recommended reading

Flame operators likely behind three other unidentified viruses

Pavel Ignatov/

The masterminds of the Flame malware campaign were at work on three other unidentified viruses, new research reveals. The findings offer further clues of the increasingly aggressive and broadening push by state-sponsored entities to deploy computer viruses on foreign networks, highlighting how the digital domain has grown increasingly militarized.

Flame is a computer espionage tool discovered this year that targeted computers in Iran and other countries in the Middle East. The structure of the virus bears similarities to Stuxnet, a worm that targeted Iranian nuclear systems and was widely believed to have been the handiwork of Israeli and U.S. entities.

Scrutiny of the command and control servers for Flame reveal that more than 10,000 machines were likely to have been infected with the malware and development work dated back as early as 2006. “Based on the code from the server, we know Flame was a project from a list of at least four,” according to a research note from Moscow-based antivirus company Kaspersky Lab. “The purpose and nature of the other three remain unknown.” The firm collaborated with antivirus provider Symantec, German CERT-Bund and security coalition group Impact Alliance.

One malware strain codenamed SPE is apparently “in the wild” because a handful of machines infected with it reached out to a sinkhole -- a network component where traffic gets diverted -- set up by Kaspersky to “talk” to machines infected with Flame.

The Kaspersky researchers also said that tools on the Flame command and control servers were similar to those used by the operators of Duqu, an espionage malware that has infected Sudanese and Iranian machines. “It appears that the people who managed the C&Cs [command and controls] are more familiar with RedHat systems. This reminds us of the Duqu C&Cs which were all based on RedHatCentOS,” according to a Kaspersky note. RedHat makes a variety of commercially available software.

The researchers said that while the Flame control panel interface was designed to look “generic and unpretentious,” much like the systems used by amateurish hacktivist groups to launch sloppy botnet attacks, signs abounded of a deliberately-executed campaign.

Three people, under the leadership of a particularly adept coder, were responsible for the development of the command and control operation. Any data scooped up relied heavily on encryption.

(Image via Pavel Ignatov/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.