Mikko Hypponen, chief research officer at security provider F-Secure, believes that evidence is mounting that tech giant Microsoft may have been infiltrated by U.S. government operatives.
Hypponen's theory was prompted by a series of events surrounding the recently discovered "Flame" malware.
The W32.Flamer virus, also known as Flame, Flamer, and Skywiper, had initially been widely compared to the infamous Stuxnet and Duqu infections after being detected in high concentrations in Iran, and to a lesser extent in Israel, Palestine, Sudan, Syria, and several other nations.
New York Times writer David Sanger recently published a piece detailing the U.S. government's development of Stuxnet as a cyber weapon, and the leak of the government's classified project subsequently spurred an official investigation by the Department of Justice.
Researchers at Kaspersky Lab noted that one of the primary modules used in Flame is identical to code found in their analysis of the Stuxnet virus. The code, used in the Resource 207 module that exploits the Windows autorun feature, allows both pieces of malware to spread by way of removable USB memory sticks.
Kaspersky's analysis provided further confirmation that Stuxnet and Flame were authored by the same programmers, though there are indications they may have ultimately been developed by separate teams. These events led Hypponen to see a pattern emerging.
“The announcement that links Flame to Stuxnet and the conclusive proof that Stuxnet was a US tool means that Flame is also linked to the US government,” said Hypponen.
Furthermore, the Flame malware was accompanied by a spoofed Microsoft digital certificate and made use of a spoofed Microsoft Windows Update, which leads Hypponen to speculate that Microsoft may have been infiltrated by U.S. government operatives in order to pull off the operation successfully.
“They didn't hack Microsoft, no-one has broken into Microsoft, but by repurposing the certificate and modifying it with unknown hash collision technologies, and with the power of a supercomputer, they were able to start signing any program they wanted as if it was from Microsoft. If you combine that with the mechanism they were using to spoof MS Update server they had the crown jewels,” Hypponen explained.
“This makes you think that this breach of Microsoft's update system was done by the Americans and most likely a US agency, someone like the NSA,” Hypponen postulated.
Like Duqu, Flame appears to be designed as an intelligence gathering tool rather than a method of payload delivery like Stuxnet, which targeted Siemens Programmable Logic Controllers (PLCs), and is thought to have caused severe damage to Iranian uranium enrichment facilities.
“It's plausible that if there is an operation under way and being run by a US intelligence agency it would make perfect sense for them to plant moles inside Microsoft to assist in pulling it off, just as they would in any other undercover operation. It's not certain, but it would be common sense to expect they would do that,” Hypponen theorized.
Hypponen says that if there have indeed been insiders at Microsoft who assisted in manipulating the company's products to spread the Flame malware, it was probably done without the company's knowledge or consent.
“I don't think Microsoft was in on it, that it was helping the US government and I don't believe that because it looks very bad for Microsoft. I find it very hard to believe that Microsoft's top management would have approved that,” Hypponen concluded.
Microsoft has not commented on Hypponen's statements.
“That must make Microsoft mad as hell that its most critical system, used by 900 million of its customers, was breached by fellow Americans,” said Hypponen.