
Midterm Paper on Flame


Author’s Name

Institutional Affiliation


Abstract

This midterm paper addresses Flame as the selected significant cybersecurity event of the last 10 years. Flame was malicious software used to steal classified information in 2012, causing substantial damage to intelligence in the Middle East. This paper examines the causes of Flame as an advanced cybersecurity incident, along with the threats associated with it. It then examines the vulnerabilities exploited by the perpetrators and gives an account of the outcomes. The paper also considers the changes to cybersecurity policy that followed this malware attack.

Overview of the Cybersecurity Event

In 2012, hackers purportedly working with the United States National Security Agency, in partnership with the Israeli government, developed and disseminated nation-state-sponsored malware known as Flame, Skywiper, or Flamer (Holt, Bossler, & Seigfried-Spellar, 2017; Zetter, 2012). This modular malware was advanced spyware intended to conduct cyber-espionage in Middle Eastern nations. The primary target was Iran, as the attackers were interested in intelligence surrounding the country’s nuclear program (Nakashima, Miller, & Tate, 2012). Eisenstadt (2016) and Knapp and Langill (2014) affirm that the motive was espionage: while Flame was possibly a more sophisticated derivative of Stuxnet (a 2010 malicious computer worm intended to sabotage and destroy computer systems), its purpose was cyber-espionage and network reconnaissance.

Flame was discovered by security researchers from Kaspersky Lab, Iran’s National Computer Emergency Response Team (the MAHER Center), and the Cryptography and System Security Lab at Budapest University of Technology and Economics (Gostev, 2012; Hoffman, 2012; MAHER Center, 2012). All of these researchers agree that Flame was the most advanced, complex, and sophisticated malware strain developed up to that point. Flame targeted computers running the Windows OS, infecting specific machines in homes, universities, and government institutions and agencies, mainly in Middle Eastern countries (Holt, Bossler, & Seigfried-Spellar, 2017). This spyware worked as a cyber-espionage tool that granted backdoor access to files on any system connected to these computers, which enabled remote recording of network traffic, video conversations, and audio, data theft, and capture of keystrokes (Gostev, 2012; Zetter, 2012). Skywiper’s complexity also allowed it to activate the Bluetooth functions of infected computers so as to log data from nearby Bluetooth-enabled mobile devices. In addition, this malware could easily be scrubbed from infected systems once it became public, eliminating evidence of any infection (Holt, Bossler, & Seigfried-Spellar, 2017).

Causes of the Cybersecurity Event

Flame was not the result of an accident but of two specific causes: the failure to maintain adequate controls and an active cyber-attack.

Inadequate Security Controls

The Middle Eastern countries whose computer systems were targeted and infected failed to implement and maintain sufficient, state-of-the-art controls on their systems. Experts from Kaspersky Lab, who discovered Flame, identified capability and technical gaps between the U.S. arsenal and the tools used by other nation-state groups (Cimpanu, 2019). These gaps indicate that the controls deployed by Middle Eastern nations for detecting potential cyber-attacks and cyber threats were inadequate. Knapp and Langill (2014) also acknowledge that Skywiper/Flame had remained active for years before being discovered. During this time, it was used to mine sensitive data and return it to a sophisticated command-and-control (C2) infrastructure with 80 domain names. It also used servers that shifted between multiple locations in Germany, Hong Kong, Latvia, Malaysia, Poland, Switzerland, the U.K., and Turkey (Knapp & Langill, 2014).

Before its discovery, Skywiper existed as multiple modules, including Flame, Gadget, Frog, Munch, Suicide, Telemetry and Gator, Weasel and Jimmy, and Viper. As Knapp and Langill (2015) suggest, each of these modules had its own capabilities, all of which remained undetected until 2012, when the Skywiper module was discovered. For instance, Flame handled routine AutoRun infections. Gadget updated automatically, allowing the malware to evolve and accept new payloads and modules. Frog carried payloads for password theft, Munch carried payloads able to capture network traffic, and Viper carried payloads capable of capturing screenshots. Suicide possessed self-determination capabilities, Telemetry and Gator handled command-and-control routines, and Weasel and Jimmy dealt with file and disk parsing (Knapp & Langill, 2014; Knapp & Langill, 2015; Rubenstein, 2014). While Skywiper combined all these capabilities to carry out espionage, the security controls and systems of Middle Eastern countries never detected any of them. This is evidence that the inadequacy of these countries’ cybersecurity controls was one principal cause of Flame.

An Active Cyber-Attack

The second major cause of Flame was an active spyware attack by hackers allegedly working collaboratively with the United States and Israeli governments (Holt, Bossler, & Seigfried-Spellar, 2017; Zetter, 2012). The active attack aimed to conduct cyber-espionage, mine data, and gather or steal intelligence about the Iranian nuclear program (Nakashima, Miller, & Tate, 2012). Flame was thus a malicious program planted on target machines to perform cyber-reconnaissance, siphon system information, hijack administrative accounts, grant high-level privileges to the hackers, and physically attack the target systems (Gostev, 2012; Zetter, 2012). So, besides espionage and network reconnaissance, physical attacks on targeted systems were also a motive behind this malware. The fact that Flame was a dynamic, smart, and sophisticated attack toolkit developed by governments (Bahtiyar, 2016) means that its other cause was an active attack by governments against other governments. Flame’s modular and dynamic nature means that it can evolve into weaponized malware for use in more aggressive future cyber-attacks, hence the need for advanced defense mechanisms to protect cyberspace (Bahtiyar, 2016; Knapp & Langill, 2015).

The Associated Threats

Flame was associated with three major threats. The first was a national security threat. The NSA and the Israeli government collaborated in using Flame to conduct cyber-espionage against Iran and other Middle Eastern countries, collect intelligence about Iranian nuclear efforts, and organize a cyber-sabotage campaign against the nuclear program (Nakashima, Miller, & Tate, 2012). This raised national security concerns, as the targeted nations could retaliate against the cyber-espionage. Cyber-reconnaissance tends to trigger national security threats, especially when sensationalized by the media (Rubenstein, 2014).

The second was the cyber warfare threat. Cyber-espionage conducted using Flame stimulated enmity between the parties involved, which could culminate in cyber warfare in the long run. Bahtiyar (2016) and Knapp and Langill (2015) also submit that the modular nature of Flame means it can advance into weaponized malware usable in contemporary cyber warfare. For these reasons, politicians have been directing public policy towards combating cyber-espionage to inhibit the perceived cyber-war threat, which remains high following the Flame-based attack (Rubenstein, 2014).

The last threat is that of unwanted cyber-surveillance. Flame’s architecture allowed it to be wiped from infected systems, eliminating proof of any infection (Holt, Bossler, & Seigfried-Spellar, 2017). This means the malware could be used to perform unwarranted cyber-surveillance without anyone noticing. This threat can become rampant in the future if such malware versions are deployed to spy stealthily on actors involved in classified government, military, and intelligence developments in different countries, which also has the potential to exacerbate the cyber warfare threat.

The Vulnerabilities Exploited

The hackers using Flame to conduct cyber-espionage exploited four vulnerabilities. The first was the technical vulnerability of targeted systems arising from inadequate security controls. Technical vulnerabilities also stemmed from the fact that the computer technology of the targeted countries depended largely on foreign-made hardware and software, which left it virtually defenseless and exposed to extreme vulnerabilities (Loiko, 2012). The second involved cryptographic vulnerabilities: Flame used zero-day exploits of the Windows operating system similar to those exploited by Stuxnet (Bahtiyar, 2016; Goyal et al., 2012; Knapp & Langill, 2014). This allowed Flame’s architects to exploit weaknesses in Microsoft’s terminal server products and inadequate key-management decisions by the firm’s engineers to generate cryptographic seals that falsely certified Flame as a Microsoft product (Fillinger, 2013; Goodin, 2012). Thirdly, Flame exploited AutoRun vulnerabilities similar to Stuxnet to infect the USB sticks of targeted machines. Finally, it exploited a print spooler vulnerability similar to Stuxnet, which allowed it to spread rapidly to computers on local networks (Zetter, 2012).
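A defender’s first check against the certificate weakness described above is the hash algorithm in the signer’s chain: the forged Microsoft certificate behind Flame carried an MD5-based signature (the attack reconstructed in Fillinger, 2013), which a code-signing policy can refuse outright. The following Python is an added example, not code from this paper or from any cited source; it parses only the outer DER structure of a certificate, and the two byte strings are constructed skeletons rather than real certificates.

```python
# Added example: extract the signatureAlgorithm OID from an X.509 certificate
# in DER form and flag hash algorithms a code-signing policy should reject.
# Pure Python, no third-party modules; only the outer certificate structure
# is parsed (tbsCertificate is skipped, the signature itself is not verified).

WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",   # used by Flame's forged cert
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # deprecated for code signing
}

def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length encoding
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn DER OID contents into dotted-decimal form (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                        # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)              # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)         # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_raw)

def weak_signature(cert_der):
    """Name of the weak algorithm, or None when the signature hash is acceptable."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))

# Constructed skeletons (not real certificates): empty tbsCertificate, an
# AlgorithmIdentifier, and an empty BIT STRING, enough to exercise the parser.
MD5_SIGNED = bytes.fromhex("3014 3000 300d 0609 2a864886f70d010104 0500 030100")
SHA256_SIGNED = bytes.fromhex("3014 3000 300d 0609 2a864886f70d01010b 0500 030100")
```

On a real certificate, `weak_signature` should be run over every certificate in the chain, not only the leaf, since Flame’s forgery sat at the intermediate level.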

The Outcomes of the Cybersecurity Event

The principal impact of Flame was the loss of intelligence and highly classified information stolen remotely from Iran and other Middle Eastern countries. Another impact was that its discovery exposed governments’ involvement in sponsoring the development of sophisticated malware that can target industries such as the energy sector. The last impact was that Flame sensitized software architects and engineers at companies such as Microsoft to adopt more proactive security-by-design measures to protect their update and certificate generation mechanisms (Goodin, 2012).

Changes to Cybersecurity Policy Due to the Event

After the Flame attack, no significant changes have been made in cybersecurity management and policy. The only change is a shift in cybersecurity policy on cyber warfare and cyber-espionage. Specifically, Flame awakened cybersecurity policymakers and refocused their attention on combating cyber-espionage to curb the emergence of cyber warfare (Rubenstein, 2014). Wary that Flame and similar malware and spyware can be weaponized, these policymakers are pushing for policies that limit domestic and overseas cyber-espionage activities. Intelligence policy experts in some countries are also considering outsourcing intelligence services to streamline their cybersecurity management functions.

Conclusion

Three lessons can be learned from the Flame incident. Firstly, governments can be behind the development and deployment of sophisticated malware for cyber-espionage, network reconnaissance, and cyber-based intelligence theft. Secondly, not all software updates and OS upgrades are genuine, as some could be high-tech spyware like Flame disguised as software updates. Companies like Microsoft should take this lesson seriously. Lastly, companies, institutions, and countries need to keep their C2 infrastructure up to date at all times to increase the chances of detecting when similar malware is trying to infect their systems. In short, Flame sensitizes governments to be proactive and tech-savvy in securing their intelligence, classified data files, and confidential government information from theft by other governments.

References

Bahtiyar, Ş. (2016). Anatomy of targeted attacks with smart malware. Security and Communication Networks, 9(18), 6215-6226.

Cimpanu, C. (December 12, 2019). A decade of hacking: The most notable cyber-security events of the 2010s. ZDNet: CBS Interactive. Retrieved March 06, 2020, from https://www.zdnet.com/article/a-decade-of-hacking-the-most-notable-cyber-security-events-of-the-2010s/.

Eisenstadt, M. (2016). Iran’s lengthening cyber shadow. Policy Paper No. 34. Washington Institute for Near East Policy.

Fillinger, M. J. (2013). Reconstructing the cryptanalytic attack behind the Flame malware (Doctoral dissertation, University of Amsterdam).

Goodin, D. (June 04, 2012). “Flame” malware was signed by rogue Microsoft certificate. Ars Technica: Wired Media Group. Retrieved March 06, 2020, from https://arstechnica.com/information-technology/2012/06/flame-malware-was-signed-by-rogue-microsoft-certificate/.

Gostev, A. (May 28, 2012). The Flame: Questions and answers. AO Kaspersky Lab. Retrieved March 5, 2020, from https://securelist.com/the-flame-questions-and-answers/34344/.

Goyal, R., Sharma, S., Bevinakoppa, S., & Watters, P. (2012). Obfuscation of Stuxnet and Flame malware. Latest Trends in Applied Informatics and Computing, 150, 154.

Hoffman, V. C. (May 30, 2012). Meet Flame, the Ebola virus of malware. CIO: IDG Communications, Inc. Retrieved March 5, 2020, from https://www.cio.com/article/2371366/meet-flame–the-ebola-virus-of-malware.html.

Holt, T. J., Bossler, A. M., & Seigfried-Spellar, K. C. (2017). Cybercrime and digital forensics: An introduction. Routledge.

Knapp, E. D., & Langill, J. T. (2014). Industrial network security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems (2nd ed.). Syngress.

Knapp, E. D., & Langill, J. T. (2015). Hacking industrial control systems. In Industrial Network Security, 171–207. doi:10.1016/b978-0-12-420114-9.00007-1.

Loiko, S. L. (May 31, 2012). Russia computer experts who detected Flame malware issue warning. The Los Angeles Times. Retrieved March 06, 2020, from https://www.latimes.com/world/la-fg-russia-flame-cyberwar-20120531-story.html.

MAHER Center. (May 30, 2012). Identification of a new targeted cyber-attack. Iran Computer Emergency Response Team. Retrieved March 5, 2020, from https://www.webcitation.org/682bfkhaU?url=http://www.certcc.ir/index.php?name=news&file=article&sid=1894&newlang=eng.

Nakashima, E., Miller, G., & Tate, J. (June 19, 2012). U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say. The Washington Post. Retrieved March 06, 2020, from https://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html.

Rubenstein, D. (2014). Nation state cyber espionage and its impacts. Washington University in St. Louis.

Zetter, K. (May 28, 2012). Meet “Flame” the massive spy malware infiltrating Iranian computers. Wired. Retrieved March 5, 2020, from https://www.wired.com/2012/05/flame/.