Flame: Attackers ‘sought confidential Iran data’

Updated on: 2012-06-05 || Source: bbc.com

The attackers behind the massive Flame malware were seeking to obtain technical drawings from Iran, researchers have said.

Analysis by Kaspersky Lab suggested that the huge majority of targets were within the country.

The malware network, which was revealed last week, has since stopped operating.

It was also revealed that the attackers used a number of complex fake identities in order to carry out their plans.

The names, complete with fake addresses and billing information, were used to register more than 80 domain names used to distribute the malware.

The identities had been registering the domains since 2008 - a sign that Flame had been collecting data for several years.

Kaspersky Lab was able to compile statistics on the infection's spread by using a method known as "sinkholing".

"Sinkholing is a procedure when we discover a malicious server - whether it is an IP address or domain name - which we can take over with the help of the authorities or the [domain] registrar," explained Vitaly Kamluk, a senior researcher at Kaspersky.

"We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them."

By using this method, they found that the majority of infected machines were in Iran, with other high counts in Israel and Palestine.

The attackers had a "high interest in AutoCad drawings, in addition to PDF and text files", the researchers said.

'Intelligence gathering'

AutoCad is a popular design software package used by engineers and architects.

"They were looking for the designs of mechanical and electrical equipment," said Prof Alan Woodward, a computing specialist from the University of Surrey.

"This could be either to find out how far advanced some particular project was/is, or to steal some design(s) to sell on the black market.

"However, Iran isn't likely to have any intellectual property not available elsewhere. So, this suggests more a case of intelligence-gathering than onward selling on the black market."

Further instances of infected machines were detected in the US, as well as in the UK and other parts of Europe.

However, the researchers pointed out this did not necessarily mean these countries were targets, as use of proxy servers can distort location data.
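Kamluk's description of sinkholing above (redirect the victims' requests to a lab server, then log each infection) and the caveat that proxies distort location data can be shown together in a small log aggregator. The following is an added example, not Kaspersky's code or anything published with the article: the log format, the IP addresses, the IP-to-country table standing in for a GeoIP database, and the list of known proxy egress addresses are all constructed for illustration.

```python
"""Aggregate sinkhole request logs into per-country infection counts.

Added example. Everything below (log format, addresses, geo table,
proxy list) is constructed; none of it is Flame data.
"""
from collections import defaultdict
import ipaddress

# Constructed sinkhole log: "<timestamp> <client ip> <method> <path>".
# A sinkhole sees one line per beacon, so one host appears many times.
SINKHOLE_LOG = """\
2012-05-30T10:12:01Z 203.0.113.5 GET /beacon
2012-05-30T10:12:44Z 203.0.113.5 GET /beacon
2012-05-30T10:13:09Z 203.0.113.17 GET /beacon
2012-05-30T10:15:52Z 198.51.100.9 GET /beacon
2012-05-30T10:16:30Z 192.0.2.44 GET /beacon
2012-05-30T10:17:02Z 192.0.2.44 GET /beacon
2012-05-30T10:18:11Z 198.51.100.200 GET /beacon
malformed line that should be skipped
"""

# Constructed IP-to-country table (stands in for a real GeoIP database).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/25"): "IL",
    ipaddress.ip_network("198.51.100.128/25"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "GB",
}

# Constructed list of known proxy/VPN egress addresses. A hit from one of
# these tells you where the proxy is, not where the infected machine is,
# so such hosts are reported separately instead of being counted as
# infections in the proxy's country.
KNOWN_PROXIES = {ipaddress.ip_address("192.0.2.44")}


def lookup_country(ip):
    """Map an address to a country code using the constructed table."""
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"


def parse_line(line):
    """Return (timestamp, ip, method, path) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return parts[0], ip, parts[2], parts[3]


def count_infections(log_text):
    """Count unique beaconing hosts per country.

    Returns (direct, via_proxy): two dicts of country code -> host count.
    Each source IP is counted once, so repeated beacons from the same
    host do not inflate the total.
    """
    seen = set()
    direct = defaultdict(int)
    via_proxy = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a well-formed request line
        _, ip, _, _ = rec
        if ip in seen:
            continue  # same host beaconing again
        seen.add(ip)
        cc = lookup_country(ip)
        if ip in KNOWN_PROXIES:
            via_proxy[cc] += 1
        else:
            direct[cc] += 1
    return dict(direct), dict(via_proxy)


if __name__ == "__main__":
    direct, via_proxy = count_infections(SINKHOLE_LOG)
    for cc, n in sorted(direct.items(), key=lambda kv: -kv[1]):
        print(f"{cc}: {n} infected host(s)")
    for cc, n in via_proxy.items():
        print(f"{cc}: {n} host(s) behind a known proxy (location unreliable)")
```

The two-bucket output is the point: the per-country table only means something once repeated beacons are collapsed to hosts and hits from known proxy egress points are set aside, which is the distortion the researchers warn about.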

The source of the attacks is still unknown, but early analysis showed the malware's command and control centres (C&C) were hosted in a variety of locations.

The C&C centres were used to control the spread and operation of the attack, as well as to collect the stolen data.

Flame's C&C centres moved regularly, with operations being hosted in Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, Switzerland and the UK.

Stuxnet similarities

The characteristics of Flame have seen it compared to past high-profile cyber-espionage attacks, most notably Stuxnet and Duqu.

Stuxnet specifically targeted nuclear centrifuges in Iran, reports said.

A recent New York Times article said US President Barack Obama was responsible for directing the attack's operations.

Kaspersky's Mr Kamluk acknowledged the similarities between Stuxnet and Flame.

"The geographical spread is very similar," he said. "It might be different attackers; however, the interests are all the same here."

Microsoft has issued a security advisory and update to fix a vulnerability in Windows which allowed Flame to masquerade as a Microsoft-written piece of software.
