The Flame is “ignited” between the U.S. and France

French weekly news magazine L’Express has reported that the offices of France’s former president Sarkozy were hit by a cyber espionage campaign back in May 2012. A few days before the second round of the presidential election, won by Hollande, the President’s office was infected by the Flame malware; the compromised PCs included that of Sarkozy’s Secretary General, Xavier Musca.

What is Flame malware and who has developed it?

Flame is considered a complex malware, built with the primary intent of creating a comprehensive cyber espionage toolkit. The geographic distribution of the targets hit by the malware, primarily located in the Middle East, combined with the high level of sophistication of the agent, are clear clues that the malicious application is the result of a state-sponsored project.

“Kaspersky Team defined Flame as a sophisticated attack toolkit which condenses the characteristics of a backdoor, a Trojan, and a worm able to spread itself within a local network and on removable media.”

Roel Schouwenberg, a Kaspersky researcher, revealed a link between Flame and the cyber weapon Stuxnet, noting that a module of the spy tool was also used in a particular version of Stuxnet.

“Flame was used as some sort of a kick-starter to get the Stuxnet project going,” Schouwenberg stated. “As soon as the Stuxnet team had their code ready, they went their way.”

Starting from 2009, the evolution of the two projects proceeded independently. The security community is also convinced that the Stuxnet virus was part of a US cyber warfare project pursued by Obama; accordingly, many experts attribute the paternity of Flame to a joint venture between the U.S. and Israel.

The use of Flame in a cyber attack against the French government demonstrates a cyber espionage campaign aimed at stealing sensitive information from the country’s top politicians. Representatives of the French government declared:

“Hackers have not only managed to get to the heart of French political power, but they were able to search the computers of close advisers of Nicolas Sarkozy.”

The cyber espionage campaign was probably successful in disclosing confidential information regarding the policy of the French government, even if it seems not to have directly involved the President, who does not use a specific computer.

“Secret notes were recovered from hard drives, and also strategic plans,” reports the article.

The attack against the President’s office was a spear phishing attack that used the popular social network Facebook to spread the malware. The attackers shared a link to an infected website that was a replica of the Elysee’s intranet; the hackers used it to infect the machines and also to gather users’ credentials. All the machines in the presidential network, including those of a number of Sarkozy’s closest collaborators, were infected by the Flame agent.

The links between Stuxnet and Flame led many to think that the US is responsible for the attack against the Élysée Palace, but the U.S. government responded immediately, denying any involvement.

Homeland Security spokesman Matthew Chandler declared in a statement to The Hill:

“France is one of our strongest allies.” “We categorically deny the allegations by unnamed sources that the U.S. government participated in a cyberattack against the French government.” “Our outstanding cooperation in intelligence sharing, law enforcement and cyber defense has never been stronger, and remains essential in successfully combating the common threat of extremism.”

Homeland Security Secretary Janet Napolitano released the following statement on the event:

“We have no greater partner than France; we have no greater ally than France.” “We cooperate in many security-related areas. I am here to further reinforce those ties and create new ones.”

Once the malware was discovered, the Agence nationale de la sécurité des systèmes d’information (Anssi) isolated the network to collect evidence of the attack and, of course, to secure the IT infrastructure. The clean-up operation lasted several days due to the complexity of the attack.

At the moment there are no official announcements from the French government; accredited sources revealed that national infrastructures are steadily under attack, and last May they were hit by two other large-scale cyber attacks.

The event will certainly leave a mark on the diplomatic relations between the countries, and it confirms the commitment of countries to cyber warfare. Every government is improving its cyber capabilities, but events like this are not isolated; each state is exploring every way to obtain sensitive information on competitors and allies.

Another meaningful factor associated with the use of malware is that any government today could have manipulated the source code of Flame to conduct an attack and put the blame on the United States or Israel. We live in the age of disinformation and of relocation of cyber threats; in cyberspace every certainty becomes evanescent.

The mystery is dense!

Pierluigi Paganini

 


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
