The most sophisticated cyber-warfare tool yet?

I’ve been following the unfolding of the ‘Flame‘ affair, an extraordinarily sophisticated cyber-warfare tool discovered in Iran, with intense interest.  According to the Weekly Standard:

Once a computer is infected by Flame, the program begins a process of taking over the entire machine. Flame records every keystroke by the user, creating a perfect log of all activity. It takes pictures of the screen every 60 seconds ​— ​and every 15 seconds when instant message or email programs are in use. It records all administrative action on the computer​ — ​taking note of network passwords, for instance. And it rummages through the computer’s hard drive copying documents and files.

But that’s not all. Flame also takes control of the machine’s Bluetooth capability and turns it into a hub for a small wireless network, bonding with other Bluetooth-enabled devices in the vicinity, such as cell phones. It then uses the Bluetooth connection to case whatever information is on the remote device ​— ​say, an address book, calendar, or email list. Most spectacularly, Flame is able to turn on the computer’s built-in microphone and record the user, or anyone else who happens to be chatting in the vicinity.

Flame then compiles all of this information ​— ​the passwords, the documents, the keystroke logs, the screenshots, and the audio recordings​ — ​encrypts it, and secretly uploads it to a command-and-control server (C&C), where someone is waiting to analyze it.

. . .

When it works its way onto a new machine, Flame comes in an initial package of six megabytes. After the worm takes control of the box, it inventories the machine and the surrounding networks, and then begins communicating with a remote C&C  server. On the other end of the line, a team takes in the data being sent by Flame, makes a determination of the new host’s value, and then returns instructions to the waiting worm. Depending on what the C&C team see, they might instruct Flame to install any of 14 additional modules ​— ​mini add-on programs which, for instance, would give Flame the ability to take over the computer’s microphone, or Bluetooth functionality. One module, named “browse32,” is a kill module. When activated by the C&C, browse32 systematically moves through the computer, deleting every trace of Flame’s existence. Its wipe is so thorough that once it’s been triggered, no one ​— ​not even computer security techs ​— ​can tell if Flame was ever there in the first place.

. . .

As for the question of security ​— ​how does Flame talk its way past the computer’s antivirus protections? No one knows. The techs at Kaspersky Lab watched Flame attack a PC running the fully updated Windows 7 security suite. The worm took over the computer effortlessly. This suggests that the worm’s designers have access to one or more vulnerabilities in the operating system that even the people who designed the OS don’t know about.

. . .

Flame … is a study in stealth and patience. Unlike Stuxnet, with its single-minded search for a specific computer system, Flame seems to have wandered in many directions: onto computers used by governments, universities, and private companies. It moved slowly, and the overall number of infected systems seems to be quite low. Current estimates put it at 1,000 computers, nearly all of them located in Iran, the Palestinian territories, Sudan, Syria, and Lebanon. Flame kept the number of infections low because it never moved from one computer to another without explicit instructions from its C&C. … It was a detailed, deliberate process of identifying and exploiting targets that must have required significant manpower and intelligence capability on the C&C side. In other words, the design and deployment of Flame was only half of the job. Another team, with a different skill set, was needed to run the operation once it was in the field.

But once Flame was running, it was like something out of science fiction. Flame could watch a target even when he was completely alone. It could listen to every word he said on the telephone, or through Skype, or to a colleague walking past his desk. It could rifle through his computer files and find any document. Or peek into a cell phone sitting in someone’s pocket in the next room. It never had to worry about getting caught in the act. And on a moment’s notice, it could erase any sign that it was ever there. It kept up constant communication with its handlers, even when they were thousands of miles away, and it always followed orders.

Whoever engineered Flame didn’t just build the most spectacular computer worm ever made. They created the perfect spy.

There’s more at the link.  Bold print is my emphasis.  A more detailed report may be found at Wired magazine.

I’m rather amused by all the speculation about who’s behind Flame.  Come on, people!  Who were (and are) Flame’s targets?  The reports so far identify computers in Iran (well over half of those infected), plus others in Palestine, Sudan, Syria and Lebanon.  Which nation regards all of those states as actual or potential enemies?  I’ll be politically correct and won’t publish its name . . . but if you said it’s a six-letter word beginning with the letter ‘I’, I’ll not be calling you a liar.

I’m absolutely in awe of the technological skill and intelligence acumen it took to develop, deploy and operate this beast.  It’s been out there for at least two to three years, possibly five years or more.  It’s harvested a literally incalculable amount of data – incalculable because it erases itself so thoroughly that no-one can say for sure just how many computers may have been infected by it.  For example, each and every computer in Iran’s nuclear development laboratories and plants and defense factories and government agencies must now be considered to have been compromised.  There’s no way to tell which were, and which weren’t – so they’ve all got to be suspect.  The information gathered may be sufficient to provide specific targeting information for strikes against Iran’s nuclear program and every single associated industrial site, office building or military barracks.  Heck, with that quality and quantity of information-gathering, an attacker might know by now precisely which window or door to put the bomb through!

This appears to be a masterpiece of electronic espionage.  It’ll take years to analyze just how much damage has been done – and while insiders may eventually figure out most of it, the full picture will probably never be publicly revealed.  Furthermore, if first Stuxnet, then Duqu, and now Flame are (as many believe, including myself) all the product of a single national espionage effort, how many more such programs are out there?  I daresay, right now, cyber-security experts around the world are tearing their hair out and having joint and several nightmares about that . . .  In particular, in the light of the Jonathan Pollard affair, I believe the USA should be very concerned about its security.



  1. Network logging would pretty much be your only clue. 1 to 4 per minute screenshots would make up a fair bit of data to transfer.

    Avoiding things like this is a convenient side effect of things like SIPRnet, which has no connections to the regular internet.

    It would be a poor idea, I believe, to presume that the Iranians aren't smart enough to have certain computers and networks which never see a connection to the regular internet.

  2. You should listen to Fresh Air on NPR today, or on their web site later. The author of a book on exactly this is interviewed. And it is not just a six letter Theocratic Democracy behind it.


  3. My only thought is that Flame seems too perfect to be real. It's an application that has superpowers. Yes, it's supposedly created by a nation-state ( six-letter word beginning with the letter 'I'? I'm sure you mean "Italia", right? =) ), but there's just about nothing that a government can do right. And yes, I'm including their intelligence services in there. Even if/though they farmed it out, it just can't be that perfect. I don't buy it.

    What I would buy is that it's a really sophisticated case of psyops, and they're trying to get their enemies to distrust their computer infrastructure. Once you've planted the idea of a mysterious ghost haunting any piece of hardware, then every minor hiccup is blamed on it.

    If that is the case, then that's almost as cool a story as the software itself! Too bad we'll likely never know.

Leave a comment

Your email address will not be published. Required fields are marked *