Security researchers said on Monday that they have found a direct link between the Stuxnet worm and the more recently discovered Flame espionage malware, indicating that the two development teams cooperated.
“We’re very confident that the Flame team shared some of their source code with the Stuxnet group,” Roel Schouwenberg, a senior researcher with the Moscow-based Kaspersky Lab, said in an online presentation about the company’s findings, according to a report in Computerworld. “It’s conclusive proof that the two worked together, at least once.”
Stuxnet, a powerful cyber weapon that crippled parts of Iran’s nuclear fuel enrichment effort, was first discovered in mid-2010, but researchers later traced its first variant, and first attack, to June 2009, the report said.
Most researchers agree that Flame goes back at least to 2010. Kaspersky says its own analysis dates Flame to no later than the summer of 2008, and perhaps earlier.
The two pieces of malware each included a module that appears to originate from the same source code, likely written by a single programmer. According to Kaspersky, that module spread to Windows PCs through USB flash drives and exploited a vulnerability that was patched in June 2009.
Kaspersky dug into its detection logs last week looking for evidence of a link between Flame and Stuxnet, and found one.
“Flame was a kick-starter,” Schouwenberg said, explaining the use of the code similar to both Stuxnet and Flame. “In 2010, the Stuxnet group removed that [module], and each team went their separate ways.”
Samples of Flame found by researchers last month contained the same code. The differences between the two versions are small but significant: they show that the Flame authors, who by Kaspersky's timeline did their work before Stuxnet's makers, probably shared the module's source code rather than just a compiled executable.
“[Flame’s developers] shared their intellectual property with Stuxnet, which is huge news,” said Schouwenberg. “In any kind of software endeavor, you don’t share your source code with just anyone. Source code is your ultimate possession. It’s your source of income, actually. So we’re really quite sure that the Flame team had to have approved the sharing of the code.”
Previously, Kaspersky and other security firms had said that the evidence showed the two groups were funded by the same organization. The latest revelation proves that, and more, Schouwenberg said.
“This shows that the Flame and Stuxnet operations were parallel projects,” he said. “And now we’re 100% sure that they worked together.”
Flame infected at least 600 targeted computer systems in Iran, Syria, Lebanon, Egypt, Sudan, Saudi Arabia and the Palestinian Authority.
Kaspersky described Flame as "about 20 times larger than Stuxnet" and called it a "cyber-espionage worm" designed to collect and delete sensitive information, primarily in Middle Eastern countries. Experts said it was aimed at stealing Iranian-Russian blueprints, presumably of nuclear facilities.
Iran later admitted that its oil industry had been briefly affected by Flame, but claimed that Iranian experts had detected and defeated it.
U.S. computer security researchers said on Sunday that Flame had received orders to remove itself from infected machines, leaving no trace.
Anti-virus company Symantec said in a blog post that late last week some Flame "command-and-control servers sent an updated command to several compromised computers."
“This command was designed to completely remove (Flame) from the compromised computers,” said the statement.