Cyber espionage

Experts: Flame represents a new level of state-sponsored cyber attacks

Published 1 June 2012

The latest cyber espionage malware, Flame, represents a new level of sophistication in state-sponsored cyberattacks; experts note that Flame circumvented anti-virus programs and remained undetected for between two and five years; one expert says: “[Flame] uses multiple exploit combinations so it is pretty significant that it hid itself, but maybe the best ones have not been discovered yet”; another expert says: “The failure to detect Flame means simplistic signature-based detection is obsolete”

Organizations must adapt their approach to cyber security according to the U.K.-based Information Security Forum (ISF).

The warning comes in the wake of the latest state-sponsored cyber attack, Flame, which is regarded as one of the most complicated and potentially damaging computer viruses yet created. Designed specifically for the purposes of cyber espionage, the attack has already affected Middle Eastern states, Iran, the West Bank, Syria, and Egypt.

According to the ISF, cyber attacks of this nature are becoming increasingly sophisticated as state-sponsored espionage, activism (online activists), and cybercrime move up a gear. This level of sophistication will only grow and grow on a global scale.

Steve Durban, Global VP at ISF, says we are in the process of seeing a cyber cold war develop:

“The cyber arms race we’re currently seeing will lead to a cyber cold war. This latest attack shows that nations are already in the process of developing more sophisticated ways to attack using cyberspace and will just go on to improve their capabilities and firepower over the next few years. Nations that haven’t already developed this capability will do so, especially when they see the damage it can cause.
“As the future becomes more uncertain, organizations must prepare for the unpredictable so they have the resilience to withstand unforeseen, high-impact events.
“Organizations that fail to prepare for such attacks will suffer the most — whether that’s financially, reputational damage, or physical damage, for example, to industrial control systems, there will be some level of impact.”

The ISF advises organizations to develop cyber resilience to help prepare for such attacks and to protect the integrity of both company systems and data.

“We advise our Members to implement a level of cyber security governance, develop a clear and comprehensive risk strategy and response plan, and ensure the matter of cyber security is supported at the very highest level,” Durban said. “Information security is no longer the dirty work done by the IT department in dusty server-filled rooms, it’s a boardroom issue. If organizations don’t recognize this and fail to adapt their business processes, they will suffer what may be very serious consequences now or in the future.”

Cyber experts agree with Durban that Flame represents a new level of cyber war:

  • Sergei Shevchenko says in his blog that “A large code [as in Flame] often means more code to emulate or the usage of higher-level languages that are much harder to emulate or their emulation is simply not supported. Without an ability to follow the execution logic programmatically, an anti-virus product might not be able to detect a well-protected sample effectively.”
  • Wieland Alge, general manager EMEA at Barracuda Networks, said: “The scariest and most shocking aspect is the length of time that Flame has remained undetected. Kaspersky’s own security experts estimate that Flame has been infecting systems and stealing data for several years, possibly as long as five years.”
  • Rob Rachwald, director of security strategy at Imperva, said: “It’s no secret that there is a huge industry devoted to bypassing anti-virus. Flame, we hope, will help serve as a key event that compels organizations to rethink their security spend.”
  • Gil Shwed, CEO and founder of Check Point, said: “This is one of the most significant attacks I have seen, there is not much new but it took known techniques and used them together. It uses multiple exploit combinations so it is pretty significant that it hid itself, but maybe the best ones have not been discovered yet.”
  • SCMagazine concludes: “The failure to detect Flame means simplistic signature-based detection is obsolete.”