Security researchers are dissecting a newly discovered malware toolkit being called The Flame, which is believed to be funded by a nation-state and possibly part of an intelligence-gathering operation.
The Flame, discovered by Kaspersky Lab, was detected on the systems of individuals in Lebanon, Syria, Sudan and Israel. Kaspersky researchers said the malware, which is about 20 megabytes in size when fully deployed, is highly sophisticated and was designed to gather as much data as possible about the targeted individuals. Kaspersky said the code base is different from the notorious Stuxnet worm or the Duqu Trojan, but the attackers’ aim and technique share certain similarities.
“While its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators,” wrote Aleks Gostev, chief security expert at Kaspersky Lab, in an analysis of The Flame. “Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.”
The Flame contains functionality that enables the attackers to record audio and keystrokes as well as steal documents and other data on the victim’s machine. It is also built to be controlled directly by its operators, who can push new modules to an infected machine and delete any traces of the malware to avoid detection. Kaspersky pointed to the encryption, the plug-in architecture and the choice of programming language as signs that the toolkit was developed by a well-funded organization. Researchers have not yet determined how the malware spreads or whether any zero-day vulnerabilities are exploited.
An analysis by the CrySyS Lab in Hungary determined that The Flame may have been in use as early as 2010. CrySyS, which calls the malware Skywiper, said it was likely not made by the same developer team as Stuxnet and Duqu, but added that a nation state could hire multiple development teams to achieve the same objectives.
Risk to U.S. firms
The malware was highly targeted, and researchers say it is likely part of a broader cyberwarfare campaign designed to infect only a small number of individuals. Fewer than 200 infections were detected in Iran, with fewer still in other countries in the Middle East and North Africa.
“Certainly the researchers that do this for a living have to acknowledge that this seems like an interesting piece of malware,” said Pete Lindstrom, research director at Spire Security. “I think this stuff is so far removed from most CISOs that if they are interested, they’re interested from a professional level.”
There are no signs, according to Kaspersky Lab, that any of the infected systems sit in a corporate network. At 20 MB, the malware would likely have difficulty remaining stealthy on a corporate network, Lindstrom said. But it wouldn’t hurt for security professionals to determine whether the company’s security software can identify the malicious code. A log review would also help surface any network anomalies, he said.
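The log review Lindstrom suggests is generic, and the article publishes no indicators for The Flame, so the following is an added example, not code from the article, Kaspersky or CrySyS, and contains no Flame signature. It shows the two checks an analyst would usually run first against outbound proxy logs when the concern is a data-stealing implant: per-host outbound volume, and connections to one destination at near-constant intervals (beaconing). The log format, the hostnames, the 203.0.113.7 address and the thresholds are all constructed for the example.

```python
"""Added example (not from the article): a minimal log-review pass that looks for
two generic network anomalies a data-stealing implant tends to produce:
unusually large outbound transfers per internal host, and connections to one
destination at near-constant intervals (beaconing). The log lines below are
constructed for this example; nothing here is a Flame indicator."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-style log lines: timestamp, source host, destination, bytes out.
SAMPLE_LOG = """\
2012-05-28T09:00:00 ws-12 203.0.113.7 1200
2012-05-28T09:00:05 ws-12 cdn.example-site.test 3400
2012-05-28T09:10:00 ws-12 203.0.113.7 1180
2012-05-28T09:20:00 ws-12 203.0.113.7 1210
2012-05-28T09:30:00 ws-12 203.0.113.7 1195
2012-05-28T09:40:00 ws-12 203.0.113.7 1205
2012-05-28T09:03:17 ws-07 mail.example-corp.test 52000
2012-05-28T09:41:02 ws-07 files.example-corp.test 880000
2012-05-28T09:02:44 ws-21 cdn.example-site.test 2100
2012-05-28T10:15:09 ws-21 drop.example-host.test 15600000
"""


def parse_log(text):
    """Parse lines into (timestamp, src, dst, bytes_out) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], size))
    return records


def outbound_volume_outliers(records, threshold_bytes=10_000_000):
    """Return {src: total_bytes} for hosts whose total outbound bytes exceed the threshold
    (threshold is an assumed value; tune it to the environment's baseline)."""
    totals = defaultdict(int)
    for _, src, _, size in records:
        totals[src] += size
    return {host: total for host, total in totals.items() if total > threshold_bytes}


def beacon_candidates(records, min_connections=4, max_jitter_ratio=0.05):
    """Return {(src, dst): mean_gap_seconds} for pairs that connect at nearly constant
    intervals. Jitter is measured as stdev/mean of the gaps between consecutive connections."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            found[pair] = avg
    return found


def review(text):
    """Run both checks over a log and return the candidates for analyst triage."""
    records = parse_log(text)
    return {
        "volume_outliers": outbound_volume_outliers(records),
        "beacons": beacon_candidates(records),
    }


if __name__ == "__main__":
    for category, hits in review(SAMPLE_LOG).items():
        print(category, hits)
```

Both outputs are triage lists, not verdicts: a scheduled software updater produces exactly the same fixed-interval pattern as a beacon, and a large backup job looks like exfiltration by volume alone, so each hit still needs the destination, the process and the user behind it checked before anyone calls it an incident.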
“CISOs should be mildly interested in the characteristics of the malware to gain a perspective about whether something like this can infect their environment and how they would respond to such an attack,” Lindstrom said.
From a technical perspective, there is a lot to decompile and analyze before anything can be learned from the malware, said Andrew Storms, director of security operations at nCircle Network Security Inc. From a broader perspective, the threat is an indication of how difficult it is for CISOs to profile attackers, Storms said.
“What we’re seeing here is a significant shift of what used to be the classic attacker and now there is becoming more and more evidence of state sponsored malware and attacks going on,” Storms said.
Proactive CISOs will pay attention to any threat posed by The Flame, but it’s even more important to continue to focus on basic security measures, Storms said. Understand where the most sensitive company data resides, know who has access to it and build out the enterprise’s defensive and detection capabilities, he said.
“I think it’s important to take out the idea of cyberwar and just define it as what’s at risk in the organization and who are the potential threat actors,” Storms said. “It’s not so much about cyberwarfare, but about intellectual property, the assets that could be taken and what you are doing to protect it.”