The Eternal Flame is something you’ll probably recognize as the ever-burning fire of ancient Greece; but in fact it has deeper roots in the Middle East. The first records of such a custom are, interestingly enough, set in ancient Iran and Israel.
The security industry’s skies are now alight with Flame, the latest discovery in the chain of super-grade cyber weapons that many analysts think are targeting Iran. Reported by Kaspersky, Flame is a high-yield reconnaissance tool aimed at Internet-connected PCs in Iran and at other targets; it doubles as an intelligence collection mechanism that uses multiple channels, and as a penetration tool into corporate networks.
After Stuxnet, which was really off the scale when it comes to advanced threats because of its unique ability to disrupt air-gapped industrial control networks, no one should have any illusions as to the extent of cyber espionage.
Flame was developed a few years back, and was successfully deployed in the field. I bet the original lifespan projected for Flame was probably a few months, and the original set of targets was no more than a few dozen carefully selected critical infrastructure resources; but it just worked. It roamed the sensitive networks unhindered and undetected, and its operators must have felt a bit like the NASA scientists who launched the 2003 Mars Rovers. Designed for a 90-day scientific mission in the harsh environment of the red planet, these two tiny envoys of humanity kept going and going, and one of them – Opportunity – is still surveying our heavenly neighbor after all these years. Flame is most likely the same: an extremely targeted mission that developed into an ongoing campaign simply because it worked.
Compared to Stuxnet, Flame is far more similar to the type of cyber attacks that US officials attribute to China, although Flame is focused on covert intelligence gathering, while many APTs are part of a mass-scale industrial espionage campaign designed to gain economic advantage. It hits computers connected to the Internet – which means it was never designed to attack military targets, since those often sit on segregated networks. To attack a military network you need something more – often a USB infection, as in Stuxnet or the worm that attacked the Pentagon in 2008 and required a 14-month cleanup operation.
How Flame reached its victims is still unclear, but the likely method is either spear phishing that pinpoints specific employees, or a drive-by download served from a hijacked popular site frequented by the target population.
There are hundreds of examples of spear phishing being used in an APT; an example of the second method is the highly targeted attack against the website of the Israeli Institute for National Security Studies, which penetrated deep and caused visitors to be infected with the Poison Ivy remote administration tool. The INSS is a prominent Israeli think tank in the field of national security, headed by a retired general who until recently was Israel’s Director of Intelligence. Its publications are read by thousands of people from the intelligence, military and government communities, mostly in Israel, the US and other western nations. Having their PCs remotely controlled by the attacker is a bad idea for all concerned.
Let’s remember that cyber reconnaissance efforts like Flame are a natural extension of good old human-based intelligence networks and, in a way, of the clandestine behind-enemy-lines field work that lays the infrastructure for signals intelligence operations. It’s the digital equivalent of a state-sponsored covert reconnaissance operation. Unlike a physical operation conducted by spies or paramilitary troops, where people might actually get caught, here it’s a far cleaner operation, with fewer traces leading back to the origin and more ways to camouflage the exact identity of the attacker.
There’s one other thing you can bet on: it’s entirely likely that other, far more advanced cyber espionage campaigns are already deployed in the field, and that more than one actor is staging them. Flame is visible now, but the rest of the virtual iceberg is well hidden.