Security firm Kaspersky Lab recently announced the discovery of miniFlame, a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations.
Comparison of miniFlame with other malicious programs
miniFlame, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and was originally identified as a Flame module.
However, in September 2012, Kaspersky Lab’s research team conducted an in-depth analysis of Flame’s command and control servers (CC) and found that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware.
Analysis of miniFlame showed there were several versions created between 2010 and 2011, with some variants still being active in the wild.
The analysis also revealed new evidence of the cooperation between the creators of Flame and Gauss, as both malicious programs can use miniFlame as a “plug-in” for their operations.
Main findings:
• miniFlame, also known as SPE, is based on the same architectural platform as Flame. It can function as its own independent cyber espionage program or as a component inside both Flame and Gauss.
• The cyber espionage tool operates as a backdoor designed for data theft and direct access to infected systems.
• Development of miniFlame might have started as early as 2007 and continued until the end of 2011. Many more variants are presumed to exist. To date, Kaspersky Lab has identified six of these variants, covering two major generations: 4.x and 5.x.
• Unlike Flame or Gauss, which had a high number of infections, the number of infections for miniFlame is much smaller. According to Kaspersky Lab’s data, the number of observed infections is between 10 and 20 machines. The total number of infections worldwide is estimated at 50-60.
• The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss.
Discovery
The discovery of miniFlame occurred during the in-depth analysis of the Flame and Gauss malware.
In July 2012 Kaspersky Lab’s experts identified an additional module of Gauss, codenamed “John” and found references to the same module in Flame’s configuration files.
The subsequent analysis of Flame’s command and control servers, conducted in September 2012, helped to reveal that the newly discovered module was in fact a separate malicious program, although it can be used as a “plug-in” by both Gauss and Flame. miniFlame was codenamed SPE in the code of Flame’s original CC servers.
Kaspersky Lab discovered six different variations of miniFlame, all dating back to 2010-2011.
At the same time, the analysis of miniFlame points to an even earlier date for the start of the malware’s development – no later than 2007. miniFlame’s ability to be used as a plug-in by either Flame or Gauss clearly indicates collaboration between the development teams of both Flame and Gauss.
Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same “cyber warfare” factory.
Functionality
The original infection vector of miniFlame is yet to be determined. Given the confirmed relationship between miniFlame, Flame, and Gauss, miniFlame may be installed on machines already infected by Flame or Gauss.
Once installed, miniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine.
Additional info-stealing capabilities include taking screenshots of an infected computer while it’s running a specific program or application, such as a web browser, a Microsoft Office program, Adobe Reader, an instant messenger service, or an FTP client.
miniFlame uploads the stolen data by connecting to its CC server (which may be unique, or “shared” with Flame’s CCs). Separately, at the request from miniFlame’s CC operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that’s collected from infected machines without an internet connection.
Alexander Gostev, chief security expert at Kaspersky Lab, said “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack.
“First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage.
“The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss.”
SUDDENLY, Washington is extremely concerned about Chinese espionage.
Last month, the White House blocked a Chinese company from operating a wind farm near a sensitive Navy base in Oregon. Next, the House Intelligence Committee said two Chinese telecommunications firms were manufacturing equipment that could be used to spy on the United States, and Defense Secretary Leon E. Panetta told business leaders that the country faced the risk of a “cyber-Pearl Harbor” — an attack that could come from terrorist groups or a country like China. Finally, during Monday’s presidential debate, Mitt Romney warned that the Chinese were “stealing our intellectual property, our patents, our designs, our technology, hacking into our computers.”
There’s no question that American companies today are under surveillance: I’ve learned that the F.B.I. has obtained a video taken inside a hotel in China that shows Chinese agents rifling through an American businessman’s room, according to two sources familiar with the tape, which the F.B.I. has been playing as a warning for corporate security experts. But while the Chinese spying push is aggressive, American companies have been tapped, bugged and spied on for more than a hundred years. As often as not, the perpetrators have been other Americans — motivated not by patriotism for a foreign flag, but by simple profit.
In Placerville, Calif., a stockbroker named D. C. Williams took advantage of the latest high-tech telecommunications gear in an insider trading scam. The year was 1864. Mr. Williams, claiming to be in the stagecoach business, rented a room at a hotel called the Sportsman’s Hall, where the State Telegraph Company had offices. Sitting in his room, within earshot of the receiving equipment, Mr. Williams simply decoded the messages about business deals as they clattered in. When he tried to bribe the telegraph agent for exclusive access to news on an important mining lawsuit, the agent turned him in, and Mr. Williams was arrested.
