Cybergate: Stuxnet and Flame are Related

Monday, June 11, 2012

Joel Harding


According to an Associated Press report here, contrary to previous reports that Stuxnet and Flame were unrelated, the authors of Stuxnet and Flame apparently worked together at one point.

There is evidence that “does suggest that very early on there was some sharing”.

According to an ABC News Report by Lee Ferran and Kirit Radia here, a block of code was shared between the two programs, sometime around 2009.

If this is the case we might begin looking for evidence of more code from Operation Olympic Games floating around in cyberspace.  Flame provides a framework for future warfare in cyberspace, as proposed by eScan Blog here.

According to the report:

"Its only objective is to gather intelligence i.e. data . Usernames, password hashes, url-cache, network drives, Cached passwords, Bluetooth devices, Instant Messenger traffic, Browser traffic et al. And it also comes with its own SQLLite database."

Flame appears to capture information useful for future exploits, much like hacking 101, but on steroids.

Stuxnet seems to capitalize on detailed information about targeted systems, in this case, the nuclear enhancement facility near Natanz, Iran at 33°43′N 51°43′E.

It does not appear that Flame is used to feed information to Stuxnet, so for what is the information obtained by Flame used?

Ah, that is the $64,000 dollar question.  There appears to be other programs floating around therefore, using the information obtained by Flame.  We know the information obtained by Flame comes from systems connected with the internet, so offline facilities, such as Natanz, should not provide any information. 

I can speak only for the US, where the vast majority of military equipment is not connected to the internet, they are on separate networks.  I am assuming Iranian systems are the same. This leaves critical infrastructure, such as electrical facilities, power sources, transportation and such, which can all have military applications.  

As I am careful to state, time and again, the targets must be used solely by the military to comply with the Laws of Armed Conflict.  From experience we have seen that Iran might not apply their targeting criteria so studiously, especially when they have proclaimed their nuclear program is entirely for civilian use.  

When targeting electrical systems that supply power to the military, it is difficult to avoid civilian bleedover.  It will be interesting to observe what the Iranians will target.

When will we begin calling it Cybergate?

Cross-posted from To Inform is to Influence

Possibly Related Articles:
Viruses & Malware
SCADA malware Iran Military Cyberwar Attacks Stuxnet Industrial Control Systems Law of Armed Conflict Flame W32.Flamer
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked