On 28 May the Iranian National CERT (MAHER) published an alert on a new attack. “The attack, codenamed ‘Flame’ is launched by a new malware,” it claimed. “At the time of writing, none of the 43 tested antiviruses could detect any of the malicious components.” Nevertheless, it continued, Iran had developed both a method of detection and a method of removal.
This announcement coincided with news stories in the mainstream press about a new, highly targeted, massive, state-sponsored cyberweapon aimed at Iran. Nearly all of this is at least true in part – except that it is not new. It is certainly targeted and, like Stuxnet, appears to be aimed mainly at Iran. It is massive: 20 MB. It is (probably) state-sponsored. Most researchers believe that only a nation state with extensive resources could be behind the development of Flame; while Arutz Sheva (Israel National News) quotes the Israeli vice prime minister Moshe Ya'alon saying "Whoever sees the Iranian threat as a meaningful threat – it is reasonable he would take various measures, including this one.” Arutz Sheva takes this as a hint that Israel developed Flame.
However, while there is extensive conjecture about Flame, little is yet known. Kaspersky announced yesterday that “The complexity and functionality of the newly discovered malicious program exceeds those of all other cyber menaces known to date.” But while it may be ‘newly discovered’, it is not new malware, as David Harley, senior researcher at ESET, points out. “Conflicting conjecture and confusion over the ‘ownership’ of the detection is muddying the waters,” he comments. “According to the Iran National CERT they had detection (but not removal) for the malware ESET calls Win32/Flamer.A in early May, but Kaspersky claims it’s been in the wild since March 2010: however, it seems to be the same malware threat the Laboratory of Cryptography and System Security (CrySyS) in Budapest calls sKyWIper (which they believe may have been active for 5-8 years or even longer).
“Perhaps the most interesting feature,” he added, “is that the Iran National CERT has volunteered to share samples with security vendors, despite the fact that many software vendors (notably those headquartered in the US) are unable to trade legally with Iran. Bizarrely, these malicious programs are running in Iran on an operating system that Microsoft can’t export to Iran. This restriction may have hampered initial detection of the malware by security vendors outside the region, but samples have subsequently trickled into the mainstream via secondary sources.”
Put simply, almost everything we know about Flame so far is conjecture. We know it is large, sophisticated and targeted. We believe that the primary target is Iran, but it has also been found in other locations. We suspect that it could only have been produced by a nation state, and there is a suggestion that the nation state is Israel. It has some similarities with Stuxnet and Duqu, but more in scope and complexity than in code.
We also know some of its capabilities: it can steal documents, capture screenshots and even make audio recordings. According to Alexander Gostev, chief security expert at Kaspersky Lab, “One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase, and its operator is consistently surveying infected systems, collecting information and targeting new systems to accomplish its unknown goals.”
An exhaustive analysis of the malware itself, however, is going to take many months.