Kaspersky Lab has published an update in its investigation of the Flame cyber-espionage campaign, which the security experts discovered in May.
The research, which Kaspersky conducted in partnership with IMPACT, CERT-Bund/BSI and Symantec, identified traces of three previously undiscovered
Specifically, Symantec has highlighted forensic analysis of two of the command-and-control (C&C) servers behind the W32.Flamer attacks that targeted the Middle East earlier this year.
Here's what the group found after analyzing the C&C servers:
- The two servers were set up on March 25, 2012, and May 18, 2012.
- The servers controlled at least a few hundred compromised computers over the next few weeks of their existence.
- The server set up in March collected almost 6 GB of data from compromised computers in a little over a week. The May server only received 75 MB of data, as it was used to distribute one command module to the compromised computers.
As for the three Flame-related programs, Kaspersky said at least one of them is currently operating in the wild, though no one has yet identified it. There isn't any evidence that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.
Kaspersky posted the detailed Flame analysis on its Securelist blog. Essentially, the attackers used a web application that enabled them to upload packages of code, deliver them to compromised computers, and then download packages containing stolen client data.
The researchers believe that this malware has been under development by a group of at least four developers since at least December 2006. They also found that the same servers were probably used for more attacks than just the ones in this report, and that the attackers used multiple encryption techniques while periodically and securely wiping data from the servers.
That suggests the group behind the W32.Flamer attacks is quite sophisticated. In fact, Kaspersky concluded its report by noting that the findings reinforce "our initial conclusions that Flame is a nation-state sponsored attack."
This item first appeared on ZDNet's Zero Day blog under the headline "Kaspersky Lab: Flame cyber-espionage campaign dates back to 2006."