Stuxnet and Flame share code, development teams

The recently discovered Flame cyber-espionage malware has a direct connection to the Stuxnet malware used to attack programmable logic controllers at Iranian nuclear facilities two years ago, according to Kaspersky Lab, which says Flame and Stuxnet share some technical code that reveals a common development effort of some sort.

The early version of Stuxnet has a Flame module, said Roel Schouwenberg, senior researcher at Kaspersky Lab, who joined with colleague Vitaly Kamluk to share Kaspersky's latest findings today about what the security firm says reveals a direct relationship between those who developed the cyber-weapon Stuxnet and those who developed the Windows-based cyber-espionage tool Flame. He called them "two parallel operations" that were coordinated in some form.

BACKGROUND: Iran's discovery of malware turning into political hot potato

In recent revelations now rocking the political world, The New York Times reported that President Barack Obama ordered use of the Stuxnet cyber-weapon to attack Iran, charges the White House hasn't refuted. This has triggered a special investigation to find out where in the administration a leak about Stuxnet occurred.

Now, with Kaspersky's assertion that Stuxnet and the more recently discovered Flame -- which Iran's computer emergency response team said in May it had found infecting its oil-ministry computers -- are connected, the stakes may be raised even further in the political world.

In a briefing today, Kaspersky researchers emphatically said they stand by the assertion that the early version of Stuxnet, Stuxnet.A, contains a "Flame module" (which they refer to as "Resource 207"). That module served as a transport mechanism: it handled USB spreading, abused the Windows autorun function, and exploited a privilege-escalation vulnerability that Microsoft has since patched. Kaspersky was commissioned to analyze Flame by the International Telecommunication Union, a United Nations agency. The ITU has issued an alert to the world's countries about Flame, calling it dangerous.

Kaspersky Lab now thinks the Flame malware predated the Stuxnet platform, and that source code from Flame was shared with the developers of Stuxnet, and that both may be coordinated through the same entity.

Schouwenberg said it's important for the future of the cybersecurity community that the world understand the nature of these cyber-weapons.

Stuxnet two years ago was targeting Iranian infrastructure to slow down the programmable logic controllers at facilities where the U.S. believes Iran is trying to develop a nuclear weapon. But as The New York Times noted in its article, Stuxnet began to run wild in cyberspace, apparently not under control of its creators, which The New York Times says is the U.S. and Israel working in a cyber-weapon co-development project.

If Stuxnet hadn't been able to do certain "safety checks, it could have caused a power outage in the U.S.," Schouwenberg asserted.

Kaspersky Lab's assertion that Stuxnet and Flame share some common source code, and that this indicates cooperation between development teams, may be greeted with some skepticism.

Kaspersky's claim of a definite connection between Stuxnet and Flame simply because some common source code was found "is a bit of a stretch," said Chris Bronk, professor and fellow in information technology at Rice University, who is attending a cybersecurity conference in Orlando this week. He said other anti-malware vendors will eventually weigh in with their own analysis, and more needs to be heard.

But he acknowledged that if it turns out to be true, as The New York Times asserts and the White House has so far not denied, that the U.S. has put malware code developed for covert action out in the wild, then the U.S. ends up educating the public in general on how to do this.

Covert action against U.S. adversaries such as Iran using modern-day cyber-weapons can be debated as appropriate or not. In cyber-espionage, "the outcomes may be preferable to wars," Bronk said, the kind of wars where kinetic weapons such as bombs are used to blow things up physically.

But as information about what the U.S. may have done in this area of cyber-weapons becomes more known, the result is that it puts the U.S. in an awkward position in "trying to stand as a pillar for secure cyberspace," another stance the U.S. government tries to take, Bronk pointed out.

In an editorial in The New York Times, Mikko Hypponen, researcher at F-Secure, expressed disappointment about the turn of affairs that seems to show the U.S., with Israel, engaging in covert cyberattacks against infrastructure of another country. He wrote that American officials have opened a Pandora's box, and they will likely regret the decision.

"The downside for owning up to cyberattacks is that other governments can now feel free to do the same," Hypponen wrote. "And the U.S. has the most to lose from attacks like these." He wonders whether anything can now hold what could be an escalating and dangerous game.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