Or take the case of John Broady, an audacious wiretapper who in the mid-1950s set up an eavesdropping nest at an apartment in Midtown Manhattan. Working with a source inside the phone company, he set up equipment capable of tapping and simultaneously recording 10 phone lines in the area. Among Mr. Broady’s clients was the drug company Pfizer, which hired him to tap the phones of its own employees and those of a competitor, Squibb.
Mr. Broady was ultimately undone by an anonymous tipster, most likely someone inside his organization. Bizarrely, at his trial he claimed there was a nefarious Chinese angle to his scam — he said he’d used the equipment to spy on a rogue Chinese Air Force general who’d stolen millions from his government. Mr. Broady said that someone who wanted to stop the investigation had killed one of his own agents in Mexico. “I didn’t want them to knock me off, like they did my man,” he said, breaking down in tears. “I have a wife and kids.” The jury thought it was an act, and Mr. Broady received a two- to four-year prison sentence.
In London in the fall of 2008, I met with Nick, a former British Special Forces soldier who has gone into the private espionage business — working for companies around the world to dig up dirt on their competitors or their own employees. Nick, who asked that I not use his last name, told me that they often used a simple strategy: they hired subcontractors to rent space in a building across the street from their competitor, and pointed laser microphones at conference rooms across the way. Voices in the rooms made slight vibrations in the windows, and Nick’s microphones could translate those back into sound that he could record.
Technology has changed the volume of information spies can purloin from corporate files, as well as the types of attacks possible from a distance. But the principle remains the same: spying is often easier than conducting one’s own research and development. This is certainly true from China’s perspective.
What has people in Washington really worried is the idea that such passive theft could turn into an active threat — not just snooping, but knocking out elevators or communications at a presidential event, or shutting down software controlling water supplies, electrical grids and nuclear power plants.
But while we deal with this new generation of spies, we shouldn’t forget the lessons learned battling the old. The best way to fight technology is not always with more technology — it’s with human beings. As Mr. Williams and Mr. Broady learned, the most dangerous threat to a high-tech snoop is an inside source who’s willing to come forward and expose the scheme. Law enforcement officials in the 19th and 20th centuries found ways to motivate those whistle-blowers. We must do the same.
Eamon Javers is a Washington correspondent for CNBC and the author of “Broker, Trader, Lawyer, Spy: The Secret World of Corporate Espionage.”
MONTREAL – Stealing secrets through cyber espionage may not have enough action for a spy like James Bond, but there can be less risk and “your own guys don’t get hurt,” a global security expert says.
Cyber spying is going to get more sophisticated and governments and businesses will continue to be targeted, said Steve Durbin, global vice-president of the Information Security Forum.
“If you go back to the original James Bond era, you used to have guys slugging around the streets trying to steal secrets,” Durbin said from New York.
“You don’t have that problem any more because you can set up a laptop or a computer in a living room and try to crack into systems around the world.”
“Spying has always been around and now it’s just making use of the technology that’s out there,” he said.
Durbin calls it “clean espionage” and said more often than not it is state sponsored.
“This isn’t about blowing things up, although you can do that, clearly. It’s clean espionage rather than some of the dirtier elements of people slugging it out in Afghanistan, for example.”
This kind of espionage can use computer malware or exploit technology such as closed-circuit TV cameras, GPS data, satellite feeds and telecom traffic, in addition to “feet on the street,” he said.
Durbin cites the Stuxnet virus as an example of clean espionage.
Stuxnet was tailored to disrupt Iran’s nuclear centrifuges and caused some setbacks within its uranium enrichment labs. It infected thousands of employees’ computers at the nuclear power reactor, Iranian officials have said. The United States and Israel are believed to be suspects.
An attack like that has more impact on the people being targeted than on your own forces, he said.
“So that’s attractive because not only is it effective, it is lower cost and your own guys don’t get hurt.”
China also has been accused by cyber security analysts of computer-based attacks focused on American oil, gas and other energy companies.
The U.K.-based Information Security Forum deals with security challenges that its corporate and public sector members are facing. It’s considered a global authority on information risk management and cyber security.
Durbin said infrastructure such as transportation, government national defence programs and networks, and energy and defence companies can all be targets.
Canada’s auditor general has said the federal government has been slow to boot up an effective response to the threat of cyber attacks on crucial systems.
The auditor general’s report said the shortcomings have left key networks — such as the one that ensures employment insurance benefits are delivered on time — exposed to attack.
