Nation-state hacking kit ‘Flame’ had a second life, researchers say

The discovery shows how good source code dies hard, and that tracking its evolution can be a very long game for researchers.
Flame malware
(Pexels/remixed in PhotoMosh)

Flame, the nation-state-developed malware kit that targeted computers in Iran, went quiet after researchers exposed it in 2012. The attackers tried to hide their tracks by scrubbing servers used to talk to infected computers. Some thought they had seen the last of the potent malware platform.

Flame’s disappearance “never sat right with us,” said Juan Andres Guerrero-Saade and Silas Cutler, researchers with Alphabet’s Chronicle. On Tuesday at the Kaspersky Security Analyst Summit in Singapore, they showed that Flame hadn’t died, it had just been reconfigured.

Tracing early components of Flame, Guerrero-Saade and Cutler found a new version of it that was likely used between 2014 and 2016. Flame 2.0 is “clearly built” from the original source code, but it has new measures aimed at eluding researchers, they wrote in a paper.

The discovery shows how good source code dies hard, and that tracking its evolution can be a very long game for researchers.


Flame wasn’t your average malware. Guerrero-Saade and Cutler described it as “one of the seminal modular platforms” in the flexibility it gave the attackers to go after different systems. That functionality is a staple of modern nation-state hacking kits, they added.

Flame offered its operators a lot of visibility onto machines it infected. Its modules, Guerrero-Saade and Cutler explained, “gather system information, beacon to nearby bluetooth devices, implement network replication, propagate to other machines or removable media, create backdoor accounts, and much more.”

Researchers have drawn links between Flame, another malware group dubbed Duqu, and Stuxnet, the famous computer worm that the U.S. and Israel reportedly developed and that destroyed centrifuges at an Iranian nuclear facility in 2009.

An early component of Stuxnet has ties to an older malware framework known as Flowershop, according to Guerrero-Saade and Cutler. That framework was active as early as 2002, suggesting “that yet another team with its own malware platform was involved in the early development of Stuxnet,” they wrote.

Guerrero-Saade and Cutler’s discovery notwithstanding, much of Flame 2.0 remains a mystery. Some of the malicious platform’s capabilities are still unknown, they said, because they couldn’t decode modules embedded on a virtual machine.


And so Guerrero-Saade and Cutler appealed for help from other researchers.

“We hope that releasing these indicators at an early stage in our research process will encourage collaboration from the threat intelligence community,” they said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts