Monday, May 28, 2012

Kaspersky's Problematic "Flame" Analysis

Countries infected by Flame (SecureList 28MAY12)
I'm beginning to wonder what's going on over at Kaspersky Labs. Eugene Kaspersky has begun sounding like Richard Clarke with his warning about mega-cyber disasters during his keynote address at the AUSCERT IT security conference. Then there's his repeating of the Russian government mantra that a cyber weapons treaty is needed (it's not). Now Kaspersky Labs has called a virus whose only purpose is to steal data a "cyber weapon". Come on, guys. You've done some terrific research in the past with DuQu. Now all of a sudden, it seems like you've become evangelists for a Russian government strategy to raise the stakes in cyber war rhetoric. Espionage is not warfare and never has been. Hence a tool created solely to conduct cyber espionage cannot also be legitimately called a cyber weapon.

You've also wrongly simplified the scope of cyber actors out there to three when it has never been that cut and dried:
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group.
You've conveniently failed to mention an important fourth category: mercenary hacker crews - principally from Russia and the Commonwealth of Independent States - who steal IP and sell it to both corporations and governments. These are crews that would love a tool like Flame and who, in my opinion, are the most likely actors involved in using such a tool. If you'd be forthcoming with more information - such as Flame's Command and Control server URLs - a lot more could be learned about who may be behind this virus.

UPDATE (31 MAY 2012): See my related article "Flame, Russia and the ITU: A Geopolitical Agenda?"

4 comments:

  1. Well yes but ...

    But isn't espionage a form of "economic warfare"?

  2. And then there's your post from March 20th of this year:
    http://jeffreycarr.blogspot.ca/2012/03/open-source-offensive-methodology-to.html

    Indeed, it is an insult to the skills and creativity of individuals to claim that it takes the resources of a nation state to produce complex software. Leaving aside the complex software produced by commercial 'for-profit' organizations, there is a lot of open source software that has been developed 'in spare time'. Further, there is code that generates code - and some of that generated code is very complex and rococo.

  3. "War" and "warfare" are used way too much, in my opinion. Rather than economic warfare, I'd call it competitiveness.

  4. An infostealer tool is a weapon in the same sense a FLIR recon and targeting pod attached to a fighter-bomber plane is a weapon. There is already something cyber out there, which targets and attacks Flamer-identified targets and probably causes some "collateral damage".

    Eugene Kaspersky is very nice to warn of a need for a cyber-weapons treaty. Russia will suffer the least in a cyberwar: no net, no mobile phones, let's go drink vodka! They will keep heroically fighting the foreign invaders of their sacred lands, even if there is no longer a link to their higher command, just like in the war-time novel "Volokolamsk Highway".

    Infinitely large Mother Russia is unconquerable in any way or shape, so KL need not worry for himself and his people, but for the well-being of the entire planet - therefore a cyber-weapons limiting treaty is needed and needs to be kept up with UN inspections!

    On the other hand, noticing there is no net and no mobile, developed people like Finns and Americans will jump from the windows of skyscrapers. The USA is the most vulnerable to cyber strikes; many there will think the Rapture has started when e-war arrives on their shores.
