Cyber-Spying Flame Attackers Operated On 'Need To Know' Basis

The complex malware dates back to 2006, with at least four individuals authoring the code and running the operation itself -- which continues to evolve
New research published separately today by Kaspersky Lab and Symantec, and in conjunction with CERT-Bund/BSI and the International Telecommunications Union-IMPACT, shows that the sophisticated Flame cyberespionage campaign dates back to 2006 and confirms earlier suspicions of the existence of other related malware -- with three other related malware families out there, one of which is still in the wild.

Flame, which was first discovered by researchers this spring, is an information-stealing and spying tool that has been tied to Stuxnet, which sabotaged Iran's Natanz nuclear facility. It's basically a virtual, digitized spy tool that does what a human spy would do: record phone calls, snap photos, and siphon information.

Researchers today confirmed their hypotheses that Flame just scratched the surface of the cyberespionage campaign most likely being conducted by a nation state. Published reports have pointed to the U.S. and Israel as playing a part in both Stuxnet and Flame, but neither Kaspersky Lab nor Symantec will comment.

Among the new findings about Flame is that it's not the newest version of malware used by the command-and-control (C&C) server investigated by both Kaspersky and Symantec, and that the attackers took great pains to cover their tracks in order to evade detection. "They went to great lengths to hide things. Not only was the data stolen encrypted ... so no one could see it, but the fact that periodically everything on the server gets deleted, and the Wiper module would delete the malware off the client. Quite a bit of care was taken in covering their tracks," says Kevin Haley, director of Symantec Security Response. "That's indicative of a spy kind of thing."

Researchers say the operation smacks of a traditional military or intelligence operation, with each player in the operation responsible for a particular role, and not everyone having the same access to the specifics. Kaspersky Lab published redacted versions of the nicknames of the four Flame authors, D***, H*****, O******, and R***. "H" had the most experience of the group, with encryption expertise as well as other complex coding skills, and likely was the project lead, according to Kaspersky.

There were delineated roles in the Flame attack: Admins could set up the server, operators uploaded packages of malware and downloaded stolen information via a control panel, and attack coordinators held the private key to decrypt the stolen booty, according to Symantec's research. "The person operating that software didn't actually see the data being stolen," Haley says. "It was a spy game kind of thing, on a need-to-know [basis]," he says.

Even so, the findings didn't provide any additional information on just who was behind it. "There's nothing there that says this is who did it. There's no claim of credit," Haley says.

Despite the striking way Flame was designed to appear ordinary and to blend into the computing environment, the attackers apparently left behind a few clues. According to Kaspersky, the attackers inadvertently locked themselves out of the Flame C&C server and left behind some files, showing that the attackers uploaded 5.5 gigabytes of compressed files on a weekly basis to that particular server.

They didn't delete some HTTP logs on one server, so the researchers were able to calculate a partial count of Flame victims. Not surprisingly given the Stuxnet connection, the victims were mainly located in Iran, with 3,702, as well as in a country that had not previously been identified as a target: Sudan, with 1,280. "Our previous statistics did not show a large number of infections in Sudan, so this must have been a dedicated campaign targeting systems in Iran and Sudan," Kaspersky's blog post said today. "If just one server handled 5000+ victims during a one-week period and given several servers were available, we can estimate the total number of victims for Flame is probably higher than previously estimated, exceeding 10,000."

How could such a professional and well-oiled campaign leave traces after so aggressively covering its tracks for so long?

"The amount of effort in covering up their tracks was surprising. On the flip side of that, it's probably not a surprise that they made a mistake. We see mistakes in coding software all the time," Symantec's Haley says.

The C&C servers support not just Flame but also three other malware families. Kaspersky labels the four families the servers handle as SP, SPE, FL, and IP. SPE is a Flame-related variant, but the others remain unknown. "IP" appears to be the newest of the four, according to Kaspersky, and the developers are working on a new protocol dubbed "Red Protocol."

"Clearly, this command and control is not used exclusively for Flamer," Symantec's Haley says. "I don't know if we've seen them all -- it's possible we have not."

[ Easy-to-crack encryption likely helped keep Flame alive, as well as its resemblance to conventional software. See How Flame Hid In Plain Sight For Years. ]

Another interesting tactic employed by Flame: The coders disguised it as a legitimate content management system called "Newsforyou."

"The application is designed to resemble a simple news/blog application. This approach may serve to disguise the true nature of the application from any automation or casual inspection. Although the code was running on a Linux server, it is likely some of the command-and-control servers were running Windows, or at least that the code was developed and tested on Windows computers," Symantec wrote in its new Flame report, which also confirmed that one of Flame's servers automatically wiped itself off computers in late May 2012.

This is far from the end of Flame and its cyberspying relatives. They will continue to evolve, researchers say.
