Welcome to the new frontier of cyber-espionage, and remember this name: "Flame" -- a mysterious new cyber spy tool that hit the headlines on Monday, May 28. Its code is 20 times larger than Stuxnet, the mysterious computer worm that temporarily crippled Iran's Siemens nuclear centrifuges, and it "might be the most sophisticated cyber weapon yet unleashed" according to Kaspersky Lab, a Russian-based cybersecurity firm. Kaspersky published the findings of its analysis on Monday, as did the Iranian Computer Emergency Response Team (CERT) and Budapest University. Most of the infected systems are located in the Middle East, with Iran, Israel, Palestine, Sudan, Syria, Lebanon, and Hungary topping the list. Flame stands out for the variety of ways in which it "exfiltrates" data, including surreptitiously recorded audio captured by internal microphones. However, unlike Stuxnet, Flame was designed to spy -- not destroy.
The variety of spy tools that Flame employs is astonishing. According to Kaspersky, "of course, other malware exists which can record audio, but key here is Flame's completeness -- the ability to steal data in so many different ways." It also takes snapshots of instant messages and records a user's keystrokes. Flame is remotely controlled through a command and control server and it's highly dynamic. In other words, it has been updated remotely since it was first launched at least as early as March 2010 and its "creators are constantly introducing changes into different modules" which expand its functionality. Now that it has been detected, the Iranian CERT apparently offers infected users a removal tool.
According to the Washington Post, some analysts see the United States and Israel behind Flame. Kaspersky will only go so far as to say that it's likely the work of a nation-state rather than a private entity or hacking group, because of the sophistication and the geographic location of the infected systems. For now, the perpetrator's identity remains unknown. Flame was designed to avoid being detected, hiding in large amounts of code and using a programming language unusual for malware. Victims include individuals, private companies, educational institutions, and state-related organizations. Other details are also unclear at this point, such as how Flame gains access to a system in the first place. Kaspersky considers Flame an operation likely to have been run in tandem with Stuxnet.
Unlike Stuxnet, Flame was designed for a non-destructive purpose. That said, both types of code essentially consist of three elements, according to Herb Lin, chief scientist at the National Research Council: a vulnerability, access, and a payload. Think of a computer system as a walled-in garden. The first objective is to find a hole in the wall to get into the garden. A vulnerability in the computer system -- the hole -- provides that access to the system. Once inside the garden, there are basically two ways it plays out, determined by the payload. A cyber-espionage payload -- like Flame -- walks around making copies and taking pictures of what's in the garden. By contrast, a cyber-warfare payload -- like Stuxnet -- destroys what's in the garden.