Flame, a notorious piece of malware discovered in late May to be infecting and stealing information from hundreds of computers in the Middle East and Europe, shares something in common with the equally infamous Stuxnet malware that reportedly damaged an Iranian nuclear facility in 2010: the two types of malware contain some of the same source code that allowed them to be installed in the first place, according to a new analysis that Russian cybersecurity firm Kaspersky Labs posted online on Monday.
Specifically, what Kaspersky Labs researchers uncovered was that an earlier version of Flame, named “Tocy.a” and first detected in October 2010, is highly similar to a portable executable file found inside Stuxnet, called “Resource 207.”
In the case of both Stuxnet and Flame, the code in common was used to install and propagate the malware onto computers from an infected USB stick by causing the victim’s computer to “autorun” the malware once the stick had been inserted.
The implications of the finding are still being sorted out by Kaspersky and other security firms analyzing Flame’s source code, but they could be enormous, given a recent report in The New York Times that states the Stuxnet malware was a covert cyber weapon developed by the U.S. and Israel in order to derail Iran’s nuclear program, and that it was just one of the fruits of an ongoing U.S. cyber war and espionage effort codenamed Olympic Games.
What’s now known is that Flame’s creation predated Stuxnet’s, which Kaspersky dates to early 2009, putting Flame’s origin at no later than 2008, according to Kaspersky. Another cybersecurity firm, Budapest-based CrySyS Lab, found traces of Flame dating back to 2007. Although Flame was only discovered this year, in 2012, researchers can now use the malware’s profile to go back and check whether their software caught variants of it earlier without fully knowing what it was.
And yet, surprisingly, given the similarities in the Flame and Stuxnet code as well as their shared region of prominence (the Middle East, and Iran in particular, where the government said Flame was detected infecting computers in the country’s oil sector), Kaspersky and other leading cybersecurity researchers still aren’t ready to say that Flame and Stuxnet were created by the same teams of programmers (though given the complexity of both malware varieties, researchers are quite certain both were commissioned by nation-states).
As Kaspersky researcher Alexander Gostev wrote in a blog post on Monday: “After 2009, the evolution of the Flame platform continued independently from Stuxnet… In 2009, part of the code from the Flame platform was used in Stuxnet. We believe that source code was used, rather than complete binary modules. Since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities.”
“Possibly the most interesting thing is that they collaborated, but possibly stopped collaboration and took individual directions at some timepoint,” agreed Boldizsár Bencsáth, a cybersecurity researcher with CrySyS Lab in Hungary, in an email to TPM.
The reason security researchers are so certain that the two types of malware were developed independently is that, aside from the similar installation and spreading mechanism, Flame and Stuxnet are completely different.
“These are not derivative pieces of code,” said Kevin Haley, director of security response at American cybersecurity firm Symantec, which has also been analyzing the code and recently confirmed the connection between Stuxnet and Flame on its own, in a phone interview with TPM. “There are different people involved — clearly different people sat down at different keyboards and created both of them — we’re not changing our mind on that.”
Further, as Haley and Bencsáth told TPM, the commonality between Flame and Stuxnet need not necessarily have been authorized by the programmers of either piece of malware, given the ease with which malware, particularly the Flame variant, can be customized with different functions and components. Yet both were almost surely the result of nation-state programs.
“We’ve got a completely different piece of code [Flame] that clearly loaned some of itself out to somebody else [Stuxnet],” Haley explained, “but there are two major pieces of code, that’s a lot of time and resources that the standard cyber criminal doesn’t have to invest.”
“These large code bases need multiple developers, so some connections, ‘hired’ modules can still work,” Bencsáth added.
The Obama Administration has not officially commented on Flame, but an official with the United Nations telecommunications agency recently said that he was doubtful that the United States was behind that specific malware, raising more questions as to who, then, could and would want to develop such a tool of cyber espionage apparently directed at Iran.
Jeffrey Carr, CEO of boutique cybersecurity firm Taia Global, offered another option.
“It’s certainly possible that multiple countries could be running cyber operations in the Middle East as well so I’m not prepared to say that only one country is responsible for both,” Carr told TPM in an email.
However, Carr said that the discovery that Flame and Stuxnet share some of the same install code should indicate to researchers that there was overt cooperation between the two teams that developed each variant.
Further, because the separate Duqu malware first detected in the fall of 2011 was found to be a variant of Stuxnet, it appears as though Stuxnet is the common factor linking Flame, Stuxnet and Duqu together as a trifecta of similarly timed and targeted cyber armaments and espionage tools active in the region.
“Kaspersky’s analysis has demonstrated that DuQu and Stuxnet were probably written by the same team and that Flame’s creators had at least a cooperating relationship with Stuxnet’s (and therefore DuQu’s) creators,” said Carr. “They could represent allied countries working in cooperation or they could represent individual teams working on separate projects for the same government who have access to joint resources.”
That said, for all of Flame’s numerous layers, researchers overall aren’t surprised about the malware’s existence, and warn that more such sophisticated cyber attacks are sure to follow, if they aren’t out there already.
“I think the lesson governments take away from these pieces of malware is that they work, and that if ‘we’re not doing it, we should be,’” Haley told TPM. “We’d be foolish to believe otherwise.”