Flame and Stuxnet, the union is strength

During the Global Media and Technology Summit Eugene Kaspersky, CEO of Kaspersky Lab, revealed to the Reuters agency that the team of experts of his company has found strong similarities between part of the Flame source code and a 2009 version of Stuxnet.

The news is really surprising, the analogies demonstrate that behind the development and the diffusion of such cyber weapons in the Middle East there is the same team of experts.

In the last weeks, an uncomfortable truth was disclosed by The New York Times that could have shed light on one of the most disturbing questions of global security landscape. The planning of the deadly cyber weapon, Stuxnet, started under the administration of George Bush Junior as part of a military operation named “Olympic Games”, but the Obama administration has been pushing a more energetic on the offensive program.

The article published in the popular newspaper is adapted from journalist David Sanger’s forthcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet.

The announcement made by Eugene Kaspersky confirms that the Flame malware share with Stuxnet the same cyber project developed to attack a country in the Middle East and in particular the Iran.

The response of Washington to the revelation on the secret project Olympic Games is an internal investigation into the leaks of classified information on the development instead of an official denial of the events.

The Kaspersky CEO declared:

“there were two different teams working in collaboration,”

The Kaspersky team was the first to demonstrate a correlation between the two malware also clarifying the deep differences between them.

Stuxnet is considerable a powerful cyber weapon projected to attacks Scada systems inside Iranian nuclear plants meanwhile Flame is a sophisticated tool for cyber espionage.

The presence of the U.S. behind the development of Flame is not surprising, cyber espionage is one of the main activities covered by a cyber strategy, through which it tries to silently steal confidential information, technologies, and intellectual Property. The ability to infiltrate enemy networks, steal classified information represents a major advantage for those who lead the offensive.

Analyzing in detail the malware, just spotted Flame, Kaspersky said that the agent was very different from Stuxnet, the latter developed with the Tilded platform, which was used also for the development of the Duqu malware.

Flame and Tilded are completely different, based on different architectures, for instance, Flame never uses system drivers, while Stuxnet and Duqu’s main method of loading modules for execution are via a kernel driver.

This consideration, however, do not be fooled.

First of all, by the time Stuxnet was created in the first half of 2009, the Flame platform was already in existence because the Kaspersky experts have dated it to 2008.

The sensational discovery is that a Stuxnet instance dated 2009 used a module built on the Flame platform, this module was specifically developed to operate with Stuxnet malware and was removed in the successive versions.

In the successive version of Stuxnet have been found a new module that have substituted it and that were used to empower the propagation of the agent exploiting the vulnerability MS10-046 instead of the “old” autorun.inf.

Interesting also another discovery of the Kaspersky Labs, the Flame module in Stuxnet exploited a 0-day vulnerability enabling an escalation of privileges, presumably exploiting MS09-025.

Resuming the evolution of the two projects has proceeded independently from 2009, this supports the hypothesis that behind Stuxnet and Flame there were two distinct groups of development named by Kaspersky ”Team F” (Flame) and ”Team D” (Tilded).

Both groups have started the development of the respective malware since 2007-2008 at the latest, they have collaborated in fact in 2009, component from the Flame platform was used in Stuxnet, but since 2010, the platforms have been developing independently from each other.

After 2010 the unique analogy is that both teams have exploited the same vulnerabilities. The Kaspersky expert Roel Schouwenberg noted that no Flame components have been used in more advanced versions of Stuxnet:

“Flame was used as some sort of a kick-starter to get the Stuxnet project going,”
“As soon as the Stuxnet team had their code ready, they went their way.”

Why proceed with two different groups of work just before the cyber attack on Iran?

There may be different reasons, the most likely, such as:

• creators of Stuxnet removed Flame components to avoid that it could be discovered in the case of failure to Iranian nuclear program.
• the teams of work are working for different states that have joined the effort to speed-up the creation process of a cyber weapon. Let’s remind that many security experts have alerted the international community regarding the risk that Iran could create its nuclear arsenal within a couple of years, making the time factor determinant.

Let’s conclude with a reflection on Flame … many experts told in the last week that it isn’t a cyber weapon due its espionage prerogative, but we must consider the modular capabilities of the malware and its possibility to load module specifically developed to attack critical infrastructures.

To emphasize the concept is the same researcher Schouwenberg that said he suspected Flame may be capable of deleting data and attacking industrial control systems, of course there aren’t evidences since now but it is a feasible scenario.

Anyway. Flame is technological project yet to discover, Kaspersky Lab researchers are still working on it to complete understand its functionalities.

Pierluigi Paganini

[adrotate banner=”9″]

References

http://www.securelist.com/en/blog?weblogid=208193568