Researchers Connect Flame to U.S.-Israel Stuxnet Attack
The sophisticated espionage toolkit known as Flame is directly tied to the Stuxnet superworm that attacked Iran’s centrifuges in 2009 and 2010, according to researchers who recently found that the main module in Flame contains code that is nearly identical to a module that was used in an early version of Stuxnet.
Researchers at Russia-based Kaspersky Lab discovered that a part of the module that allows Flame to spread via USB sticks using the autorun function on a Windows machine contains the same code that was used in a version of Stuxnet that was unleashed on computers in Iran in 2009, reportedly in a joint operation between the U.S. and Israel. The module, which was known as Resource 207 in Stuxnet, was removed from subsequent versions of Stuxnet, but it served as a platform for what would later develop into the full-fledged Flame malware that is known today.
The researchers believe the attackers may have used the Flame module to kickstart their Stuxnet project before taking the two pieces of malware in separate directions. They’ve detailed the similarities between the modules in Flame and Stuxnet in a blog post.
“This could be in my opinion, together with the MD5 collision attack, maybe the biggest discoveries to date about Flame,” said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. The MD5 collision attack refers to a discovery last week that Flame used a previously unknown variant of a collision attack in its efforts to sign a malicious file with a fraudulent digital certificate to trick victim machines into thinking the file was legitimate and trusted code from Microsoft.