[ISN] Cyber-Spying Flame Attackers Operated On 'Need To Know' Basis

From: InfoSec News <alerts_at_private>
Date: Tue, 18 Sep 2012 00:15:09 -0500 (CDT)
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240007486/cyber-spying-flame-attackers-operated-on-8216-need-to-know-8217-basis.html

By Kelly Jackson Higgins
Dark Reading
Sept 17, 2012

New research published separately today by Kaspersky Lab and Symantec, 
in conjunction with CERT-Bund/BSI and the International 
Telecommunications Union-IMPACT, shows that the sophisticated Flame 
cyberespionage campaign dates back to 2006 and confirms earlier 
suspicions of the existence of other related malware -- with three other 
related malware families out there, one of which is still in the wild.

Flame, which was first discovered by researchers this spring, is an 
information-stealing and spying tool that has been tied to Stuxnet, 
which sabotaged Iran's Natanz nuclear facility. It's basically a 
virtual, digitized spy tool that does what a human spy would do: 
recording phone calls, snapping photos, and siphoning information.

Researchers today confirmed their hypotheses that Flame just scratched 
the surface of the cyberespionage campaign most likely being conducted 
by a nation state. Published reports have pointed to the U.S. and Israel 
as playing a part in both Stuxnet and Flame, but neither Kaspersky Lab 
nor Symantec will comment on that.

Among the new findings about Flame is that it's not the newest version 
of malware used by the command-and-control server that was investigated 
by both Kaspersky and Symantec, and that the attackers took great pains 
to cover their tracks in order to evade detection. "They went to great 
lengths to hide things. Not only was the data stolen encrypted ... so no 
one could see it, but the fact that periodically everything on the 
server gets deleted, and the Wiper module would delete the malware off 
the client. Quite a bit of care was taken in covering their tracks," 
says Kevin Haley, director of Symantec Security Response. "That's 
indicative of a spy kind of thing."

[...]


Received on Mon Sep 17 2012 - 22:15:09 PDT