Israel Matzav: Confirmed: Flame and Stuxnet developed by related groups

Monday, June 11, 2012

Confirmed: Flame and Stuxnet developed by related groups

Based on similarities in their code, the Russian Kaspersky Labs, which discovered Flame, confirms that Flame and Stuxnet were developed by groups that worked together. Flame was actually developed first. Flame has been used to gather intelligence from computer systems, particularly in Iran, while Stuxnet was used to force Iranian nuclear centrifuges to destroy themselves. As noted on this blog on Sunday, while the Obama administration has attempted to take credit for developing Stuxnet to enhance the President's reelection bid, Stuxnet was likely developed by the Mossad, possibly in coordination with the IDF's unit 8200. It would therefore follow that Flame was a Mossad and/or IDF project.

There were two independent developer teams, with Flame development preceding Stuxnet and each team developing its own code platform since 2007-2008 at the latest, the researchers said. Both projects were state-sponsored, and Stuxnet was specifically designed to sabotage Iran's nuclear program, experts believe.

In addition, a previously undiscovered elevation-of-privilege Windows exploit is in Stuxnet.A, an early variant of the malware, Roel Schouwenberg, senior researcher at Kaspersky Lab, said in a Web conference with reporters.

"We have a new old Zero-Day," he said, referring to an attack that exploits a previously unknown and unpatched vulnerability. "It was a Zero-Day at the time of creation and most likely at the time of deployment." That brings to five the number of Zero-Day exploits Stuxnet used. The exploit, created in February 2009, is "strikingly similar" to one that was patched by Microsoft in June 2009, researchers said.

Stuxnet.A, which dates to about June 2009, contains a module known as "Resource 207, which is an encrypted dynamic-link library file that has an executable file that Kaspersky researchers say shares code with Flame. Resource 207 was not in Stuxnet.B, which came out in 2010. The primary functionality of the code in Stuxnet is to distribute the infection from one machine to another via removable USB drives and exploit the vulnerability in Windows kernel to obtain escalation of privileges within the system, according to a Kaspersky news release. The code responsible for distributing malware via USB drives is completely identical to the one used in Flame, the researchers said. They both use the Autorun function in Windows.

Initially, Kaspersky researchers speculated that the projects were parallel but were hesitant to say they were developed or commissioned by the same party. Now a more definite link has been established and a timeline is more clear.

"We firmly believe the Flame platform predates the Stuxnet platform. It looks like the Flame platform was a kick-starter of sorts to get the Stuxnet project going," Schouwenberg said. "The operations went separate ways, maybe because Stuxnet code was mature enough to be deployed in the wild. Now we are 100 percent sure that the Stuxnet and Flame groups worked together."

Read the whole thing.

In a blog post, Kaspersky discusses the missing link.

Despite the fact that Stuxnet has been the subject of in-depth analysis by numerous companies and experts and lots has been written about its structure, for some reason, the mysterious “resource 207” from 2009 has gone largely unnoticed. But it turns out that this is the missing link between Flame and Stuxnet, two seemingly completely unrelated projects.

...

In October 2010, our automatic system received a sample from the wild. It analyzed the file thoroughly and classified it as a new Stuxnet variant, Worm.Win32.Stuxnet.s.

With Stuxnet being such a big thing, we looked at the sample to see what it was! Sadly, it didn’t look like Stuxnet at all, it was quite different. So we decided to rename it to Tocy.a and thought “silly automatic systems!”.

When Flame was discovered in 2012, we started looking for older samples that we might have received. Between samples that looked almost identical to Flame, we found Tocy.a.

Going through the sample processing system logs, we noticed it was originally classified as Stuxnet. We thought, how was it possible? Why did the system think that this Flame sample was related to Stuxnet? Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to “resource 207” from Stuxnet. It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection.

Going back to the story, this is how we discovered the incredible link between Flame and Stuxnet.

Read the whole thing.

ABC News adds.

After Stuxnet's discovery, a Congressional report in December 2010 put the U.S. and Israel on a short list of countries believed to be capable of carrying out that attack -- a list that also included Russia, China, the U.K. and France. A month later, The New York Times reported Stuxnet may have been the result of a joint U.S., Israeli project to undermine Iran's nuclear program.

Five different U.S. government agencies declined to comment to ABC News about allegations they were involved in Flame and the Israeli government has reportedly denied any link to the virus.

News of the new connection between the two programs came just days after a U.S.-based cyber security firm, Symantec, reported Flame appears to have been given a "suicide" command that would wipe any trace of it from an infected computer.

I don't believe that Israeli denial for a minute. Our government just doesn't like to look guilty so it wouldn't say 'no comment' like the Americans. For example, to this day, Israel has never officially admitted that it destroyed the Syrian nuclear plant in 2007. And we've never told anyone whether we have nuclear weapons, even though I'm sure you all think that we do.

But don't tell Forbes that. They think the CIA did it. Heh.

Labels: CIA, cyberwar, Flame, IDF, Mossad, Stuxnet