
Security researchers at Kaspersky have found a connection between the two attacks: they share code. That makes it likely that either they are part of the same effort, or at least that the developers of each cyber-warfare tool knew about the other and so may well share origins or objectives.
Vitaly Kamluk, Kaspersky’s chief malware expert, said:
“There is a link proven – it’s not just copycats… We think that these teams are different, two different teams working with each other, helping each other at different stages.”
The researchers found a module known as “Resource 207”, used in early versions of Stuxnet, that bears a striking similarity to a module in Flame. The similarity “includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming”, according to Alexander Gostev, chief security expert at the Russian-based security company.
Flame appears to have been active since 2007, when domain names for use with the malware attack began to be registered using the fake details associated with the tool. It has therefore likely been monitoring Iranian infrastructure since then in order to send back details of its locations and technical setup. It may well, in fact, be the tool that was first deployed against Iran as an intelligence and fact-finding mission, before Stuxnet was built as a cyber-weapon to attack the weaknesses that Flame had found. If so, the developers of Stuxnet may well have reused the code from Flame that had got through the Iranian cyber-defences, and leveraged the same vulnerabilities to employ the weapon of sabotage. In that case, it is very likely that Stuxnet and Flame are both part of the US and Israeli joint Olympic Games mission against Iran.
