Flame: The Skype-Sniffing, Bluetooth-Enabled Super Spy Tool Is A Harbinger

Flame can listen in on Skype conversations, record keystrokes, steal files, and hack a smartphone's call records. Here's how it works--and how Flame evaded detection for years.

The news from cybersecurity researchers this Memorial Day sounded like a plot device from a science fiction movie. A hyper-secret surveillance program laid dormant on computers around the world for years, secretly turning on microphones, taking screenshots, copying files, recording keystrokes, fiddling with Bluetooth, and sending all the information off to unknown parties. Following an investigation request by the United Nations' International Telecommunications Union, the discovery of Flame--the world's most sophisticated known weapon of cyberwar--was made public. Many of the infected computers belonged to deliberately targeted home users; the exquisitely crafted software escaped evasion by the world's best antivirus software suites for years.

According to Alexander Gostev of Kaspersky Labs, one of the first experts to investigate Flame, the product “[sniffs] the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers. Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.” Other portions of Flame activate Bluetooth functionality and siphon name/phone number/address info from Bluetooth-enabled phones near infected computers. Flame was written using Lua, a programming language best known for its use in Angry Birds.

Due to Flame's information-gathering goals, complex construction, multiple redundancies to hide from virus and malware detectors, and the fact that it's not being used for financial gain, most experts are classifying the product as a cyberwar weapon. What makes Flame especially interesting (and creepy) is the fact that many infected computers are home PCs with Internet connections whose Skype conversations and documents folders were methodically spied on.

We still don't know (or aren't being told) both how Flame was released into the wild and what the primary infection methods are. An anonymous statement from Symantec claims most discovered cases are in the West Bank, Hungary, Iran, and Lebanon with smaller numbers of infected computers in Austria, Russia, Hong Kong, and the United Arab Emirates. The list of countries targeted seems to infer Israeli complicity in the cyberattack.

One Israeli official already made a wink-and-nod statement that could infer local involvement in Flame. In an interview with Israeli Army Radio, Strategic Affairs Minister Moshe Ya'alon said that “Those who view Iran as a significant threat are likely employing various means, including this one, to attack it. […] Israel has been blessed with elite technology, and these tools that we pride ourselves in open up all sorts of options for us.” However, Ya'alon's statement might also be a boastful piece of misinformation.

Researchers at the CrySyS Lab at Budapest University, who wrote one of the first technical reports on Flame (which they called sKyWIper), identified over a dozen unique words or strings of text used by the product's unknown programmers. These words were all English or Spanish, such as Boost, Flame, Flask, Euphoria, BUENO_FLAME_DLL_KEY, Headache, Beetlejuice, Microbe, and Weasel.

The CrySyS team, who did not leave their names on their technical report (and noted that they "carried out an investigation in collaboration with several parties involved in incident response ... Some of these parties involved may want to remain anonymous; therefore, references in the document are deliberately incorrect to avoid identification of the source of some information, data, sample, code, prototype, etc."), said the earliest date of infection appeared to be in Europe in December 2007, in the United Arab Emirates in April 2008, and in Iran in March 2010.

The Iranian Students' News Agency (via the New York Times) claimed in April that a related program called Wiper was used in mass attacks on the Iranian Oil Ministry. According to a Kaspersky statement, "The Flame cyberespionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code--nicknamed Wiper--we discovered [Flame]."

Although Kaspersky did not release details on specific infected computers, Gostev claims that victims include private “specific” individuals, educational institutions, and state-related organizations. Symantec's statement, meanwhile, cryptically says that many victims ”appear to be targeted for individual personal activities rather than the company they are employed by.” McAfee's Peter Szor and Guilherme Venere also discovered several Flame infections in the U.S.

Cyberwarfare--and corporate espionage--are two-way streets. Flame is an admirably complex piece of technology. Even if Israel or the United States isn't behind the project, it's still the pinnacle of covert cyberwarfare in 2012. However, today's high-tech novelty is tomorrow's routine weapon. As Flame is examined in detail and reverse-engineered, the product's unique aspects will be replicated and improved by other interested parties. This will mean a significant headache for computer security firms.

Programs, worms, and malware aren't created in vacuums. It's a very safe assumption that there are other products similar to Flame lurking on computers right now, surreptitiously spying on users' every move or deleting strategic files... and evading detection by the anti-virus programs personal and enterprise users rely on to keep themselves secure. Apart from the United States and Israel, China, Russia, France, the United Kingdom, India, Pakistan, Brazil, and a host of other foreign countries have their own cyberwarfare programs. Emerging cyberwarfare threats are a part of everyday life--from Flame to fears that China is placing backdoors in computer chips sold to the U.S. military. Then, of course, there are all the cyberweapons discovered on a regular basis that we don't hear about because governments and corporations wish to keep mum.

Flame is like something out of a science fiction movie, or a plot device from the latest Mission Impossible. High strangeness is a matter-of-fact assumption when dealing with cyberwarfare and technology these days. Today's spying on academics and Iranian oil facilities might just be tomorrow's creepy corporate information-gathering tool.

For more stories like this, follow @fastcompany on Twitter. Email Neal Ungerleider, the author of this article, here or find him on Twitter and Google+.

[Main Image: Flickr user Tom Lin, Top, Middle Images: Kaspersky Lab / Bottom Image: McAfee]

Add New Comment

1 Comments