The firms found Flame to be a highly sophisticated, professional attack that bears the hallmarks of being state-funded – just as originally suspected.
Both firms have performed a forensic investigation of the control servers used to execute the Flame operation, which they discovered were built to look like publishing platforms with a content management system called Newsforyou. Extensive cryptography and a series of measures meant to cover the tracks left from the system were supposed to prevent the operation from ever coming to light, but perpetrators left behind a series of errors that researchers were able to leverage to find more information.
Symantec found that the operation goes all the way back to 2006, but the servers were set up on March 25, 2012, and May 18, 2012, respectively. The servers would go on to control at least a few hundred compromised computers over the next few weeks of their existence. Just one of the servers involved, forensics revealed, extracted six gigabytes worth of data from its targets in eight days. The number of total Flame victims could exceed 10,000, researchers said.
The systems were configured to disable any unnecessary logging events and entries in the database were deleted at regular intervals. Existing log files were securely deleted from the server on a regular basis, too – all of which was meant to prevent information from falling into the hands of interested third parties.
There’s also evidence of a sophisticated administrative structure within the perpetrator group. Distinct profiles were found for those responsible for setting up the server (administrators), those responsible for uploading packages and downloading stolen data through the control panel (operators) and those holding the private key with the ability to decrypt the stolen data (attackers).
“The operators themselves may actually be completely unaware of the contents of the stolen data due to the use of data security compartmentalization techniques,” Symantec researchers said. “The use of this type of structure suggests that this is the work of a well-funded and organized group.”
After studying the cryptography, the assessment was that “this new side of Flame was so advanced that only the world's top cryptographers could be able to implement it,” according to Kaspersky, which in June had definitively confirmed that Flame developers communicated with the Stuxnet development team, which was “another convincing fact that Flame was developed with nation-state backing,” it said.
Stuxnet, as first reported by the New York Times, was very likely a joint Israeli-US virus that took out Iranian nuclear facilities in 2011.