Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Stuxnet and Flame: They May Not Be Twins But the Family Resemblance Is Undeniable

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

The United States (and Israel) creating Stuxnet and Flame as covert cyberwar weapons is perhaps the worst kept secret since John Edwards and Rielle Hunter’s baby.

Theories about why Stuxnet’s and Flame’s origins are becoming public range from boosting President Obama’s image of strength in an election year to firing a cybershot over America’s “adversaries’” collective bows.

One theory that hasn’t been promulgated before because we didn’t think of it until now — Don’t you think we’re entitled to a guess along with everyone else? — is that the next generation of cyberweapons is already operational.

Whatever the reason Stuxnet and Flame were “outed,” according to a piece by Mathew J. Schwartz on, there’s ample evidence that they’re linked to each other and to the United States.

Schwartz quotes Alex Gostev, the chief malware researcher at Kaspersky Lab, “In 2009, part of the code from the Flame platform was used in Stuxnet….We believe that source code was used, rather than complete binary modules.” Obviously this indicates collaboration or crossover between Stuxnet and Flame. Gostev goes on to say that “since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities.”

Paraphrasing Gostev, Schwartz writes, there appears “to have been different development groups behind the two malware families – each working independently since 2007 or 2008 – which (Gostev) refers to as ‘Team F’ (for Flame) and ‘Team T’ (for Tilded, which is the platform on which Stuxnet and Duqu were built).”

Gostev observes that “Flame and Tilded are completely different projects based on different architectures and each with their own distinct characteristics….For instance, Flame never uses system drivers, while Stuxnet and Duqu’s main method of loading modules for execution is via a kernel driver.” Think Stuxnet, Duqu and Flame could be triplets?

It looks like Flame was created by the summer of 2008 and Stuxnet in the first half of 2009. “The Stuxnet code of 2009 used a module built on the Flame platform, probably created specifically to operate as part of Stuxnet,” said Gostev.

Gostev notes that while the two groups of malware developers appear to have shared code, “after 2009, the evolution of the Flame platform continued independently from Stuxnet.”

Whether government-sponsored or coming from a lone (and likely lonely) hacker, cyberattacks, and having to fend them off, have become standard business practice.
