Cyber-Spying Flame Attackers Operated On Need To Know Basis

Published: 22/11/2024   Category: security




The complex malware dates back to 2006, and at least four individuals authored and operated the campaign, which continues to evolve.



New research published separately today by Kaspersky Lab and Symantec, in conjunction with CERT-Bund/BSI and the International Telecommunication Union's IMPACT initiative (ITU-IMPACT), shows that the sophisticated Flame cyberespionage campaign dates back to 2006 and confirms earlier suspicions that related malware exists: three other related malware families share its infrastructure, and one of them is still in the wild.
Flame, which was first discovered by researchers this spring, is an information-stealing and spying tool that has been tied to Stuxnet, which sabotaged Iran's Natanz nuclear facility. It is essentially a digital spy that does what a human spy would do: record conversations, capture images, and siphon off information.
Researchers today confirmed their hypothesis that Flame only scratched the surface of a cyberespionage campaign most likely conducted by a nation state. Published reports have pointed to the U.S. and Israel as playing a part in both Stuxnet and Flame, but neither Kaspersky Lab nor Symantec will comment.
Among the new findings about Flame is that it is not the newest malware served by the command-and-control (C&C) infrastructure investigated by both Kaspersky and Symantec, and that the attackers took great pains to cover their tracks in order to evade detection. "They went to great lengths to hide things. Not only was the stolen data encrypted ... so no one could see it, but periodically everything on the server gets deleted, and the Wiper module would delete the malware off the client. Quite a bit of care was taken in covering their tracks," says Kevin Haley, director of Symantec Security Response. "That's indicative of a spy kind of thing."
Researchers say the operation smacks of a traditional military or intelligence operation, with each player responsible for a particular role and not everyone having the same access to the specifics. Kaspersky Lab published redacted versions of the nicknames of the four Flame authors: D***, H*****, O******, and R***. H***** had the most experience of the group, with encryption expertise as well as other complex coding skills, and was likely the project lead, according to Kaspersky.
There were delineated roles in the Flame operation: admins could set up the server, operators uploaded packages of malware and downloaded stolen information via a control panel, and attack coordinators held the private key needed to decrypt the stolen data, according to Symantec's research. "The person operating that software didn't actually see the data being stolen," Haley says. "It was a spy game kind of thing, on a need-to-know [basis]," he says.
Even so, the findings didn't provide any additional information on just who was behind it. "There's nothing there that says this is who did it. There's no claim of credit," Haley says.
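The separation of duties described above, as an added example (this is not Flame's code, and neither the cipher choice nor the package layout is something the vendors reported): the collecting side holds only the coordinator's RSA public key and uses it to wrap a fresh AES-256-GCM session key, so an operator with full access to the panel, or an analyst who seizes the server, sees nothing but ciphertext, while only the holder of the private key can open a package. The `Package` structure, the OAEP label string and the sample "stolen" content are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to this package format. Hypothetical value
// chosen for the illustration; it does not come from the Flame reports.
var oaepLabel = []byte("exfil-package-v1")

// Package is what an operator sees on the panel: a session key wrapped with
// the coordinator's RSA public key, an AES-GCM nonce and the ciphertext (tag
// included). None of the fields is readable without the private key.
type Package struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal runs on the collecting side (implant or panel upload path). It needs
// only the public key, so neither a compromised operator account nor a seized
// server yields plaintext.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Package, error) {
	key := make([]byte, 32) // fresh AES-256 session key per package
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the session key with RSA-OAEP so only the private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Package{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs only where the private key lives (the coordinator's offline host).
// A wrong key fails at the OAEP step; a modified ciphertext fails the GCM tag.
func Open(priv *rsa.PrivateKey, p *Package) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, p.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("not the coordinator's key: " + err.Error())
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(p.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
}

// OperatorCanRead models the operator's view: it reports whether the given
// plaintext is visible in the fields the panel exposes. With the session key
// wrapped, the only thing an operator learns is the package size.
func OperatorCanRead(p *Package, plaintext []byte) bool {
	return bytes.Contains(p.Ciphertext, plaintext)
}

func main() {
	// The coordinator generates the key pair; only the public half is deployed.
	coord, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample of "stolen" content; nothing here is real victim data.
	sample := []byte("constructed sample: call_20120514.wav metadata, 3 contacts")
	pkg, err := Seal(&coord.PublicKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("operator sees %d bytes, plaintext visible: %v\n", len(pkg.Ciphertext), OperatorCanRead(pkg, sample))
	got, err := Open(coord, pkg)
	fmt.Printf("coordinator recovered %q (err=%v)\n", got, err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Open(other, pkg)
	fmt.Printf("other private key rejected: %v\n", err != nil)
}
```

The design point is where the private key lives: it never touches the server or the panel, so the "need to know" boundary holds even against a full server seizure, which is why the investigators in this story could count victims from leftover HTTP logs but could not read the data those victims uploaded.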
Despite the striking way Flame was designed to appear ordinary and to blend into the computing environment, the attackers apparently left behind a few clues. According to Kaspersky, the attackers inadvertently locked themselves out of the Flame C&C server and left behind some files, showing that roughly 5.5 gigabytes of compressed data was uploaded to that particular server each week.
They didn't delete some HTTP logs on one server, so the researchers were able to calculate a number of Flame victims. Not surprisingly given the Stuxnet connection, the victims were mainly located in Iran, with 3,702 infections, as well as in a country that had not previously been identified as a target: Sudan, with 1,280. "Our previous statistics did not show a large number of infections in Sudan, so this must have been a dedicated campaign targeting systems in Iran and Sudan," Kaspersky's blog post said today. "If just one server handled 5000+ victims during a one-week period and given several servers were available, we can estimate the total number of victims for Flame is probably higher than previously estimated, exceeding 10,000."
How could such a professional and well-oiled campaign leave traces after so aggressively covering its tracks for so long?
"The amount of effort in covering up their tracks was surprising. On the flip side of that, it's probably not a surprise that they made a mistake. We see mistakes in coding software all the time," Symantec's Haley says.
The C&C servers support not just Flame but also three other malware families. Kaspersky identifies the four as SP, SPE, FL, and IP, with FL being Flame itself. SPE is a Flame-related variant, but the other two remain unknown. IP appears to be the newest of the four, according to Kaspersky, and the developers are working on a new protocol dubbed Red Protocol.
"Clearly, this command and control is not used exclusively for Flamer," says Symantec's Haley (Flamer is Symantec's name for Flame). "I don't know if we've seen them all -- it's possible we have not."
[ Easy-to-crack encryption likely helped keep Flame alive, as well as its resemblance to conventional software. See How Flame Hid In Plain Sight For Years. ]
Another interesting tactic employed by Flame: the coders disguised the C&C application as a legitimate content management system called Newsforyou.
"The application is designed to resemble a simple news/blog application. This approach may serve to disguise the true nature of the application from any automation or casual inspection. Although the code was running on a Linux server, it is likely some of the command-and-control servers were running Windows, or at least that the code was developed and tested on Windows computers," Symantec wrote in its new Flame report, which also confirmed that in late May 2012 one of Flame's servers pushed a command that removed the malware from infected computers.
This is far from the end of Flame and its cyberspying relatives. They will continue to evolve, researchers say.
