Let us stipulate that governments of all political affiliations are trying to steal information from one another. This is called espionage and it has been happening for thousands of years and the only things that have changed are the tactics and the technology. The discovery of the Flame malware–which looks to be the digital equivalent of a spy’s black bag–doesn’t change any of this, but it does raise one big question, and that is not who is writing tools like Flame, but who isn’t?
The world is a messy place right now, with economies melting down in Europe, wars sprouting up all over and heinous human rights violations and massacres of civilians by oppressive governments becoming a daily drumbeat. Things are ugly in a lot of places and politicians and government officials around the globe find themselves needing to use any and every tool at their disposal in order to gain some small advantage over their opponents, be they foreign or domestic.
It should come as no surprise then that they’re perfectly willing to use offensive security tools as part of their data-gathering and espionage operations. To get an idea of how long operations like these have been going on, read the story of The Cuckoo’s Egg, which details the exploits of a German hacker hired by the KGB to attack military, university and defense contractor networks in the U.S. to steal data related to nuclear and satellite defense systems. That was in 1986.
Malware such as Flame–if it truly was designed as a spy toolkit, as researchers believe– offer a number of advantages for governments and intelligence agencies that human assets and other tools do not. People, even highly trained and skilled ones, have weaknesses such as emotions, monetary and physical needs and biases and that can compromise their ability to do their jobs. They also have the unfortunate ability to speak, which means they may betray their mission or employers, either intentionally or accidentally.
Malware has none of these limitations. You pick a set of targets, surveill them for weaknesses, exploit those weaknesses and install the malware and then sit back and wait for the data to start flowing. Of course, you need someone to write the attack tool in the first place, but there are plenty of good hackers available for that task. And because attribution is so difficult for malware–even highly specialized tools such as Stuxnet–the chances of an attack being pinned conclusively on a given country are quite low. Speculation may point to one potential or another, but proving who unleashed something like Flame is no small task.
That’s the beautiful thing about attacks like this for those on the offensive side: Not only do they have plausible deniability, they have actual deniability. Unless someone comes forward years down the road and says, Hey, I wrote Flame/Stuxnet/Duqu on contract for Israel/America/Iran, we’ll likely never know for sure where these tools originated. The best we can hope for is a good technical analysis and inferences of authorship based on target lists, and that’s not much use in the real world. The majority of known victims for Flame so far are in Iran, Israel and Palestine, three countries that have more than their share of enemies, so the list of potential attackers is long.
Figuring out who wrote Flame may be important for the intelligence agencies and forensics investigators in the victim countries and organizations, but for the rest of the world it’s just an interesting morsel of information. The most interesting piece here is that Flame, in some form, likely has been active for five years, and possibly longer, without being identified for what it was. That’s a fairly impressive feat for any piece of malware. As analysis has continued on Flame, researchers have found that the malware has a huge number of modules and pieces, but that it seems solely focused on gathering and exfiltrating data. It wasn’t designed to sabotage a nuclear facility or anything that exotic; just straight up theft.
And so perhaps the early lesson from the Flame malware episode is that not every operation requires an ultra-sophisticated tool. Sometimes, a boring, bloated piece of malware like Flame will do just fine.