The U.S. and Israel jointly developed the Flame spyware as a means of "preparing the battlefield" for further digital espionage against Iran, the Washington Post said today (June 19) in a lengthy article that relied on anonymous sources.
"Cyber collection against the Iranian program is way further down the road than this," a former American intelligence officer told the Post, implying that covert computer intelligence gathering is today much more sophisticated than Flame.
When it was discovered in late May, Flame, also known as Skywiper or Flamer, was deemed the most complex piece of malware ever found. Further research determined that Flame's creators forged a Microsoft digital certificate using an entirely new method of cracking cryptography.
But Flame was also found to be at least two or three years old, raising the question of what its developers had been up to since.
In fact, Flame is at least five years old, the Post's sources told the newspaper, and was created during the Bush administration as part of the same "Olympic Games" initiative that later developed Stuxnet.
Stuxnet was the computer worm that infected and crippled the Iranian uranium-processing facility at Natanz in the summer of 2010, setting back the Islamic Republic's nuclear program by several months.
Two years of speculation about Stuxnet's origin were settled on June 1 when the New York Times published a story establishing that the U.S. and Israel jointly developed the worm. Instead of denying the allegations, the U.S. government launched an investigation into the leak.
While Stuxnet specifically targeted the Natanz facility, Flame is general-purpose, using any method it can — keystroke logging, secret audio recording, surreptitious Bluetooth and Wi-Fi snooping, silent screenshots — to spy upon users of infected computers.
Flame also doggedly maps the often-isolated networks it infects, and transmits the information to its handlers by infecting USB drives in the expectation that the drives will later be plugged into Internet-connected computers.
Flame's highly modular structure allows it to be adapted to any number of possible scenarios, yet it has been found on fewer than 1,000 computers, almost all of them located in the Middle East.
The Post's sources hinted that the National Security Agency was involved in developing both Flame and Stuxnet, and that the CIA was involved in deploying them. Both agencies analyzed the data collected by Flame, the Post said.
Given the timeline, it seems likely that Flame was used to map the network at Natanz in 2008 or 2009 while Stuxnet was still in development.
Flame was only exposed, the Post article says, when Israel used it earlier this year to spy upon computers at Iran's oil ministry. Several computers spontaneously erased their contents, tipping off the Iranians that something was amiss and prompting them to ask for help from the Russian and Hungarian security firms that went on to discover and analyze Flame.
Some security experts think that Flame's self-destruct features may have malfunctioned in that instance, deleting important Windows system files in the process.
Similarly, American officials told the Times that Stuxnet only "escaped" Natanz because Israeli coders had modified its code to re-infect USB drives plugged into the Natanz network.