The French government has accused the United States of using Flame malware to break into the computer networks inside France’s presidential palace, the Elysee.
Newsmagazine l’Express reported the intrusion occurred days before the presidential elections in May when Nicolas Sarkozy was ousted by Francois Hollande. The magazine said the attackers were able to search computers belonging to Sarkozy’s closest advisor, Xavier Musca, and steal political and strategic secrets.
The United States Embassy in Paris has denied any involvement in hacking its ally.
“We categorically refute allegations of unidentified sources,” Mitchell Moss, Embassy spokesman, told l’Express. “France is one of our best allies. Our cooperation is remarkable in the areas of intelligence, law enforcement and cyber defense. It has never been so good and remains essential to achieve our common fight against extremist threat.”
L’Express quoted an anonymous source reportedly close to the investigation as saying the hack likely stemmed from France’s numerous political and economic agreements with countries in the Middle East, and from how those agreements might be affected by a political transition in the country.
“You can be on very good terms with a ‘friendly’ country and still want to guarantee their unwavering support—especially during a transition period,” the source said.
The attackers reportedly found their targets on Facebook, identifying people working inside the presidential palace and connecting with them on the social network. The social engineering laid the groundwork for the next phase of the attack; the victims were then sent links to a fake Elysee intranet page where their login credentials were stolen.
Once the attackers had legitimate credentials, l’Express reported, they installed the Flame malware and were able to pivot inside the network until they reached Musca’s machine. Sarkozy reportedly did not have a PC.
Department of Homeland Security secretary Janet Napolitano did not deny the U.S. was involved. She told l’Express: “We have no greater partner than France, we have no greater ally than France. We cooperate in many security-related areas. I am here to further reinforce those ties and create new ones.”
Flame, along with Stuxnet, has been linked to a joint U.S.-Israel operation targeting certain machines in Middle East countries such as Iran, Sudan, Syria and Lebanon. The malware is used for espionage and contains many capabilities, including the ability to log keystrokes, monitor network traffic, take screenshots of victims’ computers, record audio or video and send stolen data to Flame command and control servers. Flame was also discovered to be using a collision attack to forge a Microsoft digital certificate, which was used to sign the malware so that it appeared legitimate.
In October, Kaspersky Lab identified MiniFlame as a secondary surveillance tool deployed only after an initial Flame compromise. MiniFlame conducts in-depth surveillance on particular targets once an initial round of stolen data is analyzed and prime targets are identified, said Alexander Gostev, chief security expert at Kaspersky.
At the time MiniFlame was reported, only 20 MiniFlame infections had been detected; in comparison, Flame, which pre-dates Stuxnet, had infected 700 machines. Most of the MiniFlame infections were found in Lebanon, Kaspersky researchers said, while Flame targeted computers in Iran, Israel, Sudan and Syria.