Security researchers have uncovered a massive cyber attack that is attempting to steal data from Middle Eastern countries and has been operating undetected for up to two years.
The malware, nicknamed Flame, is said to be targeting countries across the Middle East and Africa including Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. It is searching for any kind of intelligence, such as emails, documents and even instant message conversations.
Flame has been described as incredibly complex. Kaspersky Lab, one of the firms to reveal details of the malware, said it is, "one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyber-espionage."
It complexity is one reason why it was undetected for so long, Kaspersky said. It believes Flame has been operating since August 2010.
Kaspersky Lab said the malware contains 20 times more code than Stuxnet, making analysis much more difficult. The company however added that while there are no "major similarities" with either Stuxnet or Duqu it is likely that Flame was run in parallel to the other malware.
"Knowing that sooner or later Stuxnet and Duqu would be discovered, it would make sense to produce other similar projects – but based on a completely different philosophy. This way, if one of the research projects is discovered, the other one can continue unhindered," Kaspersky explained in a blog.
Kaspersky’s analysis of the malware revealed that it is an, "attack toolkit… It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so."
Although the exact entry point and method is unclear, one the malware is inside a network it can start to sniff traffic and can perform other tasks such as taking screenshots, recording audio conversations and intercepting the keyboard.
While Stuxnet and Duqu were targeted at government organisations and facilities, it is not so clear who or what Flame is targeting. Victims detected by Kaspersky include individuals and educational institutions, suggesting this is a more general piece of malware that could be used to target institutions beyond the government.
In terms of who or what is behind Flame, Kaspersky makes it very clear that this is state-sponsored cyber espionage.
"Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states," Kaspersky said. "Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists.
"So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it," the Russian firm added.
Symantec has also been looking into the malware in conjunction with CrySys. They have dubbed it Skywiper. They too say it is likely to have a well-funded party behind it. "This code was not likely to have been written by a single individual but by an organised, well-funded group of people working to a clear set of directives," Symantec said.
Iran’s Computer Emergency Response Team, Maher, has also issued a statement, saying the malware is a "close relation" to Stuxnet. Maher added that none of the 43 antivirus products it tested picked up the malware.
"The preliminary findings of the research, conducted upon an urgent request from the International Telecommunication Union (ITU), confirm the highly targeted nature of this malicious program. One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals," said Alexander Gostev, chief security expert at Kaspersky Lab.
