FLAME, The NATO Cyber Doctrine, & Surveillance Efforts
While recent chatter focuses on “nation-states” and secret cyberwar units, the origins of sophisticated spyware suites and their deployments aren’t as mysterious as commonly thought, and “cyber war” is surprisingly tightly connected to (police) surveillance programs.
On June 5th, NATO held a malware analysis workshop in Estonia, which is known as one of the first major state-run theaters of DDoS attacks.
In November 2011 the director of the Defense Advanced Research Projects Agency (DARPA) announced plans to “shift the focus of our cyber research towards the exploration of offensive capacities.” Until then, only defending against such attacks had been mentioned by the military.
“One of the unique characteristics of this workshop is to focus on the allocation of attacks.”
This is the linchpin of offensive cyber-warfare. Before any retaliation by similar means, a state must be sure that it is striking the actual authors and not falling prey to a provocation by a third party who wants to initiate a conflict between two states.
The website of the NATO conference communicates a clear message. As supporters, the Institute of Electrical and Electronics Engineers (IEEE), Cisco, and Microsoft are listed, and in between them the logo of a company called “Gamma Group” appears.
And here it gets interesting: Gamma Group is a military supplier that offers custom-tailored monitoring equipment, including training. The modules of the “FinFisher Suite” can be used individually for their respective purposes, but connected together they “provide advanced tools for unsurpassed inspection and monitoring techniques of the IT environment through intelligence services.”
This is exactly what FLAME does, which is not to insinuate that this suite is necessarily related to FLAME. Gamma International and its FinFisher product line did make global headlines in this context, though. After the storming of government offices in Egypt during the Arab Spring, a contract of this company with Mubarak’s intelligence services was discovered. There, the malware suite was apparently used to spy on the computers of regime opponents that had been infiltrated with malicious software.
The description of the use of individual modules and the features of the FinFisher suite in its military version match those of FLAME, and strikingly accurately at that. FLAME is a suite similar to those officially offered by several European companies at fairs such as the infamous ISS. The most expensive item in such a suite is the “exploit,” or attack program that takes advantage of a still unknown but widespread vulnerability.
While the newly invented collision attack is the subject of recent research and forensic analysis, most other FLAME modules appear to be rather off-the-shelf components, which are available, for example, from the aforementioned surveillance companies.
Another example of a modular surveillance malware suite is the so-called “Bundestrojaner” (bearing a striking resemblance to FLAME, at least in its feature set), which is attributed to the German government, deployed as a means to conduct “online raids.” The German government has denied its involvement, though notably, under German law the police are allowed to use spyware to snoop on suspected criminals, but only under strict guidelines.
Based in part on an article from Austria: http://fm4.orf.at/stories/1700105/