Flame (malware)

{{short description|Modular computer malware discovered in 2012}}

{{redirect|Skywiper|the portable anti-drone device|EDM4S}}

{{distinguish|Stoned (computer virus)#Flame/Stamford|Flaming (Internet)}}

{{Use dmy dates|date=September 2020}}

{{Update|talk=Outdated?|date=June 2016}}

{{Infobox computer virus

| image =

| caption =

| common_name =

| technical_name =

| aliases = Flamer, sKyWIper, Skywiper

| family =

| classification =

| type = Malware

| subtype =

| isolation_date =

| origin =

| infection_vector =

| author = Equation Group

| ports_used =

| OS = Windows

| filesize = 20 MB

| language = C++, Lua

| discontinuation_date =

}}

Flame,{{efn|"Flame" is one of the strings found in the code, a common name for attacks, most likely by exploits}} also known as Flamer, sKyWIper,{{efn|The name "sKyWIper" is derived from the letters "KWI" which are used as a partial filename by the malware}} and Skywiper,{{cite web | url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=c6d8b8d6-db3e-4d63-b947-411739f9e7f6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments | title=Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East | publisher=Symantec | access-date=30 May 2012 | archive-url=https://web.archive.org/web/20120531022507/http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east | archive-date=31 May 2012 | url-status=live}} is modular computer malware discovered in 2012{{cite news | title=Flame: Massive Cyber-Attack Discovered, Researchers Say | first=Dave | last=Lee | url=https://www.bbc.com/news/technology-18238326 | work=BBC News | date=28 May 2012 | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120530232458/http://www.bbc.com/news/technology-18238326 | archive-date=30 May 2012 | url-status=live}}{{cite news | title=Flame: World's Most Complex Computer Virus Exposed | first1=Damien | last1=McElroy | first2=Christopher | last2=Williams | url=https://www.telegraph.co.uk/news/worldnews/middleeast/iran/9295938/Flame-worlds-most-complex-computer-virus-exposed.html | newspaper=The Daily Telegraph | date=28 May 2012 | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120530190924/http://www.telegraph.co.uk/news/worldnews/middleeast/iran/9295938/Flame-worlds-most-complex-computer-virus-exposed.html | archive-date=30 May 2012 | url-status=live}} that attacks computers running the Microsoft Windows operating system. 
The program is used for targeted cyber espionage in Middle Eastern countries.{{cite web | url=http://www.crysys.hu/skywiper/skywiper.pdf | title=sKyWIper: A Complex Malware for Targeted Attacks | date=28 May 2012 | publisher=Budapest University of Technology and Economics | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120528142705/http://www.crysys.hu/skywiper/skywiper.pdf | archive-date=28 May 2012 | url-status=dead}}{{cite web | url=http://www.certcc.ir/index.php?name=news&file=article&sid=1894&newlang=eng | title=Identification of a New Targeted Cyber-Attack | date=28 May 2012 | publisher=Iran Computer Emergency Response Team | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120529114540/http://www.certcc.ir/index.php?name=news&file=article&sid=1894&newlang=eng | archive-date=29 May 2012 | url-status=dead}}{{cite web | url=https://securelist.com/the-flame-questions-and-answers/34344/ | title=The Flame: Questions and Answers | first=Alexander | last=Gostev | date=28 May 2012 | work=Securelist | access-date=16 March 2021 | archive-url=https://web.archive.org/web/20120530214156/http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers | url-status=live | archive-date=30 May 2012}}

Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab and CrySyS Lab of the Budapest University of Technology and Economics. The last of these stated in its report that Flame "is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found." Flame can spread to other systems over a local area network (LAN). It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.

According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. At that time 65% of the infections happened in Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, with a "huge majority of targets" within Iran. Flame has also been reported in Europe and North America.{{cite web | url=http://mashable.com/2012/06/04/flame-malware/ | title=Meet Flame, the Nastiest Computer Malware Yet | author=Murphy, Samantha | date=5 June 2012 | publisher=Mashable.com | access-date=8 June 2012 | archive-date=8 June 2012 | archive-url=https://web.archive.org/web/20120608082238/http://mashable.com/2012/06/04/flame-malware/ | url-status=live }} Flame supports a "kill" command which wipes all traces of the malware from the computer. The initial infections of Flame stopped operating after its public exposure, and the "kill" command was sent.

Flame is linked to the Equation Group by Kaspersky Lab. However, Costin Raiu, the director of Kaspersky Lab's global research and analysis team, believes the group only cooperates with the creators of Flame and Stuxnet from a position of superiority: "Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."{{cite web | url=https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/ | author=Kaspersky Labs Global Research & Analysis Team | title=Equation: The Death Star of Malware Galaxy | archive-url=https://web.archive.org/web/20150217214225/https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/ | archive-date=17 February 2015 | website=SecureList | date=16 February 2015 | quote=Costin Raiu (director of Kaspersky Lab's global research and analysis team): "It seems to me Equation Group are the ones with the coolest toys. Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."}}

Flame is regarded as one of the most significant and intricate cyber-espionage tools yet discovered. It penetrated numerous computers across the Middle East in part by presenting a counterfeit copy of a genuine Microsoft certificate, which made its components appear to be signed by Microsoft.{{Cite journal | last=Munro | first=Kate | date=2012-10-01 | title=Deconstructing Flame: the limitations of traditional defences | journal=Computer Fraud & Security | volume=2012 | issue=10 | pages=8–11 | doi=10.1016/S1361-3723(12)70102-1 | issn=1361-3723}}

In 2019, researchers Juan Andres Guerrero-Saade and Silas Cutler announced their discovery of the resurgence of Flame.{{Cite web | last=Zetter | first=Kim | title=Researchers Uncover New Version of the Infamous Flame Malware | url=https://www.vice.com/en/article/researchers-uncover-new-version-of-the-infamous-flame-malware/ | access-date=2020-08-06 | website=Vice.com | publisher=Vice Media | date=9 April 2019 | language=en}}{{Cite web | author=Chronicle Security | date=2019-04-12 | title=Who is GOSSIPGIRL? | url=https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0 | access-date=2020-07-15 | website=Medium | language=en | archive-date=22 July 2020 | archive-url=https://web.archive.org/web/20200722082746/https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0 | url-status=live }} The attackers used "timestomping" (altering the timestamps and dates recorded on files) to make the new samples look as though they had been created before the "suicide" command was issued. However, a compilation error left the real compilation date ({{circa|2014}}) in the samples. The new version (dubbed "Flame 2.0" by the researchers) includes new encryption and obfuscation mechanisms to hide its functionality.{{cite report | last1=Guerrero-Saade | first1=Juan Andres | last2=Cutler | first2=Silas | title=Flame 2.0: Risen from the Ashes | date=9 April 2019 | publisher=Chronicle Security | url=https://silascutler.com/uploads/Flame_2.0_Risen_from_the_Ashes.pdf | language=en | access-date=17 May 2024 | archive-date=1 June 2023 | archive-url=https://web.archive.org/web/20230601024518/https://silascutler.com/uploads/Flame_2.0_Risen_from_the_Ashes.pdf | url-status=live }}

== History ==

Flame (a.k.a. Da Flame) was identified in May 2012 by the MAHER Center of the Iranian National CERT, Kaspersky Lab and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics when Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers.{{cite news | title=Meet 'Flame,' The Massive Spy Malware Infiltrating Iranian Computers | first=Kim | last=Zetter | url=https://www.wired.com/threatlevel/2012/05/flame/ | newspaper=Wired | date=28 May 2012 | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120530213153/http://www.wired.com/threatlevel/2012/05/flame/ | archive-date=30 May 2012 | url-status=live}} As Kaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, researchers dubbed the program "Flame" after one of the main modules inside the toolkit {{mono|[FROG.DefaultAttacks.A-InstallFlame]}}.

According to Kaspersky, Flame had been operating in the wild since at least February 2010. CrySyS Lab reported that the file name of the main component was observed as early as December 2007. However, its creation date could not be determined directly, as the creation dates for the malware's modules are falsely set to dates as early as 1994.

Computer experts consider it the cause of an attack in April 2012 that caused Iranian officials to disconnect their oil terminals from the Internet.{{cite news | title=Computer Worm That Hit Iran Oil Terminals 'Is Most Complex Yet' | first=Nick | last=Hopkins | url=https://www.theguardian.com/world/2012/may/28/computer-worm-iran-oil-w32flamer | newspaper=The Guardian | date=28 May 2012 | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120531004924/http://www.guardian.co.uk/world/2012/may/28/computer-worm-iran-oil-w32flamer | archive-date=31 May 2012 | url-status=live}} At the time the Iranian Students News Agency referred to the malware that caused the attack as "Wiper", a name given to it by the malware's creator.{{cite news | title=Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet | first=Thomas | last=Erdbrink | url=https://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amid-cyberattack.html | newspaper=The New York Times | date=23 April 2012 | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120531000136/http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amid-cyberattack.html?_r=1 | archive-date=31 May 2012 | url-status=live}} However, Kaspersky Lab believes that Flame may be "a separate infection entirely" from the Wiper malware. Due to the size and complexity of the program—described as "twenty times" more complicated than Stuxnet—the Lab stated that a full analysis could require as long as ten years.

On 28 May, Iran's CERT announced that it had developed a detection program and a removal tool for Flame, and had been distributing these to "select organizations" for several weeks. After Flame's exposure in news media, Symantec reported on 8 June that some Flame command and control (C&C) computers had sent a "suicide" command to infected PCs to remove all traces of Flame.{{cite web | url=https://www.bbc.co.uk/news/technology-18365844 | title=Flame malware makers send 'suicide' code | date=8 June 2012 | work=BBC News | access-date=8 June 2012 | archive-date=24 August 2012 | archive-url=https://web.archive.org/web/20120824202112/http://www.bbc.co.uk/news/technology-18365844 | url-status=live }} All copies of the program and any related files were deleted.{{Cite web |title=Flame |url=https://www.radware.com/security/ddos-knowledge-center/ddospedia/flame/#:~:text=In%20June%202012,%20many%20of,on%20all%20Flame-infected%20machines. |access-date=2024-09-25 |website=www.radware.com}}

According to estimates by Kaspersky in May 2012, initially Flame had infected approximately 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. At that time the countries most affected were Iran, Israel, the Palestinian Territories, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.

A sample of the Flame malware is available at [https://github.com/phoenixlzx/flame-sourcecode GitHub].

== Operation ==

{| class="wikitable" style="float: right; margin:24px; margin-top: 0px;"
|+ List of code names for various families of modules in Flame's source code and their possible purpose
! Name
! Description
|-
| Flame
| Modules that perform attack functions
|-
| Boost
| Information gathering modules
|-
| Flask
| A type of attack module
|-
| Jimmy
| A type of attack module
|-
| Munch
| Installation and propagation modules
|-
| Snack
| Local propagation modules
|-
| Spotter
| Scanning modules
|-
| Transport
| Replication modules
|-
| Euphoria
| File leaking modules
|-
| Headache
| Attack parameters or properties
|}

Flame is an uncharacteristically large program for malware at 20 megabytes. It is written partly in the Lua scripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection.{{cite web | url=http://blog.fireeye.com/research/2012/05/flamerskywiper-analysis.html | title=Flamer/sKyWIper Malware: Analysis | last=Kindlund | first=Darien | date=30 May 2012 | publisher=FireEye | access-date=31 May 2012 | archive-url=https://web.archive.org/web/20120602005310/http://blog.fireeye.com/research/2012/05/flamerskywiper-analysis.html | archive-date=2 June 2012 | url-status=live}} The malware uses five different encryption methods and an SQLite database to store structured information. The method used to inject code into various processes is stealthy, in that the malware modules do not appear in a listing of the modules loaded into a process and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications. The internal code has few similarities with other malware, but exploits two of the same security vulnerabilities used previously by Stuxnet to infect systems.{{efn|MS10-061 and MS10-046}} The malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software. Additional indicators of compromise include mutex and registry activity, such as installation of a fake audio driver which the malware uses to maintain persistence on the compromised system.

Flame is not designed to deactivate automatically, but supports a "kill" function that makes it eliminate all traces of its files and operation from a system on receipt of a module from its controllers.

Flame was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority.{{cite web | url=http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx?Redirected=true | title=Microsoft releases Security Advisory 2718704 | publisher=Microsoft | date=3 June 2012 | access-date=4 June 2012 | archive-date=7 June 2012 | archive-url=https://web.archive.org/web/20120607215605/http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx?Redirected=true | url-status=live }} The malware authors identified a Microsoft Terminal Server Licensing Service certificate that was inadvertently enabled for code signing and that still used the weak MD5 hashing algorithm, then produced a counterfeit copy of the certificate that they used to sign some components of the malware to make them appear to have originated from Microsoft. A successful collision attack against a certificate was previously demonstrated in 2008,{{cite conference | url=http://www.win.tue.nl/hashclash/rogue-ca/ | title=MD5 considered harmful today: creating a rogue CA certificate | last1=Sotirov | first1=Alexander | last2=Stevens | first2=Marc | last3=Appelbaum | first3=Jacob | last4=Lenstra | first4=Arjen | last5=Molnar | first5=David | last6=Osvik | first6=Dag Arne | last7=de Weger | first7=Benne | date=30 December 2008 | event=25th Annual Chaos Communication Congress in Berlin | access-date=4 June 2011 | archive-date=25 March 2017 | archive-url=https://web.archive.org/web/20170325033522/http://www.win.tue.nl/hashclash/rogue-ca/ | url-status=live }} but Flame implemented a new variation of the chosen-prefix collision attack.{{cite web | url=http://www.cwi.nl/news/2012/cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware | title=CWI Cryptanalist Discovers New Cryptographic Attack Variant in Flame Spy Malware | first=Marc | last=Stevens | publisher=Centrum Wiskunde & Informatica | date=7 June 2012 | access-date=9 June 2012 | archive-url=https://web.archive.org/web/20170228155805/http://www.cwi.nl/news/2012/cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware | archive-date=2017-02-28}}

{| class="wikitable collapsible collapsed" style="float: left;"
|+ Compromised Microsoft certificate using the weak MD5 algorithm, and the unintended code-signing usage
! style="background: #efefef;" scope="col" width="150" | Property
! style="background: #efefef;" scope="col" width="300" | Value
|-
| Version
| V3
|-
| Serial number
| 3a ab 11 de e5 2f 1b 19 d0 56
|-
| Signature algorithm
| bgcolor="#faa" | md5RSA
|-
| Signature hash algorithm
| bgcolor="#faa" | md5
|-
| Issuer
| CN = Microsoft Root Authority, OU = Microsoft Corporation, OU = Copyright (c) 1997 Microsoft Corp.
|-
| Valid from
| Thursday, 10 December 2009 11:55:35 AM
|-
| Valid to
| Sunday, 23 October 2016 6:00:00 PM
|-
| Subject
| CN = Microsoft Enforced Licensing Intermediate PCA, OU = Copyright (c) 1999 Microsoft Corp., O = Microsoft Corporation, L = Redmond, S = Washington, C = US
|-
| Public key
| 30 82 01 0a 02 82 01 01 00 fa c9 3f 35 cb b4 42 4c 19 a8 98 e2 f4 e6 ca c5 b2 ff e9 29 25 63 9a b7 eb b9 28 2b a7 58 1f 05 df d8 f8 cf 4a f1 92 47 15 c0 b5 e0 42 32 37 82 99 d6 4b 3a 5a d6 7a 25 2a 9b 13 8f 75 75 cb 9e 52 c6 65 ab 6a 0a b5 7f 7f 20 69 a4 59 04 2c b7 b5 eb 7f 2c 0d 82 a8 3b 10 d1 7f a3 4e 39 e0 28 2c 39 f3 78 d4 84 77 36 ba 68 0f e8 5d e5 52 e1 6c e2 78 d6 d7 c6 b9 dc 7b 08 44 ad 7d 72 ee 4a f4 d6 5a a8 59 63 f4 a0 ee f3 28 55 7d 2b 78 68 2e 79 b6 1d e6 af 69 8a 09 ba 39 88 b4 92 65 0d 12 17 09 ea 2a a4 b8 4a 8e 40 f3 74 de a4 74 e5 08 5a 25 cc 80 7a 76 2e ee ff 21 4e b0 65 6c 64 50 5c ad 8f c6 59 9b 07 3e 05 f8 e5 92 cb d9 56 1d 30 0f 72 f0 ac a8 5d 43 41 ff c9 fd 5e fa 81 cc 3b dc f0 fd 56 4c 21 7c 7f 5e ed 73 30 3a 3f f2 e8 93 8b d5 f3 cd 0e 27 14 49 67 94 ce b9 25 02 03 01 00 01
|-
| Enhanced key usage
| bgcolor="#faa" | Code Signing (1.3.6.1.5.5.7.3.3)<br />Key Pack Licenses (1.3.6.1.4.1.311.10.6.1)<br />License Server Verification (1.3.6.1.4.1.311.10.6.2)
|-
| Authority key identifier
| KeyID=5b d0 70 ef 69 72 9e 23 51 7e 14 b2 4d 8e ff cb<br />Certificate Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.<br />Certificate SerialNumber=00 c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40
|-
| Subject key identifier
| 6a 97 e0 c8 9f f4 49 b4 89 24 b3 e3 d1 a8 22 86 aa d4 94 43
|-
| Key usage
| Digital Signature<br />Certificate Signing<br />Off-line CRL Signing<br />CRL Signing (86)
|-
| Basic constraints
| Subject Type=CA<br />Path Length Constraint=None
|-
| Thumbprint algorithm
| sha1
|-
| Thumbprint
| 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
|}

{{clear}}
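The two defects tabulated above (an MD5-based signature algorithm and a Code Signing EKU on a licensing certificate) are properties a defender can screen certificates for mechanically. The following Python is an added example, not code from the article or from any of the cited analyses: it hand-parses DER so it runs offline, uses the EKU OIDs from the table together with the standard RSA signature-algorithm OIDs, and audits a constructed, abbreviated stand-in certificate rather than the real Microsoft one.

```python
"""Audit a DER-encoded X.509 certificate for what made Flame's certificate dangerous:
an MD5-based signature algorithm and a Code Signing EKU beside licensing EKUs. Added
example, not from the article; build_sample() constructs an abbreviated stand-in."""

SEQUENCE, BIT_STRING, OCTET_STRING, NULL, EXTENSIONS = 0x30, 0x03, 0x04, 0x05, 0xA3

# EKU OIDs from the article's certificate table; algorithm OIDs are the standard ones
OID_EKU, OID_CODE_SIGNING = "2.5.29.37", "1.3.6.1.5.5.7.3.3"
LICENSING_EKUS = {"1.3.6.1.4.1.311.10.6.1": "Key Pack Licenses",
                  "1.3.6.1.4.1.311.10.6.2": "License Server Verification"}
OID_MD5_RSA, OID_SHA256_RSA = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"
WEAK_SIG_ALGS = {OID_MD5_RSA: "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed element's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def oid_decode(content):
    """OID content octets -> dotted string; first byte packs two arcs, rest base-128."""
    arcs, cur = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def der_encode(tag, content):
    n = len(content)                           # only needed to build the constructed sample
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                      # higher 7-bit groups carry a continuation bit
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return der_encode(0x06, bytes(body))

def build_sample(sig_oid, eku_oids):
    """Constructed stand-in: tbsCertificate with only its extensions, then signatureAlgorithm."""
    eku = der_encode(SEQUENCE, b"".join(oid_encode(o) for o in eku_oids))
    ext = der_encode(SEQUENCE, oid_encode(OID_EKU) + der_encode(OCTET_STRING, eku))
    tbs = der_encode(SEQUENCE, der_encode(EXTENSIONS, der_encode(SEQUENCE, ext)))
    sig_alg = der_encode(SEQUENCE, oid_encode(sig_oid) + der_encode(NULL, b""))
    return der_encode(SEQUENCE, tbs + sig_alg + der_encode(BIT_STRING, b"\x00"))

def find_extension(tbs_content, wanted):
    """Return the extnValue octets of extension `wanted`, or None if absent."""
    for tag, val in der_children(tbs_content):
        if tag == EXTENSIONS:                  # [3] EXPLICIT SEQUENCE OF Extension
            for _, ext in der_children(der_children(val)[0][1]):
                fields = der_children(ext)     # extnID, optional critical, extnValue
                if oid_decode(fields[0][1]) == wanted:
                    return fields[-1][1]
    return None

def audit_certificate(der):
    """Report signature algorithm, EKUs and findings; does not verify the signature itself."""
    _, cert, _ = der_read(der)
    (_, tbs), (_, sig_alg), _signature = der_children(cert)
    sig_oid = oid_decode(der_children(sig_alg)[0][1])
    eku_raw = find_extension(tbs, OID_EKU)
    ekus = [oid_decode(v) for _, v in der_children(der_read(eku_raw)[1])] if eku_raw else []
    findings = []
    if sig_oid in WEAK_SIG_ALGS:
        findings.append("weak-signature:" + WEAK_SIG_ALGS[sig_oid])
    if OID_CODE_SIGNING in ekus and any(e in LICENSING_EKUS for e in ekus):
        findings.append("code-signing-eku-on-licensing-cert")
    return {"signature_algorithm": sig_oid, "eku": ekus, "findings": findings}
```

Running `audit_certificate(build_sample(OID_MD5_RSA, [OID_CODE_SIGNING, *LICENSING_EKUS]))` reproduces both findings for a certificate shaped like the one in the table, while a SHA-256-signed licensing-only certificate yields none.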

== Deployment ==

Like the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over a local network or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.

Unlike Stuxnet, which was designed to sabotage an industrial process, Flame appears to have been written purely for espionage.{{cite news | title=New Massive Cyber-Attack an 'Industrial Vacuum Cleaner for Sensitive Information' | first=Reuven | last=Cohen | url=https://www.forbes.com/sites/reuvencohen/2012/05/28/new-massive-cyber-attack-an-industrial-vacuum-cleaner-for-sensitive-information/ | newspaper=Forbes | date=28 May 2012 | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120531015321/http://www.forbes.com/sites/reuvencohen/2012/05/28/new-massive-cyber-attack-an-industrial-vacuum-cleaner-for-sensitive-information/ | archive-date=31 May 2012 | url-status=live}} It does not appear to target a particular industry, but rather is "a complete attack toolkit designed for general cyber-espionage purposes".{{cite news | title=Massive 'Flame' Malware Stealing Data Across Middle East | first=Chloe | last=Albanesius | url=https://www.pcmag.com/article2/0,2817,2404951,00.asp | newspaper=PC Magazine | date=28 May 2012 | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120530184457/http://www.pcmag.com/article2/0,2817,2404951,00.asp | archive-date=30 May 2012 | url-status=live}}

Using a technique known as sinkholing, Kaspersky demonstrated that "a huge majority of targets" were within Iran, with the attackers particularly seeking AutoCAD drawings, PDFs, and text files.{{cite web | url=https://www.bbc.com/news/technology-18324234 | title=Flame: Attackers 'sought confidential Iran data' | author=Lee, Dave | date=4 June 2012 | work=BBC News | access-date=4 June 2012 | archive-date=4 June 2012 | archive-url=https://web.archive.org/web/20120604181833/http://www.bbc.com/news/technology-18324234 | url-status=live }} Computing experts said that the program appeared to be gathering technical diagrams for intelligence purposes.

A network of 80 servers across Asia, Europe and North America has been used to access the infected machines remotely.{{cite news | title=Flame virus: Five facts to know | url=https://www.indiatimes.com/internet/flame-virus-five-facts-to-know-25730.html | newspaper=The Times of India | agency=Reuters | date=29 May 2012 | access-date=30 May 2012 | archive-url=https://archive.today/20240526001855/https://www.webcitation.org/6834SlYre?url=http://articles.timesofindia.indiatimes.com/2012-05-29/security/31887318_1_stuxnet-flame-kaspersky-lab | archive-date=26 May 2024 | url-status=live}}

== Origin ==

On 19 June 2012, The Washington Post published an article claiming that Flame was jointly developed by the U.S. National Security Agency, CIA and Israel's military at least five years prior. The project was said to be part of a classified effort code-named Olympic Games, which was intended to collect intelligence in preparation for a cyber-sabotage campaign aimed at slowing Iranian nuclear efforts.{{Cite news | url=https://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html | title=U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say | newspaper=The Washington Post | date=19 June 2012 | access-date=20 June 2012 | author=Nakashima, Ellen | archive-date=18 July 2012 | archive-url=https://web.archive.org/web/20120718101813/http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html | url-status=live }}

According to Kaspersky's chief malware expert, "the geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it." Kaspersky initially said that the malware bears no resemblance to Stuxnet, although it may have been a parallel project commissioned by the same attackers.{{cite news | title=Flame Virus: Who is Behind the World's Most Complicated Espionage Software? | url=https://www.telegraph.co.uk/technology/news/9296827/Flame-virus-who-is-behind-the-worlds-most-complicated-espionage-software.html | newspaper=The Daily Telegraph | date=29 May 2012 | access-date=29 May 2012 | archive-url=https://web.archive.org/web/20120531044449/http://www.telegraph.co.uk/technology/news/9296827/Flame-virus-who-is-behind-the-worlds-most-complicated-espionage-software.html | archive-date=31 May 2012 | url-status=live}}

After analysing the code further, Kaspersky later said that there is a strong relationship between Flame and Stuxnet; the early version of Stuxnet contained code to propagate via USB drives that is nearly identical to a Flame module that exploits the same zero-day vulnerability.{{cite web | url=http://www.kaspersky.com/about/news/virus/2012/Resource_207_Kaspersky_Lab_Research_Proves_that_Stuxnet_and_Flame_Developers_are_Connected | title=Resource 207: Kaspersky Lab Research Proves that Stuxnet and Flame Developers are Connected | date=11 June 2012 | publisher=Kaspersky Lab | access-date=13 June 2012 | archive-date=16 November 2021 | archive-url=https://web.archive.org/web/20211116092936/https://www.kaspersky.com/about/press-releases | url-status=live }}

Iran's CERT described the malware's encryption as having "a special pattern which you only see coming from Israel".{{cite news | title=Iran Confirms Attack by Virus That Collects Information | first=Thomas | last=Erdbrink | url=https://www.nytimes.com/2012/05/30/world/middleeast/iran-confirms-cyber-attack-by-new-virus-called-flame.html?_r=1&hp | newspaper=The New York Times | date=29 May 2012 | access-date=30 May 2012 | archive-url=https://web.archive.org/web/20120606185713/http://www.nytimes.com/2012/05/30/world/middleeast/iran-confirms-cyber-attack-by-new-virus-called-flame.html?_r=2&hp | archive-date=6 June 2012 | url-status=live}} The Daily Telegraph reported that due to Flame's apparent targets—which included Iran, Syria, and the West Bank—Israel became "many commentators' prime suspect". Other commentators named the U.S. as possible perpetrators. Richard Silverstein, a commentator critical of Israeli policies, claimed that he had confirmed with a "senior Israeli source" that the malware was created by Israeli computer experts. The Jerusalem Post wrote that Israel's Vice Prime Minister Moshe Ya'alon appeared to have hinted that his government was responsible, but an Israeli spokesperson later denied that this had been implied.{{cite news | url=https://www.washingtonpost.com/business/technology/flame-cyberweapon-written-using-gamer-code-report-says/2012/05/31/gJQAkIB83U_story.html | title=Flame cyberweapon written using gamer code, report says | author=Tsukayama, Hayley | date=31 May 2012 | newspaper=The Washington Post | access-date=31 May 2012 | archive-date=2 June 2012 | archive-url=https://web.archive.org/web/20120602061626/http://www.washingtonpost.com/business/technology/flame-cyberweapon-written-using-gamer-code-report-says/2012/05/31/gJQAkIB83U_story.html | url-status=live }} Unnamed Israeli security officials suggested that the infected machines found in Israel may imply that the virus could be traced to the U.S. or other Western nations.{{cite news | last1=Dareini | first1=Ali Akbar | last2=Murphy | first2=Dan | last3=Satter | first3=Raphael | last4=Federman | first4=Josef | date=May 30, 2012 | title=Iran: 'Flame' virus fight began with oil attack | language=en | work=Yahoo! News | agency=Associated Press | url=https://www.yahoo.com/news/iran-flame-virus-fight-began-oil-attack-184818332--finance.html }} The U.S. has officially denied responsibility.{{cite news | url=https://www.bbc.co.uk/news/technology-18277555 | title=Flame: Israel rejects link to malware cyber-attack | work=BBC News | date=31 May 2012 | access-date=3 June 2012 | archive-date=5 June 2014 | archive-url=https://web.archive.org/web/20140605045350/http://www.bbc.co.uk/news/technology-18277555 | url-status=live }}

A leaked NSA document mentions that dealing with Iran's discovery of FLAME is an NSA and GCHQ jointly-worked event.{{cite web | url=https://s3.amazonaws.com/s3.documentcloud.org/documents/1150433/lobban-nsa-visit-precis.pdf#page=3 | title=Visit Précis: Sir Iain Lobban, KCMG, CB; Director, Government Communications Headquarters (GCHQ) 30 April 2013 – 1 May 2013 | access-date=1 May 2014 | archive-date=2 May 2014 | archive-url=https://web.archive.org/web/20140502033350/https://s3.amazonaws.com/s3.documentcloud.org/documents/1150433/lobban-nsa-visit-precis.pdf#page=3 | url-status=live }}

== See also ==

== Notes ==

{{notelist}}

== References ==