This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.
You can find the current article at its original source at http://www.bbc.co.uk/news/technology-18324234#sa-ns_mchannel=rss&ns_source=PublicRSS20-sa
The article has changed 4 times. There is an RSS feed of changes available.
| Version 2 | Version 3 |
|---|---|
| Flame: Attackers 'sought confidential Iran data' | Flame: Attackers 'sought confidential Iran data' |
| (1 day later) | |
| By Dave Lee Technology reporter, BBC News | By Dave Lee Technology reporter, BBC News |
| The attackers behind the massive Flame malware were seeking to obtain technical drawings from Iran, researchers have said. | The attackers behind the massive Flame malware were seeking to obtain technical drawings from Iran, researchers have said. |
| Analysis by Kaspersky Lab suggested that the huge majority of targets were within the country. | Analysis by Kaspersky Lab suggested that the huge majority of targets were within the country. |
| The malware network, which was revealed last week, has since stopped operating. | The malware network, which was revealed last week, has since stopped operating. |
| It was also revealed that the attackers used a number of complex fake identities in order to carry out their plans. | It was also revealed that the attackers used a number of complex fake identities in order to carry out their plans. |
| The names, complete with fake addresses and billing information, were used to register more than 80 domain names used to distribute the malware. | The names, complete with fake addresses and billing information, were used to register more than 80 domain names used to distribute the malware. |
| The identities had been registering the domains since 2008 - a sign that Flame had been collecting data for several years. | The identities had been registering the domains since 2008 - a sign that Flame had been collecting data for several years. |
| Kaspersky Lab was able to compile statistics on the infection's spread by using a method known as "sinkholing". | Kaspersky Lab was able to compile statistics on the infection's spread by using a method known as "sinkholing". |
| "Sinkholing is a procedure when we discover a malicious server - whether it is an IP address or domain name - which we can take over with the help of the authorities or the [domain] registrar," explained Vitaly Kamluk, a senior researcher at Kaspersky. | "Sinkholing is a procedure when we discover a malicious server - whether it is an IP address or domain name - which we can take over with the help of the authorities or the [domain] registrar," explained Vitaly Kamluk, a senior researcher at Kaspersky. |
| "We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them." | "We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them." |
| By using this method, they found the majority of infected targets were directed at Iran, with other high counts found in both Israel and Palestine. | By using this method, they found the majority of infected targets were directed at Iran, with other high counts found in both Israel and Palestine. |
| The attackers had a "high interest in AutoCad drawings, in addition to PDF and text files", the researchers said. | The attackers had a "high interest in AutoCad drawings, in addition to PDF and text files", the researchers said. |
| 'Intelligence gathering' | 'Intelligence gathering' |
| AutoCad is a popular design software package used by engineers and architects. | AutoCad is a popular design software package used by engineers and architects. |
| "They were looking for the designs of mechanical and electrical equipment," said Prof Alan Woodward, a computing specialist from the University of Surrey. | "They were looking for the designs of mechanical and electrical equipment," said Prof Alan Woodward, a computing specialist from the University of Surrey. |
| "This could be either to find out how far advanced some particular project was/is, or to steal some design(s) to sell on the black market. | "This could be either to find out how far advanced some particular project was/is, or to steal some design(s) to sell on the black market. |
| "However, Iran isn't likely to have any intellectual property not available elsewhere. So, this suggests more a case of intelligence-gathering than onward selling on the black market." | "However, Iran isn't likely to have any intellectual property not available elsewhere. So, this suggests more a case of intelligence-gathering than onward selling on the black market." |
| Further instances of infected machines were detected in the US, as well as in the UK and other parts of Europe. | Further instances of infected machines were detected in the US, as well as in the UK and other parts of Europe. |
| However, the researchers pointed out this did not necessarily mean these countries were targets, as use of proxy servers can distort location data. | However, the researchers pointed out this did not necessarily mean these countries were targets, as use of proxy servers can distort location data. |
| The source of the attacks is still unknown, but early analysis showed the malware's command and control centres (C&C) were hosted in a variety of locations. | The source of the attacks is still unknown, but early analysis showed the malware's command and control centres (C&C) were hosted in a variety of locations. |
| The C&C centres were used to control the spread and operation of the attack, as well as collected the stolen data. | The C&C centres were used to control the spread and operation of the attack, as well as collected the stolen data. |
| Flame's C&C centres moved regularly, with operations being hosted in Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, Switzerland and the UK. | Flame's C&C centres moved regularly, with operations being hosted in Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, Switzerland and the UK. |
| Stuxnet similiarities | Stuxnet similiarities |
| The characteristics of Flame have seen it compared to past high-profile cyber-espionage attacks, most notably Stuxnet and Duqu. | The characteristics of Flame have seen it compared to past high-profile cyber-espionage attacks, most notably Stuxnet and Duqu. |
| Stuxnet specifically targeted nuclear centrifuges in Iran, reports said. | Stuxnet specifically targeted nuclear centrifuges in Iran, reports said. |
| A recent New York Times article said US President Barack Obama was responsible for directing the attack's operations. | A recent New York Times article said US President Barack Obama was responsible for directing the attack's operations. |
| Kaspersky's Mr Kamluk acknowledged the similarities between Stuxnet and Flame. | Kaspersky's Mr Kamluk acknowledged the similarities between Stuxnet and Flame. |
| "The geographical spread is very similar," he said. "It might be different attackers - however, the interests are all the same here." | |
| Microsoft has issued a security advisory and update to fix a vulnerability in Windows which allowed Flame to masquerade as a Microsoft-written piece of software. | Microsoft has issued a security advisory and update to fix a vulnerability in Windows which allowed Flame to masquerade as a Microsoft-written piece of software. |