Cybersecurity Researchers Rediscover an Old Flame

The most sophisticated cyber-espionage toolkit ever to infect a PC is back. Researchers at Alphabet’s cybersecurity company Chronicle Security have uncovered a new version of Flame, the nation-state-level cybersecurity spying tool that the world thought had been shut down for good in 2012.

First discovered by Kaspersky, Flame was thought to be part of a state-run cyber-espionage operation. The software, which infected computers across the Middle East and North Africa for at least two years, was far bigger than the Stuxnet software that compromised Iran's nuclear program in 2009-10, and with which it shared some code. At the time, the anti-virus company called Flame one of the most complex threats ever discovered.

After Kaspersky blew the lid off the project, Flame went dark. Its controllers sent a kill module called SUICIDE to infected machines, erasing the malware across the board and taking down their own command-and-control servers. However, rather than killing it off altogether, they apparently adapted it and added strong encryption, making it more difficult to detect.

In a technical analysis, researchers J. A. Guerrero-Saade and Silas Cutler explained that hidden timestamps in what appeared to be old Flame malware samples showed that they had been compiled in 2014, nearly 2 years after Flame's controllers supposedly pulled the plug. 
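Reading a sample's compile timestamp is a routine first step in the kind of triage described above. The following is an added example, not code from Chronicle's analysis; the article does not say which timestamp field the researchers relied on, so this reads the standard COFF file header `TimeDateStamp` and `Machine` fields (the latter distinguishes 32-bit from 64-bit builds). The PE buffer it parses is constructed inline for demonstration and is not a real binary.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE_* values from the PE specification
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def pe_header_info(data: bytes) -> dict:
    """Return the COFF header compile timestamp and machine type of a PE image.

    Note for analysts: TimeDateStamp is written by the linker and can be
    forged or zeroed by the author, so treat it as a clue to be corroborated
    (e.g. against sandbox first-seen dates), not as proof on its own.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    # e_lfanew at offset 0x3C in the DOS header points at the PE signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header (20 bytes) follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "timestamp": stamp,
        "compiled_utc": compiled,
    }


def build_sample(stamp: int, machine: int = 0x8664) -> bytes:
    """Construct a minimal header-only PE buffer (constructed test data, not a real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def is_newer_than(data: bytes, year: int) -> bool:
    """True if the sample's compile timestamp falls after the given year (hypothetical helper)."""
    return pe_header_info(data)["compiled_utc"].year > year


if __name__ == "__main__":
    # 1388534400 is 2014-01-01T00:00:00Z, a constructed value for illustration
    sample = build_sample(1388534400)
    info = pe_header_info(sample)
    print(info["machine"], info["compiled_utc"].isoformat())
    print("compiled after 2012:", is_newer_than(sample, 2012))
```

Run it against a real file by replacing `build_sample(...)` with the bytes of the sample read from disk; the `is_newer_than` check is the one-line version of the comparison the researchers made between the apparent age of the samples and their actual build dates.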

Although built on the original Flame source code, the new malware, dubbed Flame 2.0, contained new features including AES-256 encryption to throw researchers off the trail.

The encryption stopped the team from analyzing much of the new software's functionality, but they could tell that it interacted with an infected machine's audio input and that it identified other processes running on the host. It also probably moved laterally throughout the network, they added. The software also included the first Flame samples compiled for 64-bit Windows systems.

Of particular note was Flame 2.0's relationship to other nation-state malware, including not only Flame, but also Stuxnet and advanced malware platform Duqu. This led the team to group together these families and some other components developed as far back as 2002, attributing them to a far-reaching and multi-faceted threat actor called GOSSIPGIRL. 

GOSSIPGIRL cropped up in a 2010 internal presentation by the Communications Security Establishment, which is Canada's international signals intelligence agency (its version of the US NSA, or the UK's GCHQ).

Chronicle called GOSSIPGIRL a supra-threat actor (STA). This is a nation-state-level project involving either multiple agencies, or multiple malware platforms, or both. 

All this sheds new light on the shadowy world of nation-state cyber espionage. It’s still a highly murky community, but research efforts like this bring it slowly but surely into slightly sharper focus.

The topic of Threats, Exploits and Vulnerabilities will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Threats, Exploits and Vulnerabilities here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
