Link between Flame and Stuxnet points to US connection

The creators of the Flame and Stuxnet malware cooperated at least once during the early stages of development, security researchers have found

The creators of the Flame and Stuxnet malware cooperated at least once during the early stages of development, security researchers have found.

A link between the two suggests a connection between Flame and US involvement.

At the time of its discovery, there was no strong evidence of Flame being developed by the same team that delivered Stuxnet and Duqu, because of different approaches to development.

However, in-depth research by the team from security firm Kaspersky Lab that discovered Flame in May, in an investigation prompted by the International Communications Union (ITU), has revealed the development teams cooperated at least once during the early stages.

Resource 207

Kaspersky Lab discovered that a module from the early 2009 version of Stuxnet, known as “Resource 207”, comprises a Flame plug-in, according to a blog post by researchers.

The latest analysis shows this particular file has a lot in common with the code used in Flame, such as the algorithm used to decrypt strings and the similar approaches to file naming.

Most sections of code appear identical or similar in the respective Stuxnet and Flame modules, which leads to the conclusion that the exchange between Flame and the Duqu/Stuxnet teams was done in a form of source code, not in binary form.

This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed; and that in 2009, the source code of at least one module of Flame was used in Stuxnet.

This module was used to spread the infection via USB drives. The code of the USB drive infection mechanism is identical in Flame and Stuxnet.

The Flame module in Stuxnet also exploited a vulnerability (MS09-025) which was unknown at the time and which enabled escalation of privileges.

Subsequently, the Flame plug-in module was removed from Stuxnet in 2010 and replaced by several different modules that used new vulnerabilities.

Starting from 2010, the two development teams worked independently, with the only suspected cooperation taking place in terms of exchanging the know-how about the new “zero-day” vulnerabilities.

“Despite the newly discovered facts, we are confident that Flame and Tilded [Stuxnet/Duqu] are completely different platforms, used to develop multiple cyber-weapons," said Alexander Gostev, chief security expert at Kaspersky Lab.

"However, the new findings – that reveal how the teams shared source code of at least one module in the early stages of development – prove the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected," Gostev said.

US connection

News organisations, including Reuters and The New York Times, have reported that the US and Israel were behind Stuxnet. 

Stuxnet was uncovered in 2010 after it damaged centrifuges used to enrich uranium at a facility in Natanz, Iran.

The latest research linking Stuxnet and Flame could bolster the belief of many security experts that Stuxnet was part of a substantial US-led cyber programme still active in the Middle East and perhaps other parts of the world, according to Reuters.

Other private security companies are now racing to uncover the secrets of Flame and could soon confirm the latest findings of Kaspersky Lab, Reuters said, which would also confirm that the US is involved in cyber espionage.

In the past, the US has strongly criticised China, Russia and other nations for repeated incursions in cyber espionage.

Read more on Hackers and cybercrime prevention