Flame brings us spyware that is truly worthy of the name. You don’t hear the word “spyware” used much these days, but according to Kaspersky Lab’s initial analyses, we’ve never seen malware so adept and stealthy at watching, capturing and stealing in so many ways. Kaspersky’s Alexander Gostev says it “redefines the notion ofcCyberwar and cyber espionage.” It’s been in the wild for at least two years, by Kaspersky’s reckoning and very likely longer. Makes you wonder what else might be out there.
I don’t know if Flame actually changes the game of digital cyber theft. Cyber criminals have plenty of simpler tools that are efficient when it comes to infiltrating networks and stealing sensitive information or grabbing credentials and cleaning out bank accounts. But in the world of digital intelligence gathering, Flame apparently raises the stakes. We were impressed by the much smaller, highly focused Stuxnet weapon, aimed at Siemens industrial control systems, and its intelligence-gathering cousin, Duqu, which was used against perhaps 50 targets, according to Kaspersky.
By comparison, flame is huge and highly versatile, an intelligence-gathering toolkit of 20 MBs when fully deployed with all 20 modules. It’s not that any of the functionality is unique, but that there is so much of it with so many options: network monitoring, audio recording, keystroke captures, the use of SSL and SSH encrypted channels, its own databases and code so massive that its sheer size makes analysis extremely difficult and time-consuming. It even turns on its recording capabilities when certain applications, such as IM, are launched, and records the conversation. It has been deployed against a diverse collection of targets in the Middle East, including individuals, educational institutions and state related organizations (for a good discussion, read Gostev’s “The Flame: Questions and Answers“ on Securelist). So, the profile for a target organization is, essentially, anyone that the attacker deems worth intelligence-gathering.
The level of research and the geography of the targets makes it clear, Kaspersky asserts, that a nation state is behind Flame, though, as with Stuxnet and Duqu, there is apparently no way of determining which one or ones, at least based on anything they have seen in the code.
Kaspersky discovered Flame when it was asked to investigate malware that was deleting information in the Middle East. You have to assume that someone would have caught on to Flame eventually, but the fact that it operated in the wild for at least two years without discovery gives one pause. This is not FUD (fear, uncertainty and doubt). Only hubris would lead us to believe that this type of malware is beyond the means of at least a handful of hostile nation states.
This is not to suggest that organizations need to change their security processes and procedures in response to Flame. But the message is to act as if someone is already inside your network, quietly, patiently stealing confidential information. Attackers already have ample tools to get inside most networks – it doesn’t have to be Flame or some theoretical or yet-to-be piece of Uber Malware. Use network monitoring and analysis to watch for anomalous traffic, particularly command and control communications and data exfiltration. Do everything you can to keep attackers out, and do everything you can to root them out once they are in.