Now that you’re done with the NYT piece on Obama’s Al Qaeda “kill list,” take 10 more minutes and dive into Wired’s fascinating read on the greatest spy machine ever invented. Unlike Stuxnet, this one doesn’t mess with industrial equipment; all it does is record virtually everything you’re doing on your computer — or within earshot of your computer — while leaving almost no trace of its existence.
The apparent target is just who you’d think it’d be.
The [Flame] malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware…
Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.
The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.
Current estimates are that 1,000 computers worldwide are infected, a plurality of which are in Iran. Interestingly, though, Flame doesn’t replicate automatically. Stuxnet did — so much so that Richard Clarke theorized there must have been a flaw in its programming. Not only does replication make it more likely that the virus will be detected but these are, after all, the cyber equivalents of atomic bombs. The more freely available the virus is, the more likely it is that hackers and/or U.S. enemies will reverse-engineer the program to wreak havoc. (Then again, hackers can already access virtually any unsecured U.S. network, in which case who needs Flame?) The braintrust behind Flame evidently took care to make sure its exposure was limited, which helps explain why it wasn’t discovered as quickly as Stuxnet.
Apparently there are almost no similarities between Stuxnet and Flame except, per Wired, one possible likeness in their export function as well as the ability to spread via USB sticks by exploiting code vulnerabilities. Does that mean the two programs came from different sources or are the differences simply a function of what they’re designed to do? Flame is vastly bigger and more complex according to cybersecurity experts (one says it’s “20 times” more complicated than Stuxnet), but then it’s designed to perform many more tasks than merely controlling the spin of uranium centrifuges. Another clue: The two viruses seem to have emerged at roughly the same time. Stuxnet has been traced to as early as June 2009 but started circulating more widely in early 2010. Flame apparently started circulating at around the same time although it may have been around as early as 2007, says Wired, noting that Stuxnet is believed to have been written in this same period. Indeed, we already know from the NYT that Stuxnet began development during Bush’s administration and was, reportedly, accelerated by Obama. Looks like Flame might have been on the tasklist too.
We also know from the Times that Stuxnet was likely a joint U.S./Israeli project. ABC sees another common thread there:
A top Israeli official hinted today that his country could be behind the most sophisticated cyber espionage program ever developed, known as Flame, which infiltrated and has spied on computer systems throughout the Middle East, including those in Iran, for the past two years.
“Whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them,” Israel’s vice prime minister Moshe Yaalon told Israel’s Army Radio today, referring to the cyber attack. “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.”…
So far, researchers in the U.S. and abroad have said Flame appears to only be used for spying purposes, rather than being used to cause physical damage to systems, like Stuxnet. Still, Kaspersky Labs said in a blog post, “such highly flexible malware can be used to deploy specific attack modules” that could target a country’s critical infrastructure and there could also be variations of the code that have yet to be discovered.
In other words, Flame might have some sort of built-in Stuxnet-like capacity to take over industrial machinery if need be. (One of the UN’s own cybersecurity experts said, “I think it is a much more serious threat than Stuxnet.”) No one knows yet because they’re only just now starting to unpack it; it’s like an alien autopsy where you’re suddenly looking at an advanced physiology you’ve never seen and have to figure out what each of the organs does. Two obvious possibilities, then, on what Flame might be designed to do. One: It could detect Iranian chatter about how far along their nuclear program is, which in turn would tell Israel when time has run out and an attack needs to be launched. Right now they’re impatient with the halting negotiations between the west and Iran but willing to tolerate them, maybe because Flame is telling them that Iran hasn’t reached nuclear “breakout” capabilities just yet. Two: It could be a way to disable Iran’s air defenses in advance of an attack or, more ambitiously, Iran’s enrichment facility at Fordo, which is buried deep inside a mountain and virtually impervious to a conventional attack. If bombs can’t take that out, they’ll need another way in. Then again, if Israel has already penetrated Fordo well enough to get Flame onto the computers there, they probably already have another way in. Anything else I’m missing here, techies? All theories welcome. Exit quotation: “If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about.”