Stuxnet and Flame share code, development teams

Kaspersky Lab says early version of Stuxnet has a Flame module

By , Network World
June 11, 2012 12:38 PM ET

Network World - The recently discovered Flame cyber-espionage malware has a direct connection to the Stuxnet malware used to attack programmable logic controllers at Iranian nuclear facilities two years ago, according to Kaspersky Lab, which says Flame and Stuxnet share some technical code that reveals a common development effort of some sort.

The early version of Stuxnet has a Flame module, said Roel Schouwenberg, senior researcher at Kaspersky Lab, who joined with colleague Vitaly Kamluk to share Kaspersky's latest findings today about what the security firm says reveals a direct relationship between those who developed the cyber-weapon Stuxnet and those who developed the Windows-based cyber-espionage tool Flame. He called them "two parallel operations" that were coordinated in some form.


In recent revelations now rocking the political world, The New York Times reported that President Barack Obama ordered use of the Stuxnet cyber-weapon to attack Iran, charges the White House hasn't refuted. This has triggered a special investigation to find out where in the administration a leak about Stuxnet occurred.

Now, with Kaspersky's assertions that Stuxnet and the more-recently discovered Flame -- which Iran's computer-response team in May claimed was found infecting its oil-ministry computers -- are connected, the stakes may be raised even further in the political world.

In a briefing today, Kaspersky researchers emphatically said they stand by the assertion that the early version of Stuxnet, Stuxnet.A, has a "Flame module" (which they're referring to as "Resource 207"). The module was used as a transport mechanism, specifically for USB spreading and an autorun function in Windows and a privilege-escalation vulnerability (which has since been patched by Microsoft). Kaspersky was commissioned by the International Telecommunication Union, a division of the United Nations, to analyze Flame. The ITU has issued an alert to the world's countries about Flame, calling it dangerous.

Kaspersky Lab now thinks that the Flame malware predated the Stuxnet platform, that source code from Flame was shared with the developers of Stuxnet, and that both may be coordinated through the same entity.

Schouwenberg said it's important for the future of the cybersecurity community that the world understand the nature of these cyber-weapons.

Two years ago, Stuxnet was targeting Iranian infrastructure to slow down the programmable logic controllers at facilities where the U.S. believes Iran is trying to develop a nuclear weapon. But as The New York Times noted in its article, Stuxnet began to run wild in cyberspace, apparently not under control of its creators, which The New York Times says are the U.S. and Israel working in a cyber-weapon co-development project.

If Stuxnet hadn't been able to do certain "safety checks, it could have caused a power outage in the U.S.," Schouwenberg asserted.

Kaspersky Lab's assertion that Stuxnet and Flame share some common source code, and that this indicates cooperation between development teams, may be greeted with some skepticism.
