Précis - Research conducted by Kaspersky Lab claims to have detected at least three Flame-related cyber-espionage tools, one of which is currently in-the-wild.
What? The Flame malware, described by Kaspersky Lab as one of the most complex and advanced cyber-espionage tools yet discovered, originally came to light in May 2012 when a large-scale campaign targeting Middle East countries, predominantly Iran, was revealed. Flame infiltrates networks and collects sensitive data, which is sent to Command and Control (C&C) servers in many different parts of the world; it is thought to have been operational since March 2010. Its predecessor, Stuxnet, caused severe disruption to Iran's nuclear processing capabilities in 2009.
So what? Research performed by Kaspersky Lab, in conjunction with ITU's IMPACT, CERT-Bund/BSI and Symantec, analysed a number of the C&C servers used by Flame's creators and found that at least three additional Flame-related malicious programs (IP, SP and SPE) were created, of which SPE is known to be operating in-the-wild. The research also found that:
- the development of Flame's C&C platform started as early as December 2006;
- the C&C servers were disguised to look like a common Content Management System; and
- there is no sign that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.
The complexity of Flame and its targeted use led Kaspersky Lab to conclude that Flame is a nation-state-sponsored cyber-espionage tool, and this most recent research suggests that the cyber-espionage campaign is more extensive than previously thought. Recent statements by high-ranking officials and agencies in both the US and the UK add weight to the official legitimisation, or extension, of the "pre-emptive defence" concept in the cyber arena, whilst falling short of actual claims of responsibility.