ISSN 2330-717X

Flame Virus: Cyber-War Spearhead Or Spyware? – Interview

Interview with Oleg Demidov – cyber security expert at the Russian Center for Policy Studies, the PIR Center.

By Yekaterina Kudashkina and Yuri Tavrovsky

There are new cyber attacks, it seems that there is an age of cyber warfare approaching very rapidly. But if we look at it from an analytical perspective.

Thank you very much for this opportunity to present my opinion on the Flame. It is a very timely topic now because on the one hand there is still much debate about the previous, so-called supervirus Stuxnet and on the other hand it is closely, intimately linked with the political tensions in the Middle East and the Iranian nuclear program. But to understand better what this Flame is about we should keep some distance both from the Stuxnet issue and from the issue of the Iranian nuclear program, and Iranian and US political tensions.

So, first of all the Flame according to my own expert view and according to PIR Center’s position is not a cyber weapon, it is just a highly sophisticated cyber espionage tool. And these two notions make a principal difference in fact because when you speak about cyber warfare or a cyber weapon, it basically means that it is some kind of malware with code which is able to cause physical damage to critical infrastructure or at least damage to computer systems, I mean hardware. None of that takes place in the case of the Flame because the Flame is just a very sophisticated and, in a technical sense, diversified tool for collecting information from computer systems. Its maximum potential for causing some harm is just erasing the data when it is necessary and it is not the ultimate goal of the virus, to erase the data, but it is just a means it uses to remain uncovered and continue its cyber espionage activity. So, that’s the first principal thing about the Flame. It is just a cyber espionage tool and not a cyber weapon.

The second thing is that it is maybe the most technically advanced virus to date and here I fully agree with the analysis by Mr. Kaspersky whose laboratory in fact uncovered and found this virus just a little bit more than a week ago. It consists of more than twenty modules which are quite different both in their code and in their purpose. Each module is responsible for this or that particular function. Some of them provide such tools as interference in audio records, control over what is typed with the help of the keyboard and so on. Some of them are responsible for erasing data when it is necessary. Some of them are responsible for some other functions but that’s not just the main thing. The main thing is that it is not just a virus which performs only one function, it is a highly sophisticated collection of modules with a multifunctional toolset.

And maybe the final point which is principal and crucial when we speak about the Flame is that despite very alarmist views and assessments of the virus and a very alarmist approach which is now widely spread both in the media and among the experts to the question of who created the Flame, we do not share the opinion that it could be created exclusively with the help of a state or by state sponsored actors. The thing is that all the instruments and modules, and highly diversified functions its code uses, it is really grand, as it was said many times. In total, when the twenty modules are installed in a system which is attacked by the virus, its total size is over 20 MB of installed malicious code.

But at the same time this is just a collection of means and instruments, and modules which just bring together the functions which existed before. None of the modules by itself, regarded as a separate piece of code, brings anything revolutionary to the industry of viruses. It is just a very good, highly diversified and very advanced multifunctional collection of pieces of a malicious code brought together by some experts. In fact a high level tool of hackers who would like to integrate their tools and instruments could also do it despite the fact that still, if we are talking about a team of independent hackers or activists, we should recognize that it should be a very high level team.

Still there is not any direct evidence or indication that would allow us to say that they are closely linked to some governmental structures or that they are state sponsored actors. This is a very attractive point of view to associate the Flame creators with some state sponsored actors because the Flame is hard to analyze beyond the context of the Iranian nuclear program and the tensions in the Middle East, and the pressure maintained by the United States of America on Iran and its activities in the nuclear area and so on. But still, this link between the Flame, its creators and some Western state sponsored actors just cannot be proved in fact. It is just a hypothesis but anyone who tells you that he had some evidence able to prove it, it is not the truth. You cannot prove it anyway.

What kind of political change might the appearance of this complicated and as far as I understand a very expensive creation bring to the local politics? As far as I understand it was in place for the past two years and it is only now being detected. So, does that imply that what we are witnessing now is a total change in the security structures of the world, is my understanding correct? Or perhaps it is also a little bit too alarmist?

It is a very interesting and thought provoking question, and my idea is that when we speak about some tectonic shifts in the international security architecture provoked by such superviruses as the Flame and so on, it relates in fact more to the Stuxnet case, than to the case of the Flame because the Stuxnet is indeed a cyber weapon and indeed it is the tool threatening the whole existing system of international security. And when we analyze and when we hear some really alarmist and rather gloomy ideas expressed by some experts, for example only a few days ago Mr. Kaspersky warned us about the possible cyber apocalypse in the future, his speech was dedicated in fact to the information hysteria around the Flame but in fact it all relates more to the Stuxnet-like programs because they are cyber weapons and they are able to damage and to bring down critical infrastructures, not only critical computer infrastructure but I mean a critical infrastructure in the energy sector, some nuclear plants or transport logistics and so on.

The most dangerous thing and the greatest threat to the international security which is now arising from the cyber space is the situation when the tools like the Stuxnet and the tools like the Flame are used by some actor which remains unknown and are used together. For example you introduce the Flame or a Flame-like highly sophisticated cyber espionage tool into computer nets of a country you would like to gather the information about, you use it for several years, your program remains undetected and you gather a critical volume of information about some strategic projects conducted by the state, for example its nuclear program or its rocket program, or its program of development of some kinds of critical infrastructures and so on.

After that when you are provided with the information which can hardly be collected using any other means, unless you don’t have a very diversified spy network which is not available to many states without using the cyber espionage tools, in this case you have the volume of data which is exclusive and sensitive to use the next tool, to use a very specifically targeted cyber weapon which would hit particularly these or those types of infrastructures, types of strategic objects that you have previously collected information about. This link could really be terrible when you use the Flame-like and Stuxnet-like programs together in combination when they are all part of some grand operation against any state actor or something like that.

And using such tools and methods as means to spot someone’s for example nuclear program, this is just a too brightened and evident example to be ignored, that’s why I refer to it once again, using such a combination of tools would just induce a full-scale erosion in the existing architecture and system of international security because there are not any legal or political tools to counter it. You do not have any solid normative regulation of information security or using the cyber warfare on the international level in fact. All you have is just some tools of international cooperation or information exchange which are able to cope with some kinds of cyber crime activities but not in the case when such high level tools are used and exactly not in the case when they are used in combination which seems to be likely in the case of using the Stuxnet and the Flame, despite the fact that, I repeat, we still do not have any practical evidence to prove that they were both used by the same state sponsored actor.

Talking of Russia, what is Russia doing perhaps to increase its own security in this sphere?

In fact Russia at the moment is one of the most active actors on the international arena in introducing some new ideas and some proposals concerning all these issues. For example less than a year ago, in November 2011 Russia’s project Concept of a Convention on International Information Security was issued and was presented by our former Minister of Mass Communication Igor Shchegolev at London Cyber Space Conference. The ambition of the Concept of a Convention is to create the first ever really global transnational legal framework, basic legal framework for not just cooperation in information security sphere but a creation of some legally binding instruments which would prevent any state or state sponsored actors from elaborating, creating and releasing some new destructive tools, of kinds of cyber weapons like the Stuxnet.

VOR

VOR, or the Voice of Russia, was the Russian government's international radio broadcasting service from 1993 until 2014, when it was reorganised as Radio Sputnik.
