A newly discovered malicious code nicknamed “Flame,” found on computers across the Middle East and in Europe, set off the alarm bells of some cybersecurity firms, media outlets and the government of Iran this week. But it may not be as nasty as initial reports indicated, and the hype surrounding Flame may be partially the result of a U.N. agency, the International Telecommunications Union.
The malware’s behavior certainly seems alarming: Flame is capable of capturing and transmitting such sensitive user information from infected computers including emails, keystrokes, even audio by covertly activating selected machines’ built in microphones.
A bulletin from the Iranian national cyber security agency released on Monday claimed that Flame was behind several “recent incidents of mass data loss” in the country. On Wednesday, another Iranian military official claimed the malware had struck the country’s oil sector, but had been successfully removed and data recovered. Although Flame appears designed primarily for information gathering, not destruction, its presence means that other wiping programs could be installed on infected machines.
Iran’s Monday bulletin compared Flame to to the infamous Duqu and Stuxnet malware, the latter of which was in 2010 reported to have caused physical damage to Iranian nuclear plants by making computer-controlled centrifuges spin too fast.
Plus, Flame’s authorship remains an open question. A top Israeli official on Monday intimated that Israel could and would deploy such an attack on its adversary. By Wednesday, U.S. cybersecurity experts were suggesting to NBC News that Flame had “hallmarks of a U.S. cyber espionage operation,” giving the story had all the makings of an international whodunnit.
But several other leading cybersecurity experts have spoken up attempting to douse the hype surrounding the malware, which they argue is mostly smoke and mirrors.
“A weapon is designed to destroy something. Early analysis of Flame doesn’t show that to be a capability,” said Jeffrey Carr, CEO and founder of Taia Global, a boutique cybersecurity firm, in an email to TPM. “It’s strictly an info-stealing virus, albeit a massive one. Flame uses keylogging software as part of its toolkit which is comparable to Zeus and SpyEye - trojans that are often used in financial crimes and sometimes in cyber espionage as well.”
Carr would know: He’s an author of “Inside Cyber Warfare: Mapping the Cyber Underworld” and a top U.S. government contractor on cybersecurity issues.
On late Monday, he published an entry on his own blog, Digital Dao, disputing the analysis of another security firm, Russian-based Kaspersky Labs, which characterized Flame as a new type of cyber weapon.
Earlier, a Kaspersky security researcher posted a blog entry writing the malware could “might be the most sophisticated cyber weapon yet unleashed,” and that it “pretty much redefines the notion of cyberwar and cyberespionage.”
Kaspersky doubled-down on its assessment that Flame is a cyber weapon, with chief malware expert Vitaly Kamluk telling TPM via email that Flame differed from traditional malware used by cyber criminals in key ways.
“Traditional malware is usually small, robust and efficient,” Kamluk told TPM. “A cyberweapon is not designed to bring money, but to collect all types of information (including audio recordings, video captures and all kind of telemetry), destroy computer systems and industrial equipment. Developers of cyberweapon don’t care too much about its speed and robustness, but care about its flexibility, reliability and reusability.”
Another security firm, Hungarian based CrySys, agreed, writing in a report that Flame us “certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.”
But Carr said that such descriptions, and the prospect of an invisible cyber war, may be overblown in this case.
“We’ve never seen a true cyber war between nation states and I doubt that we ever will,” Carr told TPM. “If one state causes harm to another using a cyber-based weapon (like Stuxnet), then the other state won’t limit its response to just a cyber attack. It’ll be justified in launching a kinetic attack as well under the Law of Armed Conflict.”
Further, Carr pointed out that the Flame attack was highly targeted, aimed at high-value targets, and that civilian computer users shouldn’t worry about their machines being infected.
Carr’s comments echoed those of noted Internet skeptic and writer Evgeny Morozov, who wrote a column for Slate explaining that true cyber weapons are actually quite expensive and time-consuming to produce, and that they are only likely to be deployed by those nations with enough conventional military force to back them up.
Carr’s assessment is also backed by comments made Monday by a spokesperson of Webroot, another small security firm that detected Flame back in 2007, who told PC World that the malware is “an over-engineered threat that doesn’t have a lot of new elements to it—essentially a 2007 era technology.”
Indeed, Carr told TPM that there’s nothing really that Iran, the United States, or any other country can really do to fully protect themselves against a piece of cyber espionage software like Flame.
“Targeted attacks by their very nature will bypass existing defenses,” Carr wrote. “Flame demonstrates the need to change our focus away from trying to keep adversaries out of our networks. That’s an impossible goal. We should instead focus on keeping our critical data from leaving which is not only possible but relatively inexpensive to do.”
On this accord, Kaspersky agrees, with Kamluk telling TPM via email: “From our perspective victims might be anywhere. If they were not successfully hit by Flame, that doesn’t mean that they can’t be hit by something else.”
It’s still unclear for now who is behind the virus. But Flame’s discovery, and subsequent labeling as a global cyber threat, may have more to do with a matter of international diplomacy rather than any sort of invisible cyber conflict.
Kaspersky Labs openly stated that it first detected Flame while searching for another piece of malware, nicknamed Wiper, on behalf of the United Nations International Telecommunications Union (ITU), an agency that manages the global usage of radio spectrum and sets standards for wireless Internet and mobile phone service (it’s responsible for the loose definition of 4G, for example).
Kaspersky is the leading collaborator in the ITU’s annual cybersecurity summit, ITU Telecom World, set for the fall of 2012.
One security researcher noted on Quora, that the ITU has for years hyped the threat of cyber weapons and cyber warfare to bolster support for its goal of passing an international cyber treaty that has been criticized by Web freedom activists and leading companies as a kind of global Web regulation.
The ITU did not respond to TPM regarding these points in time for publication of this article. But on late Tuesday, the agency did say that it was preparing to release a confidential warning memo to its 190 member states on Flame, which would be “the most serious (cyber) warning we have ever put out,” as ITU cyber security coordinator Marco Obiso told Reuters. Other cyber experts told Reuters that they thought the ITU was overreacting to the threat.