DHS Says No Evidence That Flame Targets Industrial Systems, But Urges Caution

ID THREATPOST:17195BD0B70A54DCB28B02570076C9F4
Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:32:08


In an advisory, the Department of Homeland Security’s Industrial Control System (ICS) CERT said that it doesn’t believe the Flame malware targets industrial control systems (ICS) or SCADA systems, but the group advised critical infrastructure owners to be on alert.

The advisory, issued Wednesday, describes Flame (aka sKyWIper) as complex malware with many features for spreading and stealing information. However, the agency said it has no evidence that Flame “specifically targets industrial control systems (ICS).” The alert also throws cold water on speculation by some that Flame has similar origins to both the Stuxnet and Duqu worms.

“Initial analysis by the CrySyS team indicates that SKyWIper has few similarities when compared to Duqu and Stuxnet,” the alert reads, citing important early analysis by CrySyS Lab at the Budapest University of Technology and Economics.

Neither ICS-CERT nor the larger US-CERT organization has received any reports of Flame infections – not surprising given the low number of infections and the malware’s concentration in two countries: Iran and Hungary.

DHS advised ICS operators and critical infrastructure operators to isolate control systems from the Internet, to minimize their exposure to any larger network, and to deploy both firewalls and anti-malware software to protect them.

Others, notably researchers at Kaspersky Lab, have suggested that both Flame and Stuxnet may be of a similar origin, even though they are separate programs. Among other things, Flame took advantage of many of the same software vulnerabilities used by Stuxnet. And, like Stuxnet, Flame was capable of spreading both by USB and by exploiting vulnerable network file shares and printers.