Published June 11, 2012
The programmers behind Stuxnet and Flame -- the two most important and powerful cyberweapons ever created -- worked together during their development and even shared source code, researchers have found.
Identified two weeks ago, Flame is a highly sophisticated virus tailor-made for cyber-espionage. Experts now believe they have proof linking it to Stuxnet, a computer worm dissected in 2009 and 2010 that wreaked havoc on Iran’s nuclear facilities.
“We are now 100 percent sure that the Flame and Stuxnet groups worked together,” Roel Schouwenberg, a senior researcher at Kaspersky Lab, said during a press conference. “The fact that the Flame group shared their source code with the Stuxnet group shows they cooperated at least once.”
Even though the two viruses are built on completely different platforms and most likely developed independently, they shared key pieces of code during the development process, the security firm explained.
"What we have found is very strong evidence that the Stuxnet/Duqu and Flame cyberweapons are connected," Alexander Gostev, Kaspersky Lab’s Chief Security Expert said in a statement.
The finding in question relates to “Resource 207,” a module found in earlier versions of Stuxnet that bears a list of “striking resemblance” to Flame, including “names of mutually exclusive objects, the algorithm used to decrypt strings and similar approaches to file naming.”
Kaspersky believes the two teams worked independently but collaborated from time to time. One theory is that Stuxnet was used for sabotage while Flame was for general cyberespionage and they didn’t want the two to mix, the researchers explained.
"We think that these teams are different, two different teams working with each other, helping each other at different stages,” said the firm’s chief malware expert Vitaly Kamluk.
Iran's military revealed last month that the country's key oil industry was briefly affected by the powerful Flame virus, which has unprecedented data-snatching capabilities and can eavesdrop on computer users.
The full extent of the disruptions isn't clear, but Iran was forced to cut Internet links to the country's main oil export terminal, presumably to try to contain the virus.
It would be the latest high-profile virus to penetrate Iran's computer defenses in the past two years.