Stuxnet and Flame share code, development teams

The recently discovered Flame cyber-espionage malware has a direct connection to the Stuxnet malware used to attack programmable logic controllers at Iranian nuclear facilities two years ago, according to Kaspersky Lab, which says Flame and Stuxnet share some technical code that reveals a common development effort of some sort.

The early version of Stuxnet has a Flame module, said Roel Schouwenberg, senior researcher at Kaspersky Lab, who joined with colleague Vitaly Kamluk to share Kaspersky's latest findings today about what the security firm says reveals a direct relationship between those who developed the cyber-weapon Stuxnet and those who developed the Windows-based cyber-espionage tool Flame. He called them "two parallel operations" that were coordinated in some form.

BACKGROUND: Iran's discovery of malware turning into political hot potato

In recent revelations now rocking the political world, The New York Times reported that President Barack Obama ordered use of the Stuxnet cyber-weapon to attack Iran, charges the White House hasn't refuted. This has triggered a special investigation to find out where in the administration a leak about Stuxnet occurred.

Now, Kaspersky's assertions that Stuxnet and the more-recently discovered Flame -- which Iran's computer-response team in May claimed was found on computers infecting its oil-ministry computers -- are connected, the stakes may be raised even further in the political world.

In a briefing today, Kaspersky researchers emphatically said they stand by the assertion that the early version of Stuxnet, Stuxnet.A, has a "Flame module" (which they're referring to as "Resource 207"), which was used as a transport mechanism, specifically for USB spreading and an autorun function in Windows and a privilege-escalation vulnerability (which has since been patched by Microsoft). Kaspersky was commissioned by the United Nations' division the International Telecommunication Union to analyze Flame. The ITU has issued an alert to the world's countries about Flame, calling it dangerous.

Kaspersky Lab now thinks the Flame malware predated the Stuxnet platform, and that source code from Flame was shared with the developers of Stuxnet, and that both may be coordinated through the same entity.

Schouwenberg said it's important for the future of the cybersecurity community that the world understand the nature of these cyber-weapons.

Stuxnet two years ago was targeting Iranian infrastructure to slow down the programmable logic controllers at facilities where the U.S. believes Iran is trying to develop a nuclear weapon. But as The New York Times noted in its article, Stuxnet began to run wild in cyberspace, apparently not under control of its creators, which The New York Times says is the U.S. and Israel working in a cyber-weapon co-development project.

If Stuxnet hadn't been able to do certain "safety checks, it could have caused a power outage in the U.S.," Schouwenberg asserted.

Kaspersky Lab's assertion is that Stuxnet and Flame share some common source code and that this indicates cooperation between development teams may be greeted with some skepticism.

Kaspersky's assertions to say there's a definite connection between Stuxnet and Flame simply because some common source code was found "is a bit of a stretch," said Chris Bronk, professor and fellow in information technology at Rice University, who's attending a cybersecurity conference in Orlando this week. He said other anti-malware vendors will eventually weigh in with their analysis on this, and more needs to be heard.

But he acknowledged if it turns out to be true, as The New York Times asserts and the White House has so far not denied, that the U.S. has put malware code for use in covert action out in the wild, then you end up educating the public in general on how to do this, he pointed out.

Covert action against U.S. adversaries such as Iran using modern-day cyber-weapons can be debated as appropriate or not. In cyber-espionage, "the outcomes may be preferable to wars," Bronk said, the kind of wars where kinetic weapons such as bombs are used to blow things up physically.

But as information about what the U.S. may have done in this area of cyber-weapons becomes more known, the result is that it puts the U.S. in an awkward position in "trying to stand as a pillar for secure cyberspace," another stance the U.S. government tries to take, Bronk pointed out.

In an editorial in The New York Times, Mikko Hypponen, researcher at F-Secure, expressed disappointment about the turn of affairs that seems to show the U.S., with Israel, engaging in covert cyberattacks against infrastructure of another country. He wrote that American officials have opened a Pandora's box, and they will likely regret the decision.

"The downside for owning up to cyberattacks is that other governments can now feel free to do the same," Hypponen wrote. "And the U.S. has the most to lose from attacks like these." He wonders whether anything can now hold what could be an escalating and dangerous game.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World's Wide Area Network section.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

More videos

Blog Posts