The United States and Israel are responsible for developing the sophisticated espionage rootkit known as Flame, according to anonymous Western sources quoted in a news report.
The malware was designed to provide intelligence about Iran’s computer networks and spy on Iranian officials through their computers as part of an ongoing cyberwarfare campaign, according to the Washington Post.
The program was a joint effort of the National Security Agency, the CIA and Israel’s military, which also produced the Stuxnet worm that is believed to have sabotaged centrifuges used for Iran’s uranium enrichment program in 2009 and 2010.
“This is about preparing the battlefield for another type of covert action,” a former high-ranking US intelligence official told the Post. “Cyber collection against the Iranian program is way further down the road than this.”
Flame was discovered last month by Russia-based antivirus firm Kaspersky Lab, following reports in Iran that malware aimed at computers belonging to that country’s oil industry had wiped data from the computers. In trying to investigate that issue, Kaspersky came across components of the Flame malware, which the researcher believed was not directly connected to the malware that wiped the Iranian computers clean but which they believed was created by the same nation states behind Stuxnet.
Kaspersky disclosed last week that Flame in fact contained some of the same code as Stuxnet, directly tying the two pieces of malware together.
According to the Post Flame was designed to infiltrate highly secure networks in order to siphon intelligence from them, including information that would help the attackers map a target network. Flame, as previously reported, can activate a computer’s internal microphone to record conversations conducted via Skype or in the vicinity of the computer. It also contains modules that log keyboard strokes, take screen shots of what’s occurring on a machine, extract geolocation data from images and turn an infected computer into a Bluetooth beacon to siphon information from Bluetooth-enabled phones that are near the computer.
Flame exploited a vulnerability in Microsoft’s terminal service system to allow the attackers to obtain a fraudulent Microsoft digital certificate to sign their code, so that it could masquerade as legitimate Microsoft code and be installed on a target machine via the Microsoft software update function.
Flame was developed at least five years ago as part of a classified program code-named Olympic Games, the same program that produced Stuxnet.
“It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage,” said Michael V. Hayden, a former NSA director and CIA director who left office in 2009, told the Post.
It’s still unclear whether the malware used to attack computers in Iran’s oil ministry is the same malware now known as Flame. According to the Post, the attack on the oil ministry computers was directed by Israel alone, a matter which apparently caught US officials off guard, according to anonymous sources who spoke with the newspaper.