The Most Sophisticated Cyberweapon Yet?

By Chris Wood, Senior Analyst

"It pretty much redefines the notion of cyberwar and cyberespionage."

That's a quote from experts at the Russia-based antivirus firm Kaspersky Lab regarding malware they recently discovered while investigating, at the request of the UN's International Telecommunication Union, what was deleting sensitive information from computers across the Middle East. While searching for that code, nicknamed Wiper, the group discovered a new and more insidious piece of malware, which it detects as Worm.Win32.Flame.

More on that new malware, simply dubbed "Flame," in a moment. First, some background on the state of cyberwar today. For starters it's important to recognize that although no cyberwar has ever been declared, cyberwarfare is now a part of life. The war is pervasive and we are all vulnerable to attack.

It's impossible to say who fired the first "shot" in this war, but the US government has certainly stepped up the fight. The New York Times recently came out with a report detailing how President Obama accelerated cyberattacks (begun during the Bush administration) on the computer systems that run Iran's nuclear enrichment facilities. The worm that the US (in conjunction with Israel) created to carry out the attacks accidentally became public in the summer of 2010; a programming error allowed it to escape its target in Iran, and it was discovered by computer security experts. They named it Stuxnet.

The cat was out of the bag. But it was still just speculation at the time that the US and Israel were behind the worm. In the weeks that followed, Iran's Natanz plant was hit by a newer version of Stuxnet, and then another after that. According to David Sanger of the New York Times, "The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium."

As far as we know, Stuxnet was the US's first sustained use of cyberweapons; the attacks are widely regarded as the first time a computer worm was used to cause physical damage to industrial equipment, prompting many to call Stuxnet the most sophisticated piece of malware ever crafted.

Enter Flame.

According to the experts at Kaspersky Lab, "Flame can easily be described as one of the most complex threats ever discovered. It's big and incredibly sophisticated." It is a backdoor and a Trojan, and it has worm-like features that allow it to replicate across a local network and onto removable media when instructed. At almost 20MB when fully deployed, it dwarfs Stuxnet (itself roughly 50 times larger than a typical worm). And it has been infecting systems in parts of the Middle East and North Africa for at least two years.

Flame is a sophisticated attack toolkit that spies on the users of infected systems by sniffing network traffic, taking screenshots, recording keystrokes, and even recording audio conversations by remotely switching on the computer's microphone. Another notable feature is its use of the host's Bluetooth adapter, when enabled, to collect information about discoverable devices near the infected machine. The malware is also a platform: through its backdoor, operators can upload and install further plugins that expand Flame's functionality for different goals. There are about 20 modules in total, and the purpose of most of them is still being investigated.

Flame resembles Stuxnet in that both are the product of highly advanced programming and detailed expertise in several specialized areas, and both exploit specific software vulnerabilities to reach selected systems. It differs from Stuxnet in important ways, however. Stuxnet was built specifically to infiltrate and wreak havoc on the centrifuges at Iran's Natanz nuclear enrichment facility. At least part of Flame's purpose appears to be broader: a general-purpose tool for cyberespionage. Once Flame captures the data it is looking for, it compresses and encrypts the information and holds it until it has a reliable connection over which to send it to its command and control servers. For defenders, that staging means the stolen content never crosses the network in the clear; what remains observable is the periodic contact with the command and control infrastructure itself.

By virtue of its general cyberespionage purpose, Flame's targeting is much broader than Stuxnet's. Researchers have detected Flame on hundreds of computers throughout the MENA region and suspect that the total number of infections could exceed a thousand. The most affected areas are Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.

It's not yet known who is behind Flame, since no information in the code has been discovered that can tie it to its authors. But, like Stuxnet, Kaspersky Lab believes it is the product of a nation-state.

[Ed. Note: Some computer security firms say that Kaspersky has hyped Flame, and that it's too early to call it a cyberweapon. Whether the skepticism is warranted or a result of jealousy remains to be seen. But what can't be contested are the skills of the researchers at Kaspersky Lab.]

At this point you might be saying, "Well that's both kind of scary and cool, but so what? What's the point? How does it affect me?"

The point is that the genie is out of the bottle, and there's no going back. Unlike in a traditional war, in a cyberwar it is the more developed nations that are the most vulnerable to attack. When Flame was designed, its programmers did not employ "code obfuscation," which is a fancy way of saying that they did not try to disguise the code in ways that would make it hard to reverse engineer, as a commercial software developer protecting its product would have. According to Fred Guterl of Scientific American, "Stuxnet code was not protected against reverse engineering, either, but this is less of a problem because its purpose is narrow and hence the programming is less useful as a weapon than the more general-purpose Flame." In other words, once a sample is captured, its modules can be studied and repurposed by whoever obtains it. This, coupled with the fact that the US has recently been so brazen in its cyberwar efforts, makes an increase in cyberattacks against the US government and US businesses all but certain.

Alan Paller, director of research at the SANS Institute, said that the revelation of US involvement in Stuxnet dramatically altered the cybersecurity landscape:

"The public airing of the US involvement in Stuxnet is going to make others bolder about launching similar attacks against the country using the same kind of tactics and cyber weapons. We are now going to be the target of massive attacks."

The takeaway for US businesses should be that they need to pay more attention to securing their networks, and in particular to the vectors Flame relies on: removable media, lateral spread within the local network, and covert data collection from endpoints that is staged and encrypted before it leaves.

The takeaway for investors should be that with the proliferation and increasing sophistication of cyberthreats, there will be growing demand for protection against them. As the weapons in this cyberwar evolve, so too must the defenses against them. And that's big business.

As Intel CEO Paul Otellini said, "We have concluded that security has now become the third pillar of computing, joining energy-efficient performance and Internet connectivity in importance."

Otellini hit the nail on the head. And investors are already capitalizing on the huge growth that will come in this area over the coming decades. Estimates of the total market opportunity vary widely, but to get some sense, Canalys recently announced the results of its latest enterprise security forecasts, which indicate that the market is expected to grow to about $23 billion worldwide this year. Steady, double-digit growth is projected for years to come.

Casey Research
