Flame (also known as Flamer, sKyWIper, or Skywiper) is a highly modular cyber-espionage toolkit discovered in May 2012 by the Iranian National CERT (MAHER), Kaspersky Lab, and Hungary's CrySyS Lab. It targeted Windows systems primarily in Iran and other Middle Eastern countries, including the West Bank, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, with a heavy focus on government, academic, and energy-sector machines.
What set Flame apart from typical malware was its size and sophistication. At roughly 20 megabytes when fully deployed, it was orders of magnitude larger than most espionage tools and included modules for keystroke logging, screen capture, audio recording via the host's microphone, Bluetooth device scanning, network sniffing, and exfiltration of documents and Skype conversations. It used the Lua scripting language for extensibility, an unusual choice that gave operators flexibility to add capabilities on the fly.
Flame is widely cited as one of the first pieces of malware to exploit a cryptographic collision attack against MD5 to forge a Microsoft code-signing certificate, allowing it to spread via fake Windows Update packages on local networks. Microsoft responded with Security Advisory 2718704 in June 2012, revoking the abused intermediate certificates.
Analysts at Kaspersky and others linked Flame to the same broader operation as Stuxnet and Duqu, pointing to shared code in an early Stuxnet module. In June 2012, The Washington Post reported, citing unnamed officials, that Flame was a joint U.S.–Israeli intelligence operation, part of the same campaign as Stuxnet (sometimes referred to under the codename "Olympic Games"). Neither government has officially confirmed authorship.
For IR and policy researchers, Flame is a landmark case in the debate over state-sponsored cyber operations, the militarization of code, and the absence of binding international law governing peacetime cyber-espionage. It is regularly cited alongside Stuxnet in discussions of the Tallinn Manual process and norms work at the UN GGE and OEWG.
Example
In May 2012, Iran's MAHER CERT and Kaspersky Lab announced the discovery of Flame on computers in Iran's oil ministry, prompting Tehran to disconnect affected systems from the internet.
Frequently asked questions
No state has officially claimed responsibility. In June 2012, The Washington Post reported, citing unnamed U.S. officials, that Flame was a joint U.S.–Israeli operation linked to the same effort as Stuxnet.
Keep learning