
Flame: Imperva's Rob Rachwald On The Cheapest, Simplest Superweapon Ever Devised

Flame was discovered in May 2012

When the massive international cyber attack known as Flame was discovered at the end of May 2012, it was called, without irony, the first online superweapon.

The problem with that word is that, in the past, superweapons were hard to make, expensive to maintain and could only be wielded by governments.

With Flame none of those things are true, says Rob Rachwald, director of security at Imperva, an international data protection firm.

He points out that for all the wonder that greeted Flame's discovery, nobody seemed to notice its deadliest features: it was cheap. It set a precedent. And when similar viruses start to proliferate we could all have a really big problem.

"You had people writing about how it was structured, what it did and so forth," Rachwald told the Huffington Post. "But nobody really sat back and asked the question 'what is the bigger political picture'."

The obsession with Flame's technical prowess was understandable, at first. As dribs and drabs of information emerged from security firms like Kaspersky and Symantec over several weeks, the weapon only seemed to grow more impressive.

Flame was highly virulent and targeted specifically at Iranian Oil Ministry computers. It could send audio and video recorded on a computer's cameras back to its creators, find and compromise nearby devices and download contact details via Bluetooth, build maps of nearby persons and buildings, install "apps" on itself to build new functions. It could even commit suicide if discovered.

Most quickly agreed that only a government could carry out the attack - even the UN said so - and eventually the US was named by the Washington Post and the New York Times as having accelerated its cyber warfare programme even as unnamed officials quoted by the paper declined to admit to creating Flame itself. The US government has officially denied involvement in Flame.

"It shows just how countries can use the cyber option as one of the lead options for deterrents," Rachwald said. "Meaning in this case for espionage. Stuxnet was designed for sabotage, Flame didn't do any sabotage, all it did was report on information."

Like most malware attacks, Flame could have been stopped in its tracks by simple prevention methods, and now most security packages can stop it. But the potential for similar, deadlier attacks still exists. And since Flame cost its creators a relatively small amount of money to make, there is almost no telling who will be behind the next one.

Yes, developing Flame took time and expertise, but compared to traditional weapons - guns and bombs - the effort-to-impact ratio makes it very attractive to small nations and terror cells.

"If you're in another country - take the Congo - you have to be looking at this and saying 'well jeez, what does this mean for my cyber security efforts'?" Rachwald said.

"If Flame only cost the US under $10m, I can buy an F18 for $25m or I can devise a virus for $5m. Hmm. What should I be doing?"

The point, Rachwald says, is that it now makes much more sense for a small nation to invest in cyber weapons like Flame than in military hardware. This broadens the threat and powers a new arms race. And in using it, Rachwald said, the US has lost the moral high ground.

"They tried to follow what's going on in China and Russia and it completely backfired," Rachwald said.

"In the past you'd always associated China and Russia with these sorts of things and the US was very quiet about it. But now US officials have come forward [in the New York Times] and said we wrote the most sophisticated piece of malware ever done."

There is also, Rachwald says, "the PR value". Flame is attractive to governments not just because of the cost, but because relative to guns and bombs it seems benign, even cheeky.

"If you attack someone with a virus the best thing that newspapers can do is put up a picture of source code. That's a lot more desirable than having pictures of dead kids put up on a news story."

And it's not just governments. Rachwald points out that a version of a Flame-like virus could potentially be wielded in civilian life.

"Could you build a very complicated piece of malware that could go after a CEO, or high-level technical people who have good schematics of future airplanes and other cool bits of technology?" he asked.

"If yes there is a big implication for people in industry or people in government about the elaborate links that governments can go to to acquire this through malware."

This new threat comes at a time when law enforcement is just starting to get a hold of how 'hacktivist' groups like Anonymous and LulzSec operate. As in any arms race, however, law enforcement is rarely anything other than reactive to new threats. In the hands of these kinds of hackers, a virus like Flame could do untold damage.

"Anonymous and LulzSec went on a pretty good rampage," he said:

"They were responsible for about half of the data taken from US companies and government last year. Then suddenly the FBI infiltrates them, turns one guy into an informant, and pretty much busts up the whole thing and now Anonymous at least in the US is quieted down quite a bit. … The rampage compared to a year ago is nowhere close."

Governments wielding weapons like Flame will have to play defence as well as offence, Rachwald said. Because as history has shown, even if you're the first to use a superweapon you're probably not going to be the last to acquire its power.

If you set a fire, you have to know you can put it out, he says.

"[When it was found] Flame was a novelty," he said. "And I think the novelty makes it interesting. But the problem with being novel is we got too preoccupied with that - and we didn't ask the question about what impact it will have."

For other security professionals, however, the threat of something like Flame can be overstated - at least for the average user. Especially since the vast majority of malware attacks are still easily preventable if basic precautions are taken - including Flame, which many virus protection software packages can now prevent.

Patricia Titus, chief information security officer at Symantec, said: "We're all paying attention to things like Flame and we're losing focus on good, basic cyber security and hygiene.

"Eighty percent of malware attacks could have been prevented by using good hygiene - patching your systems, keeping your signature definitions updated."

"We can't lose sight of what really absorbs our resources, and that is a malware infection or an attack coming in from an unprotected website. Basic security hygiene is not being done."
