The Eternal Flame is something you'll probably recognize as the ever-burning fire of ancient Greece, but in fact it has deeper roots in the Middle East. The first records of such a custom are, interestingly enough, set in ancient Iran and Israel.
The security industry's skies are now alight with Flame, the latest discovery in the chain of super-grade cyber weapons targeting Iran.
Reported by Kaspersky, Flame is a high-yield reconnaissance tool that targets Internet-connected PCs in Iran and elsewhere, doubling as an intelligence-collection mechanism that uses multiple channels and as a tool for penetrating corporate networks. After Stuxnet, which was really off the scale as advanced threats go thanks to its unique ability to disrupt air-gapped industrial control networks, no one should have any illusions as to the extent of the cyber espionage campaign led by western cyber-powers against the Iranian regime.
Flame was developed a few years back and was successfully deployed in the field. I bet the life span originally projected for Flame was a few months, and the original set of targets was no more than a few dozen carefully selected critical infrastructure resources; but it just worked. It roamed the sensitive networks unhindered and undetected, and its operators must have felt a bit like the NASA scientists who launched the 2003 Mars Rovers. Designed for a 90-day scientific mission in the harsh environment of the red planet, these two tiny envoys of humanity kept going and going, and one of them, Opportunity, is still surveying our heavenly neighbor after all these years. Flame must have been the same: an extremely targeted mission that developed into an ongoing campaign simply because it
Compared to Stuxnet, Flame is far more similar to the type of cyber attacks attributed by US officials to China, although here the focus is covert intelligence gathering, while many APTs are part of a mass-scale industrial espionage campaign designed to gain economic advantage. It hits computers connected to the Internet, which means it was never designed to attack military targets, as they often use segregated networks. To attack a military network you need something more, often a USB infection like the one in Stuxnet or the worm that attacked the Pentagon in 2008 and required a 14-month clean-up operation.
How Flame got into its target victims is still unclear, but the likely method is either spear phishing pinpointing specific employees or a drive-by download from a hijacked popular site frequented by the target population. There are hundreds of examples of spear phishing used in an APT; an example of the second method is the highly targeted attack against the website of the Israeli Institute for National Security Studies, which penetrated deep and caused visitors to be infected with the Poison Ivy remote administration tool. The INSS is a prominent Israeli think tank in the field of national security, headed by a retired general who until recently was Israel's Director of Intelligence. Its publications are read by thousands of people from the intelligence, military and government communities, mostly in Israel, the US and other western nations. Having their PCs remotely controlled by the attacker is a bad idea for all those concerned.
Let's remember that cyber reconnaissance efforts like Flame are a natural extension of good old human-based intelligence networks and, in a way, of the clandestine behind-enemy-lines field work that sets up the infrastructure for signals intelligence operations. It's the digital equivalent of a state-sponsored covert reconnaissance operation. Unlike a physical operation conducted by spies or paramilitary troops, where people might actually get caught, here it's a far cleaner operation with fewer traces leading back to the origin and more ways to camouflage the exact identity of the attacker.
There's one other thing you can bet on: there are other, far more advanced cyber espionage campaigns deployed in the field, and more than one actor is staging them against the Iranians. Flame is visible now, but the rest of the virtual iceberg is well hidden.