21 September 2017
Uri Rivner

The Joy of Fraud Fighting

Uri Rivner - BioCatch

Innovation in Financial Services

Eternal Flame: A super-grade cyber weapon

30 May 2012

The Eternal Flame is something you’ll probably recognize as the ever burning fire in ancient Greece; but in fact it has deeper roots in the Middle East. The first records of such custom are, interestingly enough, set in ancient Iran and Israel.

The security industry’s skies are now alight with Flame, the latest discovery in the chain of super-grade cyber weapons targeting Iran. Reported by Kaspersky, Flame is a high-yield reconnaissance tool that targets Internet-connected PCs in Iran and other targets, doubling as an intelligence collection mechanism using multiple channels and a penetration tool into corporate networks.

After Stuxnet, which was really off the scale when it comes to advanced threats due to its unique ability to disrupt air-gapped industrial control networks, no one should have any illusions as to the extent of the cyber espionage campaign led by western cyber-powers against the Iranian regime.

Flame was developed a few years back, and was successfully deployed in the field. I bet the original life span projected for Flame was probably a few months, and the original set of targets was no more than a few dozen carefully selected critical infrastructure resources; but it just worked. It roamed the sensitive networks unhindered and undetected, and its operators must have felt a bit like the NASA scientists that launched the 2003 Mars Rovers. Designed for a 90-day scientific mission in the harsh environment of the red planet, these two tiny envoys of humanity kept going and going, and one of them – Opportunity – is still surveying our heavenly neighbor after all these years.  Flame must have been the same: an extremely targeted mission that developed into an ongoing campaign simply because it worked.

Compared to Stuxnet, Flame is far more similar to the type of cyber attacks attributed by US officials to China, although here it’s focused on covert intelligence gathering, while many APTs are part of a mass-scale industrial espionage campaign designed to gain economic advantage. It hits computers connected to the Internet – which means it was never designed to attack military targets, as they often use segregated networks. To attack a military network you need something more – often a USB infection, as in Stuxnet or the worm that attacked the Pentagon in 2008 and required a 14-month clean-up operation.

How Flame got into its target victims is still unclear, but the likely method is spear phishing pinpointing specific employees or a drive-by-download hijack of a popular site frequented by the target population.

There are hundreds of examples of the use of spear phishing in an APT; an example of the second method is the highly targeted attack against the website of the Israeli Institute for National Security Studies, which penetrated deep and caused visitors to be infected with the Poison Ivy remote administration tool. The INSS is a prominent Israeli think tank in the field of national security, headed by a retired general who until recently was Israel's Director of Intelligence. Its publications are read by thousands of people from the intelligence, military and government communities, mostly in Israel, the US and other western nations. Having their PCs remotely controlled by the attacker is a bad idea for all those concerned.

Let's remember that cyber reconnaissance efforts like Flame are a natural extension of good old human-based intelligence networks and, in a way, of the clandestine behind-enemy-lines field work that sets up the infrastructure for signals intelligence operations. It’s the digital equivalent of a state-sponsored covert reconnaissance operation. Unlike a physical operation conducted by spies or paramilitary troops, where people might actually get caught, here it’s a far cleaner operation with fewer traces leading to the origin and more ways to camouflage the exact identity of the attacker.

There’s one other thing you can bet on: there are other, far more advanced cyber espionage campaigns set in the field, and more than one actor is staging them against the Iranians. Flame is visible now, but the rest of the virtual iceberg is well hidden.

[Image caption: This 2003 Rover is still roaming Mars after all these years!]
