Kaspersky Lab: Flame cyber-espionage campaign dates back to 2006

Kaspersky Lab and its partners have found traces of at least three Flame-related malicious programs, one of which is operating in the wild.
Written by Rachel King, Contributor

Kaspersky Lab has published an update on its investigation of the Flame cyber-espionage campaign, which the security experts discovered in May.

Conducted in partnership with IMPACT, CERT-Bund/BSI and Symantec, the investigation found traces of three previously undiscovered malicious programs.

Specifically, Symantec has highlighted forensic analysis of two of the command-and-control servers behind the W32.Flamer attacks that targeted the Middle East earlier this year.

After analyzing the C&C servers, here are the main findings:

  • The servers were set up on March 25, 2012, and May 18, 2012, respectively.
  • The servers controlled at least a few hundred compromised computers over the next few weeks of their existence.
  • The server set up in March collected almost 6 GB of data from compromised computers in a little over a week, while the May server received only 75 MB of data, as it was used to distribute one command module to the compromised computers.

As for the three Flame-related programs, at least one of them is said to be currently operating in the wild, but there isn't any evidence that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.

Further details about how the command-and-control technique took place with these servers are explained on Symantec's blog. Essentially, the attackers used a web application that enabled them to upload packages of code, deliver them to compromised computers, and then download packages containing stolen client data.

But going back further, researchers believe that this malware has been under development by a group of at least four developers since at least December 2006.

Additionally, researchers believe these servers have probably been used for more attacks than just the ones in this report, and the hackers used multiple encryption techniques while trying to securely wipe data from the servers on a periodic basis.

Thus, researchers argue that the group behind the W32.Flamer attacks is quite sophisticated. Therefore, the malware and C&C servers must be "tied to well funded group" that has a lot of resources at its disposal.