Associate professor Tom Dean of Queen’s University said governments need to worry about what’s called advanced persistent threats.
They aren’t a standard virus or botnet that’s sending out spam email, said Dean, who teaches in the electrical and computer engineering faculty at Queen’s in Kingston, Ont.
“Advanced persistent threats from the more sophisticated actors, quite a few of which are state sponsored, are basically camping out and gathering information,” he said.
“That’s the biggest deal.”
China, Russia, areas in the Balkans, and former Soviet republics are considered suspects in state-sponsored cyber spying, he said.
Dean said there is potential for a destructive cyber attack but that would be “an act of war.”
Man of mystery … Jean-Philippe Wispelaere admitted during his trial that he thought of himself as James Bond.
One of the weirdest espionage cases in Australian history just got weirder.
A US intelligence officer is writing a book about how a psychic was used to track bumbling spy and former Brighton schoolboy Jean-Philippe Wispelaere during a secretive operation more than a decade ago.
Scott Carmichael, an author and senior security and counter-intelligence investigator at the US Defence Intelligence Agency, worked on the Wispelaere case in 1999. He is writing a book about how he used a psychic to identify Wispelaere after the former Australian Defence Intelligence Organisation analyst tried to sell stolen US documents to Singaporean embassy officials in Thailand.
While Wispelaere had given his email address to the embassy during negotiations to sell 1382 classified documents for hundreds of thousands of dollars, US authorities were not sure of his identity or whether he would make contact with the embassy again.
The Australian National University graduate eventually did make contact. He was then tricked by the Federal Bureau of Investigation into travelling to the US, where he was arrested, and sentenced to 15 years in federal prison in 2001.
The 41-year-old was released earlier this year and snubbed Australia, the country where he was raised and where his mother still lives, for Canada, his country of birth.
Wispelaere in his year 12 Brighton Secondary College School photograph.
Mr Carmichael stated, via email, that the use of psychics to identify ”unknown subjects” had been common among US intelligence agencies in the 1980s and was used until 1995.
It had been phased out by the time of the Wispelaere case, but Mr Carmichael said he decided to get in contact with psychic Angela Ford to conduct an operation that was not authorised by DIA.
“The agency was out of the psychic business,” Mr Carmichael said. “It seemed that I was out of luck. But I persisted. It was a purely personal endeavour to determine whether Angela could develop – through paranormal means – useful information about the walk-in event.”
Ms Ford said in an email that she had been told little detail about the case during her contact with Mr Carmichael, but had been able to establish that the man had called himself Baker, was an Australian, and was muscular and aged in his 20s.
She determined Wispelaere had tried to sell US documents at the Singaporean embassy in Bangkok, but she was confused as to why he had said he was involved with US imagery when he was an Australian.
Wispelaere, a steroid abuser and gym junkie, had used the name Jeff Baker when he approached the embassy, and had claimed to be an American.
“I was working many cases at this time and I was kept in the dark on all of them,” Ms Ford said.
“I couldn’t know anything about the cases I was working on because that would be cheating.”
US Naval Institute Press publicist Judy Heise confirmed Mr Carmichael was preparing a manuscript on the Wispelaere case and had previously had a book published by the company. She also confirmed his position with the DIA.
Clive Williams, a former intelligence analyst and army officer, said he was not aware of psychics ever being used in Australian operations. The visiting fellow at the Australian National University’s Strategic and Defence Studies Centre, and adjunct professor at Macquarie University’s Centre for Policing, Intelligence and Counter-terrorism, said he did not think the US had ever had much success with their psychic programs.
Professor Williams said he often found the published accounts of those who had worked in intelligence agencies questionable.
“Wispelaere’s espionage case was not very complicated. In fact, it was quite straightforward from an investigative perspective,” he said.
“Wispelaere was a low-level imagery analyst who should probably never have got through the security vetting process.
“There is a cottage industry of writers who claim that bin Laden is not dead, the Israelis were behind the World Trade Centre attack, etc. Of course, it is often very hard to prove the opposite case and may be limited by releasability of information.”
Bloomberg reports that China’s Supreme People’s Court was due to begin hearing AMSC Inc.’s copyright infringement case against Sinovel Wind Group Co. last Friday.
AMSC, a Devens-based maker of wind-turbine components, is seeking $6 million in damages from Sinovel, which is accused of stealing trade secrets from the local company through a rogue employee.
It’s one of four cases totaling $1.2 billion AMSC is seeking against Sinovel.
Sinovel stopped accepting contracted shipments from AMSC in March 2011.