A sample of the decompiled Flame source code
In a feature published by EI last week I wrote about the state-backed computer worm Flame, which has been used to spy on Iran, Palestinians and other targets throughout the Middle East.
It has emerged that Flame might also have been used for more destructive attacks, not just spying.
Flame’s architecture is modular in nature, allowing its functionality to be extended when its operators deem it necessary. Unusually for malware authors, who tend to aim at very small codebases, Flame carries its own interpreter for running Lua scripts (the same computer language used to create the game Angry Birds).
Theoretically, this means Flame could also be used for even more damaging tasks than spying. It would be a simple task to use the interpreter to run delivered scripts that target computers with instructions to wipe the entire hard drive, for example.
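One practical consequence of the design described above, that an embedded script interpreter lets operators push new behaviour to an infected machine without shipping a new binary, is that defenders can triage unknown executables by looking for the interpreter itself. The following is an added example, not code from the article or from any analysis of Flame, that scans a file's raw bytes for well-known Lua runtime strings (names of real functions in the Lua C API such as lua_pcall and luaL_newstate, plus the "Lua 5.1" release string) and for script text that looks like Lua function definitions. The sample inputs are constructed byte blobs, not real malware, and the marker list and scoring threshold are this example's own assumptions.

```python
import re
from typing import Dict, List

# Strings that a statically linked Lua interpreter typically leaves in a binary.
# lua_pcall / luaL_newstate / luaL_loadbuffer are real Lua C API names; the
# release string is emitted by the Lua 5.1 runtime. Choosing these four as the
# marker set is an assumption of this example, not a published signature.
LUA_RUNTIME_MARKERS: List[bytes] = [
    b"lua_pcall",
    b"luaL_newstate",
    b"luaL_loadbuffer",
    b"Lua 5.1",
]

# Loose pattern for a Lua function header such as "function on_task(x)".
LUA_FUNCTION_RE = re.compile(rb"function\s+[A-Za-z_]\w*\s*\([^)]*\)")

# Minimum number of distinct runtime markers before we flag the file (assumed).
MARKER_THRESHOLD = 2


def find_interpreter_markers(data: bytes) -> List[str]:
    """Return the sorted list of Lua runtime markers present in the byte blob."""
    found = [m for m in LUA_RUNTIME_MARKERS if m in data]
    return sorted(m.decode("ascii") for m in found)


def find_script_fragments(data: bytes) -> List[str]:
    """Return any Lua-looking function headers found in the raw bytes."""
    return [m.decode("ascii", errors="replace") for m in LUA_FUNCTION_RE.findall(data)]


def assess(data: bytes) -> Dict[str, object]:
    """Triage a file: does it appear to carry its own script interpreter?"""
    markers = find_interpreter_markers(data)
    fragments = find_script_fragments(data)
    if len(markers) >= MARKER_THRESHOLD:
        verdict = "embedded script interpreter: review for remotely delivered logic"
    else:
        verdict = "no interpreter markers found"
    return {"markers": markers, "script_fragments": fragments, "verdict": verdict}


# Constructed sample blobs (fake PE header followed by a few strings); these are
# not real samples of Flame or any other malware.
SAMPLE_WITH_LUA = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"lua_pcall\x00luaL_newstate\x00luaL_loadbuffer\x00Lua 5.1\x00"
    + b"function on_task(x) return x end\x00"
)
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 16 + b"kernel32.dll\x00GetProcAddress\x00"


if __name__ == "__main__":
    for name, blob in (("with_lua", SAMPLE_WITH_LUA), ("clean", SAMPLE_CLEAN)):
        print(name, assess(blob))
```

Because legitimate software also embeds Lua (games are the obvious case), a hit is a triage signal, not a verdict on its own: the follow-up is to check whether the interpreter can be fed scripts from the network and whether any embedded script text matches the program's documented purpose.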
In April, computers in the Iranian oil ministry had sensitive data wiped off them by unknown attackers. It was in the course of investigating such attacks that Kaspersky discovered Flame, after being approached by the UN telecommunications agency.
Blogger’s source claims Flame used to spy on Israeli war minister
Richard Silverstein (quoted in my feature) told me that, in addition to Palestinians in the West Bank, Flame has even been used by Israel to spy on its own citizens. His insider Israeli source claims the Shabak, Israel’s secret police service, used Flame to spy on war minister Ehud Barak’s chief of staff.
According to Silverstein, this was part of an internecine feud between Barak and former Israeli military chief Gabi Ashkenazi (“Barak acknowledges Israeli cyberwarfare capability for the first time, Shin Bet “flamed” Israeli defense official’s computer,” 7 June 2012).
If the Shabak was willing to use Flame to spy on one of its own government ministers, it seems likely they would also use it to spy on Palestinian activists and Israeli dissidents.
The scale of Flame in context
Finally, a little context on the highly targeted nature of Flame, which is thought to have infected “thousands” of computers (although we can’t really know for sure, because it was able to uninstall itself and cover its tracks).
In April this year, the “Flashfake” trojan infected over half a million Mac OS X computers, Kaspersky reported. In 2001, the Code Red worm infected around 350,000 computers, and in 2000 the Love Bug spread to around 50 million people unfortunate enough to open an email with the subject line “ILOVEYOU.”
Flame, meanwhile, does not travel over the Internet unless instructed to do so. This feature may reflect a lesson learned from Stuxnet, which was not meant to spread beyond Iran’s nuclear facility, but got out of control and escaped.