The Flame virus: Implications versus speculation

News sources and social media sites are in a blaze (the one mandatory pun) over the new malware being identified as Flame.

Also known as Skywipe, Flame is the latest in a number of high-profile cyber attacks that have targeted Middle Eastern computers. First identified by Kaspersky Lab, Flame is being described as a nation-state-built cyber weapon with cyber espionage as its primary function.

There are well-founded debates over whether the malware should be called a cyber weapon, but the main focus of this article is what Flame means for the cyber space community, regardless of its classification.

According to Kaspersky, the malware has been active since at least March 2010. The Laboratory of Cryptography and System Security (CrySyS Lab) dates the malware to as early as December 2007. Flame is unique in its complex and holistic approach to collecting vast amounts of information from specific computer systems. Some key things to know about Flame:

  • Possibly linked to Stuxnet and Duqu, likely built by a different team from the same nation-state.
  • Modular, allowing it to be adapted and updated.
  • Has a command-and-control network of 50 to 80 domains registered in regions throughout the world.
  • Shares the MS10-061 print spooler vulnerability exploit with Stuxnet.
  • Removable storage or phishing emails are likely the injection method of the attack.
  • Captures and exports audio communication, screenshots and keystrokes from infected systems.
  • Implements stealthier code injection and anti-virus avoidance techniques than Duqu.
  • More than 600 specific targets infected -- with the majority in Palestine/Iran.

As analysis is done on Flame, it will undoubtedly become more apparent whether it is linked to Stuxnet/Duqu.

However, some similarities already stand out. The use of the MS10-061 exploit and stealthier injection techniques show that Flame's team used lessons learned from Stuxnet/Duqu.

This is a good example of how the cyber space domain differs from other war-fighting domains. Once a cyber capability is launched, it is immediately open to anyone else to use, modify and build upon through lessons learned. This is one implication of cyber attacks, such as Flame and Stuxnet, that has yet to be fully understood. Figuring out the true second and third orders of effect of a cyber attack is incredibly challenging, but an important task.

The reports of attribution have already begun with one site claiming that a senior Israeli source confirmed the Jewish state's involvement in the use of Flame. Despite the apparent bias of the website, the claim of attribution from a senior Israeli source will have real-world implications. Attribution is incredibly hard to apply in the cyber space domain, and even the most appealing pieces of evidence can be purposely misleading.

Anti-forensic techniques, as well as planted evidence, can cause a cyber attack to take on the appearance of whatever the attackers want. Moreover, there are a variety of reasons a source, individual or national, would want to claim attribution for such a large cyber attack. Regardless of the truth of any claims or evidence, though, the perception of attribution applied to a nation-state cyber attack can put tension on nation-state relationships, have an effect on cyber deterrence, and cause real-world socio-political issues.

One of the most interesting points of Flame, though, is not its similarity to other pieces of malware and speculative attribution, but the amount of data it was able to steal. A large amount of information gathered means a large amount of information that must be processed to be used properly. This processing requires specifically trained personnel in order to capitalize on the captured intelligence.

The Stuxnet and Duqu teams could have been relatively small, keeping the fewest number of people possible “in the know.” Comparatively, the Flame team would be much larger with more people privy to at least some aspects of the operation. This means that regardless of which nation-state launched Flame, it is willing to accept larger risks for the opportunities and intelligence Flame has generated.

As the analysis on Flame continues, it is important to note the competence and dedication of various security researchers and companies.

The cyber community across the globe as a whole is a motivated and generally educated group. Actual implications of a cyber attack and employment of advanced malware are varied, and many will remain forever unknown. However, understanding key aspects and implications allows the cyber community to avoid weak speculation that detracts from forming well-based analysis and decisions. This better understanding allows the focus of the community to instead be placed on lessons learned and to move forward appropriately.


Robert Lee is a U.S. Air Force cyberspace officer currently stationed in Germany under the Air Force Intelligence Surveillance and Reconnaissance Agency.

Editor's note: This paper and Lee's views do not represent the Air Force, Department of Defense, or any agency within the U.S. government. The opinions held in this paper are his alone, and this paper was written outside of a military capacity.

Robert M. Lee

Robert M. Lee is the CEO and co-founder of the ICS cybersecurity technology and services firm Dragos. He gained his start in the U.S. Air Force as a Cyber Warfare Operations Officer, spending most of his career at the National Security Agency, where he built and led a first-of-its-kind mission hunting and analyzing state actors targeting ICS. He is also a Senior Instructor at the SANS Institute, where he authored the Forensics 578 course on Cyber Threat Intelligence and the ICS 515 course on ICS network monitoring and incident response. He may be found on Twitter @RobertMLee.