Flame: The Most Sophisticated Cyber Espionage Tool Ever Made

Aaron Gershwin
HackerNoon.com
4 min readJun 26, 2019

--

In April 2012 Iranian officials started disconnecting their oil terminals from the internet. It was not the first time they had to isolate their machinery. In 2010 Stuxnet malware was uncovered, which brought chaos to their nuclear plants, and disabled and degraded about one thousand uranium enrichment centrifuges. Stuxnet was rightly dubbed the most complex piece of code ever written.

https://www.howtoremoveit.info/remove-flame-malware/ img: flame%20pic.jpg

But this time they uncovered something entirely different. Flame malware is said to have infected more than a thousand machines in the Middle East, with a vast majority in Iran. Unlike Stuxnet, the intention was not to corrupt or destroy, but to gather information. Furthermore, the code itself was easily modifiable in real time, with controlled spreading capabilities, and over 80 Command and Control (C&C) servers.

Flame developers had no monetary gains in mind, at least not direct ones, and a reasonable guess would be to pin this to a nation-state operation. The appearance of such malware like Stuxnet, Duqu, and Flame detach cyber warfare from a movie screen and reveal the broad, and frightening, capabilities to use programming for warlike purposes. Let’s dive in to see what makes Flame unique and a severe threat to privacy and cyber security.

What is Flame?

Flame is an extremely sophisticated attack tool kit. Its functions exceed the boundaries of viruses, worms, or Trojans. However, it exhibits worm-like behavior when it comes to replication and infection of a local network; Trojan behavior because it opens a backdoor to an infected system, enabling remote access and control; and Spyware in its primary goal to collect information.

https://infiniteunknown.net/2012/06/14/flame-steals-data-even-when-computers-are-not-connected-to-the-internet/ img: Install-Flame.jpg

Unlike most of the malware out there, Flame is extraordinarily big, reaching up to 20MB in size. Most malware developers strife to be undetected for as long as possible, thus creating small, undetectable software. This was not the case with Flame. Even though it remained undetected for at least a few years, it was developed with the capacity to add additional functions per unique situation. Furthermore, LUA programming language, which is frequently used in game development, was also deployed to code high order logic functions.

The ultimate Telos of Flame

To narrow it down, Flame is Spyware. Its ultimate goal is to gather private information. Let’s go point by point what Flame can do:

  • Flame can exploit internal device microphone and record conversations, as well as nearby noises;
  • Flame has a key logger function, monitoring users activities by logging keyboard clicks;
  • Can turn the infected device into a Bluetooth beacon, which will scan other Bluetooth devices nearby stealing private information, including phone numbers from contact folders;
  • Exploit device camera, taking screenshots of users activities, including email and instant messaging communications. An interesting fact is that it will take screenshots every fifteen seconds if it notices a particular communication application is used, and switch to 60-second cycles if not;
  • There’s also a sniffer component, which will monitor local networks activity and gather usernames and password hashes;
  • All information can be sent to C&C servers in an encrypted and compressed form since it has several encryption and compression methods;
https://www.wired.com/2012/05/flame/ img: Flame-Infection-Methods.jpg
  • Can be updated remotely. Furthermore, different modules can be installed on request, making this software modifiable depending on the configuration of the machine it infects, highly unusual behavior for malware;
  • Can replicate itself and delete itself and all gathered information on Kill command. Moreover, the spread of malware can be limited and controlled, while most malware spread rapidly without boundaries.

Some more features are in there, but these are the main components that allowed Flame to do its work. Plugin-like features that permitted installation of different modules on request is the reason behind the 20MB size.

Flames aftermath

First of all, There is a relevant political context to be taken into consideration when talking about Flame or Stuxnet. Both of these attacks targeted the Middle East, specifically Iran. There’s a widespread opinion that Equation group is behind it and that both campaigns were the joint effort of American and Israeli governments. However, I wouldn’t want to go into speculation, but the lack of monetary gain and clear political goals point there’s a nation-state behind it.

https://www.wired.com/2012/05/flame/ img: Flame-Infection-Map_Kaspersky.jpg

Second, Flame reveals the high level of sophistication when it comes to espionage. Having Google or Facebook scraping their user’s data is one thing, but specific targeting, stealth, penetration of sophisticated security systems, — this brings cyber espionage to a whole new level. Furthermore, Flame was able to exploit zero-day vulnerabilities of Microsoft systems, and pretend to be a regular Microsoft update, pointing to security flaws in the major worldwide operating system.

Third, Flame is not gone. Currently, Flame 2.0 is discussed because of considerable similarities to the original code. Furthermore, due to a high modification level, it might’ve been that the modules have been transformed in such a way, and stronger encryption has been applied, for it to be an original piece of code in different packaging. So far, Flame remains the most sophisticated cyber espionage tool ever made.

--

--

Aaron Gershwin
HackerNoon.com

Freelance cyber security copywriter with a decade of experience in IT