Flame: A glimpse into the future of war

Claims of cyberwar are overblown, but things are definitely heating up in regard to international conflicts where malware is replacing drone strikes.

Elinor Mills, Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.


If you roll your eyes at the term "Digital Pearl Harbor," you have my sympathy. We've been warned about the specter of an enemy attack via bits and bytes for several decades, with no real evidence that this is a realistic possibility and not mere hype.

Still, a new worm that's been spying on infected computers in the Middle East has been called a "cyberweapon," and while we're not talking outright combat, it's clear that malware is increasingly playing a part in geopolitical diplomacy and conflict.

This week brought news of not the first, nor the second, but the third known piece of advanced malware that appears to be government or nation-state sponsored. We have Stuxnet, its simpler cousin Duqu, and now we have "Flame." These three pieces of malware are hard evidence of cyberspying and, in the case of Stuxnet, sabotage of Iran's nuclear program with malware to preempt a military strike, according to a New York Times article based on reporter David Sanger's new book.

The article, which relies on information from unnamed U.S. government sources, confirms long-held speculation that Stuxnet (and likely Duqu) was developed by the U.S., probably in collaboration with Israel. (Israel has denied involvement in both Stuxnet and Flame, while the U.S. has not outright distanced itself from either. Meanwhile, the U.S. Cyber Emergency Response Team says there's no evidence that Flame is related to Stuxnet or Duqu or that it targets industrial control systems. And the Department of Homeland Security declined to answer questions about Flame beyond providing this statement: "DHS was notified of the malware and has been working with our federal partners to determine and analyze its potential impact on the U.S.")

How ironic, but not at all surprising, that Americans have been the ones most vocal in raising the alarms about cyberwar and yet the U.S. may have launched the first cyberstrikes. The U.S. may be a leader in cyber-geopolitical affairs, but it's also a huge target. The U.S. government and private companies have been under attack in the form of electronic espionage, primarily from China, experts and victims say. Source code and other sensitive data have been pilfered in stealth cybermaneuvers conducted against Google, RSA, defense contractors, critical infrastructure operators, and others, according to company statements, research in recent government reports, and information from security firms like Symantec and McAfee.

It will take months if not years for researchers to fully dissect Flame, which has been called "the most sophisticated cyberweapon yet unleashed." Infections have been concentrated in Iran and other Middle Eastern countries, and it seems designed mostly for spying. It leaves a backdoor on computers and can be instructed to spread itself via USB thumb drive, network shares, or a shared printer spool vulnerability. It uses various methods of encryption and data compression and has at least 20 different components that are used to command it to do things like sniff network traffic, take screenshots, record audio conversations, log keystrokes, and gather information from nearby Bluetooth devices. Experts believe more modules are in the wild. There are more than 80 command-and-control servers being used to send instructions to infected computers.

The malware isn't an entirely new beast really, and the individual functions aren't uncommon. But the size of the program, the fact that it has so many different functions, and its modularity make it fairly unique. An attacker can mix and match components at will. Flame may have remained hidden for as long as five years. And it could be only the tip of the iceberg; there's no reason to think there haven't been other pieces of malware that have thus far escaped detection, or that have been detected but kept under wraps. Flame's emergence isn't game changing necessarily, but it does give an indication of how far geopolitically motivated malware has come and who might be ahead in that "arms race," as well as give a glimpse of what the future holds.

"Everybody has known for 10 years in government circles that cyberespionage is profitable and that it is happening at an enormous pace. This is confirmation for the public that very sophisticated attacks are prevalent," said Stewart Baker, former assistant secretary of policy at the Department of Homeland Security and now a partner practicing cyberlaw in the Washington, D.C., office of Steptoe & Johnson.

"For most intelligence agencies and governments what is interesting is the specifics of the techniques that are being used. I'm sure there are agencies that are learning a lot from them," Baker warned. "This is bad for sophisticated countries that have secrets to protect, like the U.S. and Western Europe, and for the Chinese and Russians too. And it's probably good for countries like North Korea and Iran that are going to go to school with this tool."

"Stuxnet, Conficker, and Duqu and now with Flame added to that, it suggests we're in a new era here," agreed Scott Borg, director of the nonprofit research institute U.S. Cyber Consequences Unit. "I'm not at all surprised by Flame."

Borg has been following this stuff for a long time. Even before Stuxnet hit the news two years ago, Borg made prescient remarks to the effect that Israel's weapon of choice would be malware that would give the country the ability to interfere with Iran's nuclear program without launching a massive military strike. He identified the uranium enrichment centrifuges as the most likely target and suggested that a contaminated USB stick would be a likely vehicle for sneaking the program into a building, among other predictions that came true with Stuxnet.

