Meet Flame, the Trojan Horse That “Redefines Notion of Cyberwar and Cyberespionage”

Last year, the United States and Israel were blamed for building Stuxnet, a computer worm allegedly designed to attack and control Iran’s critical infrastructure. Now a new tool believed to have been built with the backing of as yet unnamed nation states has been discovered in computers across the Middle East—only this time it is being used for surveillance, not sabotage.

Security researchers from the Kaspersky Lab yesterday revealed they had found and analyzed a Trojan-horse tool called “Flame,” which they dramatically described as “one of the most complex threats ever discovered” that “pretty much redefines the notion of cyberwar and cyberespionage.” 

Unlike Trojans deployed by criminals to steal money from bank accounts, Flame infects a system and scours it for intelligence contained in emails, documents, and messages. Once installed on a targeted computer, it can secretly take screenshots and even record audio from a microphone, sending this information back to its “master” under cover of an encrypted channel.

After conducting in-depth research into Flame, the Kaspersky researchers estimate it has affected “thousands of victims worldwide” and targeted specific individuals, including people working in academia or for private companies. It was found in Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.

The geography of the targeted countries, paired with the complexity of Flame’s design, led the researchers say that—though they did not name any suspects—there is “no doubt” a nation state sponsored the research that went into it. As Evgeny Morozov wrote on Future Tense yesterday, developing cyberweapons “requires a lot of resources, time, and operational secrecy.”

Law enforcement agencies are known to have used Trojan tools to carry out Flame-like surveillance functions—as was revealed in Germany by savvy computer hackers in 2011. Even the FBI, which along with other Western nations has held behind-closed-doors meetings about computer infiltration, has developed its own Trojan horse. But what appears most significant about Flame is that it has been deployed on a large scale—not just to target a cluster of terror suspects, but for widespread and indiscriminate intrusion of computer systems across an entire region.

According to Kaspersky’s analysis, Flame can infect computers through local area networks or be unwittingly picked up from websites or through email phishing, infecting “several dozen” computers at a time and siphoning their data simultaneously.

Once the stolen data have been analysed by the unknown controller of Flame, computers containing “interesting” data stay infected and are spied on. Flame is removed from those deemed not worth the time. The controllers can simply send an update to an infected computer that secretly deletes all traces of it. So, effectively, this means that large numbers of unsuspecting, entirely innocent individuals have had their computers infected, their documents copied, then the Trojan removed—and they will never know or find out they have been targeted in the first place.