Flame: Attackers 'sought confidential Iran data'

By Dave Lee
Technology reporter, BBC News

[Image: screenshot of Flame. Caption: The characteristics of Flame have seen it compared to past Stuxnet and Duqu]

The attackers behind the massive Flame malware were seeking to obtain technical drawings from Iran, researchers have said.

Analysis by Kaspersky Lab suggested that the vast majority of targets were within the country.

The malware network, which was revealed last week, has since stopped operating.

It was also revealed that the attackers used a number of complex fake identities in order to carry out their plans.

The names, complete with fake addresses and billing information, were used to register more than 80 domain names used to distribute the malware.

The identities had been registering the domains since 2008 - a sign that Flame had been collecting data for several years.

Kaspersky Lab was able to compile statistics on the infection's spread by using a method known as "sinkholing".

"Sinkholing is a procedure when we discover a malicious server - whether it is an IP address or domain name - which we can take over with the help of the authorities or the [domain] registrar," explained Vitaly Kamluk, a senior researcher at Kaspersky.

"We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them."

By using this method, they found the majority of infected targets were in Iran, with other high counts found in both Israel and Palestine.

The attackers had a "high interest in AutoCad drawings, in addition to PDF and text files", the researchers said.

'Intelligence gathering'

AutoCad is a popular design software package used by engineers and architects.

"They were looking for the designs of mechanical and electrical equipment," said Prof Alan Woodward, a computing specialist from the University of Surrey.

"This could be either to find out how far advanced some particular project was/is, or to steal some design(s) to sell on the black market.

"However, Iran isn't likely to have any intellectual property not available elsewhere. So, this suggests more a case of intelligence-gathering than onward selling on the black market."

Further instances of infected machines were detected in the US, as well as in the UK and other parts of Europe.

However, the researchers pointed out this did not necessarily mean these countries were targets, as use of proxy servers can distort location data.

The source of the attacks is still unknown, but early analysis showed the malware's command and control centres (C&C) were hosted in a variety of locations.

The C&C centres were used to control the spread and operation of the attack, as well as to collect the stolen data.

Flame's C&C centres moved regularly, with operations being hosted in Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, Switzerland and the UK.

Stuxnet similarities

The characteristics of Flame have seen it compared to past high-profile cyber-espionage attacks, most notably Stuxnet and Duqu.

Stuxnet specifically targeted nuclear centrifuges in Iran, reports said.

A recent New York Times article said US President Barack Obama was responsible for directing the attack's operations.

Kaspersky's Mr Kamluk acknowledged the similarities between Stuxnet and Flame.

"The geographical spread is very similar," he said. "It might be different attackers - however, the interests are all the same here."

Microsoft has issued a security advisory and update to fix a vulnerability in Windows which allowed Flame to masquerade as a Microsoft-written piece of software.