This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.
You can find the current article at its original source at http://www.bbc.co.uk/news/technology-18324234#sa-ns_mchannel=rss&ns_source=PublicRSS20-sa
The article has changed 4 times. There is an RSS feed of changes available.
Version 2 | Version 3 |
---|---|
Flame: Attackers 'sought confidential Iran data' | Flame: Attackers 'sought confidential Iran data' |
(1 day later) | |
By Dave Lee, Technology reporter, BBC News | By Dave Lee, Technology reporter, BBC News |
The attackers behind the massive Flame malware were seeking to obtain technical drawings from Iran, researchers have said. | The attackers behind the massive Flame malware were seeking to obtain technical drawings from Iran, researchers have said. |
Analysis by Kaspersky Lab suggested that the huge majority of targets were within the country. | Analysis by Kaspersky Lab suggested that the huge majority of targets were within the country. |
The malware network, which was revealed last week, has since stopped operating. | The malware network, which was revealed last week, has since stopped operating. |
It was also revealed that the attackers used a number of complex fake identities in order to carry out their plans. | It was also revealed that the attackers used a number of complex fake identities in order to carry out their plans. |
The names, complete with fake addresses and billing information, were used to register more than 80 domain names used to distribute the malware. | The names, complete with fake addresses and billing information, were used to register more than 80 domain names used to distribute the malware. |
The identities had been registering the domains since 2008 - a sign that Flame had been collecting data for several years. | The identities had been registering the domains since 2008 - a sign that Flame had been collecting data for several years. |
Kaspersky Lab was able to compile statistics on the infection's spread by using a method known as "sinkholing". | Kaspersky Lab was able to compile statistics on the infection's spread by using a method known as "sinkholing". |
"Sinkholing is a procedure when we discover a malicious server - whether it is an IP address or domain name - which we can take over with the help of the authorities or the [domain] registrar," explained Vitaly Kamluk, a senior researcher at Kaspersky. | "Sinkholing is a procedure when we discover a malicious server - whether it is an IP address or domain name - which we can take over with the help of the authorities or the [domain] registrar," explained Vitaly Kamluk, a senior researcher at Kaspersky. |
"We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them." | "We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them." |
By using this method, they found that the majority of infections were located in Iran, with other high counts in both Israel and Palestine. | By using this method, they found that the majority of infections were located in Iran, with other high counts in both Israel and Palestine. |
The attackers had a "high interest in AutoCAD drawings, in addition to PDF and text files", the researchers said. | The attackers had a "high interest in AutoCAD drawings, in addition to PDF and text files", the researchers said. |
'Intelligence gathering' | 'Intelligence gathering' |
AutoCAD is a popular design software package used by engineers and architects. | AutoCAD is a popular design software package used by engineers and architects. |
"They were looking for the designs of mechanical and electrical equipment," said Prof Alan Woodward, a computing specialist from the University of Surrey. | "They were looking for the designs of mechanical and electrical equipment," said Prof Alan Woodward, a computing specialist from the University of Surrey. |
"This could be either to find out how far advanced some particular project was/is, or to steal some design(s) to sell on the black market. | "This could be either to find out how far advanced some particular project was/is, or to steal some design(s) to sell on the black market. |
"However, Iran isn't likely to have any intellectual property not available elsewhere. So, this suggests more a case of intelligence-gathering than onward selling on the black market." | "However, Iran isn't likely to have any intellectual property not available elsewhere. So, this suggests more a case of intelligence-gathering than onward selling on the black market." |
Further instances of infected machines were detected in the US, as well as in the UK and other parts of Europe. | Further instances of infected machines were detected in the US, as well as in the UK and other parts of Europe. |
However, the researchers pointed out this did not necessarily mean these countries were targets, as use of proxy servers can distort location data. | However, the researchers pointed out this did not necessarily mean these countries were targets, as use of proxy servers can distort location data. |
The source of the attacks is still unknown, but early analysis showed the malware's command and control centres (C&C) were hosted in a variety of locations. | The source of the attacks is still unknown, but early analysis showed the malware's command and control centres (C&C) were hosted in a variety of locations. |
The C&C centres were used to control the spread and operation of the attack, as well as to collect the stolen data. | The C&C centres were used to control the spread and operation of the attack, as well as to collect the stolen data. |
Flame's C&C centres moved regularly, with operations being hosted in Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, Switzerland and the UK. | Flame's C&C centres moved regularly, with operations being hosted in Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, Switzerland and the UK. |
Stuxnet similarities | Stuxnet similarities |
The characteristics of Flame have seen it compared to past high-profile cyber-espionage attacks, most notably Stuxnet and Duqu. | The characteristics of Flame have seen it compared to past high-profile cyber-espionage attacks, most notably Stuxnet and Duqu. |
Stuxnet specifically targeted nuclear centrifuges in Iran, reports said. | Stuxnet specifically targeted nuclear centrifuges in Iran, reports said. |
A recent New York Times article said US President Barack Obama was responsible for directing the attack's operations. | A recent New York Times article said US President Barack Obama was responsible for directing the attack's operations. |
Kaspersky's Mr Kamluk acknowledged the similarities between Stuxnet and Flame. | Kaspersky's Mr Kamluk acknowledged the similarities between Stuxnet and Flame. |
"The geographical spread is very similar," he said. "It might be different attackers - however, the interests are all the same here." | |
Microsoft has issued a security advisory and update to fix a vulnerability in Windows which allowed Flame to masquerade as a Microsoft-written piece of software. | Microsoft has issued a security advisory and update to fix a vulnerability in Windows which allowed Flame to masquerade as a Microsoft-written piece of software. |
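The sinkholing procedure Kamluk describes above (a malicious domain is taken over with the registrar's help, so the victims' requests arrive at a lab server where each infection is logged), together with the later caveat that proxy servers distort location data, is illustrated by the following added example. It is not code from the BBC article or from Kaspersky Lab; the log format, the hostname `c2.example.invalid`, the prefix-to-country table standing in for a GeoIP database, and the list of known proxy ranges are all constructed assumptions.

```python
"""Sinkhole log aggregation (added illustration, not Kaspersky's tooling).

Once a C&C domain resolves to the lab server, every beacon from an infected
machine lands in the web server log. This script turns those log lines into
the kind of per-country infection count described in the article, counting
each source address once and refusing to attribute hits that come from known
proxy ranges.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not real Flame traffic). Assumed format:
# <timestamp> <client_ip> "<method> <path>" host=<requested hostname>
SAMPLE_LOG = """\
2012-06-01T10:00:01Z 203.0.113.10 "GET /index.php?id=1" host=c2.example.invalid
2012-06-01T10:00:05Z 203.0.113.10 "GET /index.php?id=1" host=c2.example.invalid
2012-06-01T10:01:00Z 203.0.113.77 "POST /upload" host=c2.example.invalid
2012-06-01T10:02:00Z 198.51.100.5 "GET /index.php?id=2" host=c2.example.invalid
2012-06-01T10:02:30Z 192.0.2.20 "GET /index.php?id=3" host=c2.example.invalid
2012-06-01T10:03:00Z 192.0.2.200 "GET /index.php?id=4" host=c2.example.invalid
2012-06-01T10:03:30Z 192.0.2.201 "GET /index.php?id=5" host=c2.example.invalid
2012-06-01T10:05:00Z 203.0.113.50 "GET /" host=other.invalid
not a log line at all
"""

# Assumed prefix-to-country table; a real deployment would query a GeoIP database.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "IR"),
    (ip_network("198.51.100.0/24"), "IL"),
    (ip_network("192.0.2.0/24"), "US"),
]

# Assumed list of known proxy/VPN exit ranges. A hit from one of these tells us
# nothing reliable about where the infected machine is, so it is bucketed
# separately instead of being credited to the range's country.
KNOWN_PROXY_RANGES = [ip_network("192.0.2.128/25")]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" host=(?P<host>\S+)$'
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ip_address(m.group("ip"))
    except ValueError:
        return None
    return {"ts": m.group("ts"), "ip": ip, "method": m.group("method"),
            "path": m.group("path"), "host": m.group("host")}


def lookup_country(ip):
    """Map an address to a country code via the assumed table ('??' if unknown)."""
    for net, cc in GEO_TABLE:
        if ip in net:
            return cc
    return "??"


def is_known_proxy(ip):
    return any(ip in net for net in KNOWN_PROXY_RANGES)


def summarise(log_text, sinkholed_hosts):
    """Count unique source addresses per country for the sinkholed hostnames.

    Only requests for the domains actually taken over are counted: a sinkhole
    address also receives scanner noise and requests for unrelated hostnames.
    Repeated beacons from one address count as one infected host.
    """
    victims_by_country = defaultdict(set)
    ignored = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["host"] not in sinkholed_hosts:
            ignored += 1
            continue
        ip = rec["ip"]
        bucket = "PROXY" if is_known_proxy(ip) else lookup_country(ip)
        victims_by_country[bucket].add(ip)
    counts = {cc: len(ips) for cc, ips in victims_by_country.items()}
    return {"unique_victims": counts, "ignored_lines": ignored}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, {"c2.example.invalid"})
    for cc, n in sorted(report["unique_victims"].items(), key=lambda kv: -kv[1]):
        print(f"{cc}: {n} infected host(s)")
    print(f"ignored lines: {report['ignored_lines']}")
```

Two design choices matter for the numbers the article quotes. Counting unique addresses rather than requests stops a chatty implant from inflating its country's figure, and keeping proxy-range hits in their own bucket is what lets an analyst say, as the researchers did, that a count in the US or UK "did not necessarily mean these countries were targets".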