First published: 30th May 2012
W32/Flame, also known as SkyWiper, is the current cyber-weapon du jour, joining Stuxnet and DuQu as evidence of state-sponsored cyber attacks. It is known to be highly complex, capable of gathering information (including via the infected computer's microphone), and has probably been spreading undetected for at least a couple of years. The Laboratory of Cryptography and System Security (CrySyS), Budapest University, notes that one of its filenames, WAVESUP3.DRV, was first seen in Europe on 5th December 2007 by the Webroot community, so it might be as much as five years old.
The pattern of infections is similar to Stuxnet and DuQu, mostly in the Middle East, with Iran and Israel at the top according to Kaspersky Lab, but with the odd addition of Hungary according to ICSAlabs. The Iran National CERT (MAHER) first announced its investigation of Flame on 28th May 2012 and provided a list of its known capabilities. Interestingly, these include physical (via removable media) and local network distribution methods, but not internet distribution, suggesting that, like Stuxnet, it is intended to be introduced to an "interesting" target site via rogue devices and then spread within the site for maximum effect. It is certainly not network-incapable: other modules include network sniffing, and uploading of gathered information to command and control servers on the internet over encrypted channels (SSH and HTTPS). It also detects many anti-virus applications and reduces its activity accordingly, to avoid being flagged as suspicious.
In a blog post on Flame, Mikko Hyppönen of F-Secure admits, "Stuxnet, Duqu and Flame are all examples of cases where we — the antivirus industry — have failed. All of these cases were spreading undetected for extended periods of time."
It appears that we have quietly moved into a period of cyber cold war, in which nation states secretly develop and deploy sophisticated attacks on each other's information systems. As in the USA/USSR Cold War, the battles are normally fought in secret and with complete deniability. Even when an attack is discovered, possibly years after it was deployed, we can only guess at the target and the attacker. Stuxnet is an example of cyber sabotage and Flame an example of cyber espionage, but these are not the only examples. In the same blog post, Hyppönen notes, "Chinese actors prefer attacks targeted via spoofed e-mails with booby-trapped documents attached. Western actors ... instead use USB sticks or targeted break-ins to gain access". Hardware attacks are also possible: Bruce Schneier discusses in his blog a hardware backdoor found in a US-designed, Chinese-manufactured chip, but who put it there, how and what it was used for, or whether it was used at all, is unknown. Deniability is complete.