrael.com/yaalon-on-flame-virus-the-west-is-using-all-the-means-at-its-disposal-to-prevent-a-nuclear-iran/

The article went on to say (paraphrasing Ya'alon) that:

"...several Western countries that possess advanced technologies and see a nuclear Iran as a significant threat could be behind the large-scale cyber attack that infiltrated thousands of computer systems in Iran and across the Middle East.

“Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it,” he said.

Ya’alon agreed with experts’ estimates that only a state could possess the resources necessary to develop such an advanced cyber weapon and noted that Western countries were doing all they could to prevent Iran from developing a nuclear weapon."

on May 29, 2012

Kaspersky has put up a questions and answers page for Flame

http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers

on Jun 01, 2012

Obama order sped up wave of cyber attacks against Iran

http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=3&pagewanted=2&seid=auto&smid=tw-nytimespolitics&pagewanted=all

Stuxnet was developed by the US and 'escaped' ...

'“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.'

on Jun 05, 2012

DrJBHL
More about gathering information about who's saying what to whom. The U.S. would seem to me to be the most likely to have done it.

Actually any Western European country. America is the prime suspect because we are number 1. But the bug seems to be ham-handed, so that indicates a less sophisticated approach.

on Jun 05, 2012

Dr. Guy, wouldn't that just mean it was government programmers who made it?

on Jun 05, 2012

Jythier
Dr. Guy, wouldn't that just mean it was government programmers who made it?

After I wrote my comment, I thought some might take it the wrong way: "ham-handed". What I meant by that is had the US made it, it would have been tight and focused, not scattershot. That a government may have done it is probably right. But it does not look like a top tier intelligence agency, rather a smaller one hoping to pick up anything.

on Jun 05, 2012

Dr Guy
It does not look like a top tier intelligence agency, rather a smaller one hoping to pick up anything.

Where is that coming from? Is there a reference?