The blogosphere and the nontech media are all abuzz about Flame, the newly exposed malware that is apparently wreaking havoc with Iranian computers. Its also creating problems elsewhere in the Middle East, but apparently hasnt spread significantly beyond there.
But is Flame really a new threat, or is it simply a newly discovered threat? Or maybe its been around for a while and only seems new to people who havent been paying attention.
What is known about Flame (or Flamer or Skywiper) is that its come to the attention of the International Telecommunications Unions cyber-security people. The ITUs people put out a report saying its a dangerous piece of malware. Whats also known is that Flame apparently doesnt really do any damage to the systems it infects, but rather collects information and sends it to a series of servers around the world and that those servers send it along to somewhere else.
We also know one other thing: cyber-security experts dont agree on whether its a threat, whether it is still operating or whether the whole thing is overblown. Kaspersky Lab, which has close ties to the ITU, is calling Flame the most sophisticated cyber-weapon yet released.
Kaspersky Lab has described Flame is a backdoor Trojan with worm-like features that allow it to propagate on local networks and removable media. It is reportedly capable of taking screenshots, recording audio conversations and intercepting network traffic. On the other hand, security expert Jeffrey Carr thinks the whole thing is overblown. Carr is CEO of cyber-security firm Taia Global.
Carr, in fact, suggests that the most likely source for malware such as Flame is a group of mercenary hacker crews who make a business of stealing anything they can and reselling it to the highest bidder. But is Carr right? Is Kaspersky right? We really dont know if anyone is right, but I suspect theyre all wrong, at least at some level.
One thing we do know is that Flame is sophisticated. It can morph into many forms, rendering many signature-based antivirus packages less effective than they might be. We also know that Flame is extremely complexits apparently written in C++, has a number of modules, propagates through a variety of media and can perform a variety of functions. In other words, its the perfect spyware.
There are also suggestions that Flame has actually been around for more than five years, which if true, means that its been operating without many people knowing it even existsfor a very long time in malware terms. Its also not very widespread. The country with the most infections reported is Iran, and even there, the number of infections noted in Carrs article is fewer than 200. Thats not exactly a global nightmareat least not yet.
Flame Looks Well-Suited for State-Sponsored Espionage
Working with the assumption that Flame is really intended for cyber-espionage, which is what appears to be the case, then how worried should we be? The answer is, not very worried. Flame does not appear to have spread beyond the Middle East, and it doesnt do any actual damage. The infection is easily found if you know what to look for, and Iranian authorities reported that they have created a tool for removing it in the few days since they found out about it.
The reality of Flame is that unless youre in one of the affected countries, this isnt much of a threat and certainly doesnt deserve all the hype surrounding it. However, it does show that someone, somewhere, has developed an effective cyber-espionage system and that they have the infrastructure to use it. In other words, worrying specifically about Flame is counter-productive. You should worry about what whoever created Flame is doing now totally undetected.
And, of course, that brings us back to the question of Flames origin. If Flame was created, as many have suggested, by a national cyber-espionage team of some sort, then the people who should worry are the people on that nations list of enemies. Since the target appears to be Iran in this case, then Iran needs to worry about being attacked by some country that doesnt like them, which is basically everybody.
But that also means that only places that have some commerce with Iran also need to worry about being infected; this might explain why only Middle Eastern countries seem to have been affected. However, that does bring up the question of why so many computers in Israel were affected, unless Israel is somehow connecting with Irans computers in some way.
But suppose the origin of Flame is really some sort of criminal syndicate? Despite Carrs suggestions, Im not sure that makes sense. Unless the hypothetical criminal syndicate thought Iran might have information worth stealing (nuclear secrets?) and had a ready buyer (the United States?), its hard to see why theyd bother. But its easy to see why other countries would bother.
After all, the United Nations has been trying to penetrate Irans nuclear secrets for years. Just because the ITU is an agency thats part of the UN doesnt mean that body wasnt involved. But so could any number of other governmental entities, including the United States. Could the United States possibly be sponsoring a cyber-espionage effort aimed at Iran? I dont know, but if I were the Director of National Intelligence, Id do it in a heartbeat.