France Accuses US of Using Flame Malware to Hack President’s Network

The French government has accused the United States of using Flame malware to break into the computer networks inside France’s presidential palace, the Elysee.

Newsmagazine l’Express reported the intrusion occurred days before the presidential elections in May when Nicolas Sarkozy was ousted by Francois Hollande. The magazine said the attackers were able to search computers belonging to Sarkozy’s closest advisor, Xavier Musca, and steal political and strategic secrets.

The United States Embassy in Paris has denied any involvement in hacking its ally.

“We categorically refute allegations of unidentified sources,” Mitchell Moss, Embassy spokesman, told l’Express. “France is one of our best allies. Our cooperation is remarkable in the areas of intelligence, law enforcement and cyber defense. It has never been so good and remains essential to achieve our common fight against extremist threat.”

L’Express quoted an anonymous source, reportedly close to the investigation, who said the hack likely stemmed from France’s numerous political and economic agreements with countries in the Middle East, and how those would be impacted during a potential political transition in the country.

“You can be on very good terms with a ‘friendly’ country and still want to guarantee their unwavering support—especially during a transition period,” the source said.

The attackers reportedly found their targets on Facebook, identifying people working inside the presidential palace and connecting with them on the social network. The social engineering laid the groundwork for the next phase of the attack; the victims were then sent links to a fake Elysee intranet page where their login credentials were stolen.

Once the attackers had legitimate credentials, l’Express reported, they installed the Flame malware and were able to pivot inside the network until landing on Musca’s machine. Sarkozy, reportedly, did not have a PC.

Department of Homeland Security secretary Janet Napolitano did not deny the U.S. was involved. She told l’Express: “We have no greater partner than France, we have no greater ally than France. We cooperate in many security-related areas. I am here to further reinforce those ties and create new ones.”

Flame, along with Stuxnet, has been linked to a joint U.S.-Israel operation targeting certain machines in Middle East countries such as Iran, Sudan, Syria and Lebanon. The malware is used for espionage and contains many capabilities, including the ability to log keystrokes, monitor network traffic, take screenshots of victims’ computers, record audio or video and send stolen data to Flame command and control servers. Flame also was discovered to be using a collision attack to forge a Microsoft digital certificate used to sign the malware as legitimate.

In October, Kaspersky Lab identified MiniFlame as a secondary surveillance tool deployed only after an initial Flame compromise. MiniFlame conducts in-depth surveillance on particular targets once an initial round of stolen data is analyzed and prime targets are identified, said Alexander Gostev, chief security expert at Kaspersky.

At the time it was reported, there were only 20 MiniFlame infections detected; in comparison, Flame, which pre-dates Stuxnet, had infected 700 machines. Most of the MiniFlame infections were found in Lebanon, Kaspersky researchers said, while Flame targeted computers in Iran, Israel, Sudan and Syria.

Discussion

  • Anonymous on

    Was Flame actually linked to the US? All the reporting I've seen says the US dropped some hints to Israel on how to make Stuxnet work so they wouldn't bomb Iran. Why the certainty that the US was involved in later intrusions?

  • sml156 on

    They were not after secrets; they were just looking for pirated copies of Jerry Lewis movies.

  • Methos1963 on

    There were elements of the Flame code that gave the impression that the US and/or Israel were the authors. The US has never denied nor confirmed that they were involved. I've not heard why the French believe it was the US that intentionally infected their networks, as opposed to accidental infection via the French's contact with other nations.

  • Ben on

    It could be China.

    Anyone can redirect the attack from an infected US server or any PC in the US to attack and plant malware into French Presidential networks.

    Flame was probably disassembled and customised by China's Red Army.

  • Anonymous on

    I pooped! Seriously though. There have to be some other implications that make them firmly believe that the US was involved. Everyone knows about botnets, redirects, tunnels, VPNs and the like. It is highly possible that it originated from another country and was directed through the US and then back to France.

  • Sig226 on

    Didn't the US announce some time ago that hacking US government networks will be considered an act of war and could result in a military response?

    Door swings both ways?
