Kaspersky's Problematic "Flame" Analysis

Countries infected by Flame (SecureList 28MAY12)

I'm beginning to wonder what's going on over at Kaspersky Labs. Eugene Kaspersky has begun sounding like Richard Clarke with his warning about mega-cyber disasters during his keynote address at the AUSCERT IT security conference. Then there's his repeating of the Russian government mantra that a cyber weapons treaty is needed (it's not). Now Kaspersky Labs has called a virus whose only purpose is to steal data a "cyber weapon". Come on, guys. You've done some terrific research in the past with DuQu. Now all of a sudden, it seems like you've become evangelists for a Russian government strategy to raise the stakes in cyber war rhetoric. Espionage is not warfare and never has been. Hence a tool created solely to conduct cyber espionage cannot also be legitimately called a cyber weapon.

You've also wrongly simplified the scope of cyber actors out there to three when it has never been that cut and dried:

Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group.

You've conveniently failed to mention an important fourth category: mercenary hacker crews - principally from Russia and the Commonwealth of Independent States - who steal IP and sell it to both corporations and governments. Crews that would love a tool like Flame and who, in my opinion, are the most likely actors involved in using such a tool. If you'd be forthcoming with more information - such as Flame's Command and Control server URLs - a lot more could be learned about who may be behind this virus.

UPDATE (31 MAY 2012): See my related article "Flame, Russia and the ITU: A Geopolitical Agenda?"

Add to Cart

Related Product :