According to the New York Times article, the Bush administration turned to malware as an alternative to launching a military strike against Iran and the Obama administration continued with the operation, which was code-named Olympic Games. However, while malware might save lives in the short term, it doesn't mean it's necessarily the safer and smarter choice in the long run, Borg and other experts say.

"Cyber can be a much better alternative," Borg said, noting that the Russian cybercampaign against Georgia in 2008 targeted communication and media sites with Distributed Denial of Service attacks and spared them from air strikes. "That's an example where a cyberstrike was less destructive and a more humane way to carry out a mission," he said.

But there's nothing to stop an aggressor from using both online and offline attacks. "If you are planning drone strikes, what better intelligence could you ask for than a tool that will turn on a camera and microphone of a machine in your enemy's possession to let you know who is there and what is going on?" Borg said.

One big problem with Flame is that the malware authors didn't use code obfuscation, which means it can easily be dissected and re-used by any organization with some advanced programming skills and experience, which would include a large number of nation-states and terrorist groups, according to Borg. Stuxnet can be (and likely has been) reverse engineered, but its limited functions make it less of a danger. "That's a terrible mistake" on the part of the creators, Borg said. "This is a general purpose tool. It has a lot of modules that will do a lot of things... This is not a good thing to have released into the world in a form that is decipherable."

Even though Flame doesn't initially appear to be designed for sabotage, there may be components in the wild that would give it that function. "If it's that sophisticated, it can probably have physical manifestations as well," said Greg Garcia, principal of the Garcia Cyber Partners consulting firm and a former assistant secretary of cybersecurity at the Department of Homeland Security. "It could have consequences that are even broader and potentially more deadly than a drone strike if you think about infiltrating and corrupting control systems that are managing critical operations, whether it's electrical grids, water purification, or transportation systems."

Garcia speculated that Flame could have been meant to send a message, a sort of muscle flexing exercise. "It might be probes for the purpose of reducing confidence in the information systems of certain networks," he said. "We're watching you and you're not safe." But Borg doesn't buy the psychological ops theory. "It doesn't fit the way it was deployed, the thoroughness of the way it was erased (from machines to cover its tracks), the limited number of machines" it infected, he said.

Borg declined to speculate which country is behind Flame but said he suspects it was created by "friendly forces." "The countries capable of writing these kinds of tools, the short list is: China, Russia, U.S., Britain, Germany, Israel, and probably Taiwan," he said. The code, which at 20 megabytes is huge compared with Stuxnet and other malware, most likely required hundreds of people to be working on it for many months, he said.

The very elements that make cyberattacks launched by groups like Anonymous and other hackers problematic as forms of political protest -- the inability to prove who did it and for anyone to take credit for it -- make these cyberactions by governments problematic too. These stealth cyberattacks not only may result in unintended consequences and victims, but they also may fail to serve as a deterrent or as bargaining chips.

"Do the same rules (of war) apply in cyberspace?" Columbia University computer science professor Steven Bellovin wonders in a blog post. "One crucial difference is the difficulty of attribution: It's very hard to tell who launched a particular effort. That in turn means that deterrence doesn't work very well."

Each new cyberthreat or incident launched by a purported government or nation-state will set the course for this debate. The Internet is redefining our lives and actions in unexpected ways -- e-commerce has put storefronts out of business, e-mail has made fax machines obsolete, smartphones have changed the face of photography and personal communications, and Facebook has evolved the notion of a "friend." New digital capabilities can also help people do more harm to each other in times of conflict or avoid physical suffering.

"We have been talking in the government and the Department of Defense about what constitutes cyberoffense in the 21st century and what are the boundaries," said Garcia of Garcia Cyber Partners. "I think those boundaries are going to be slowly defined by default and in practice, and maybe this is going to be one of those indicators."

Don't expect the Stuxnet-Duqu-Flame triumvirate to scare anyone straight though. The perception of threat or possibility for danger in cybersecurity hasn't been enough in the past to merit much action on the part of responsible parties, be they electricity providers or the untold corporate networks that are hacked daily. "There is no shortage of information that says we have a problem," said Herb Lin, chief scientist at the Computer Science and Telecom Board at The National Academies. "People like me have been complaining about the fact that Stuxnet was possible for 20 years and nobody listened. Is this enough of a wakeup call? Maybe. But there have been a lot of other wakeup calls and people just put the snooze button back on."

No doubt, more theories about Flame will be coming out in the future as additional technical information is unveiled. Kaspersky Labs has scheduled an online news conference for 6 a.m. PT on Monday to reveal new forensics it has done on the malware's command-and-control infrastructure used for communication between the attackers and the infected computers. Stay tuned.