
France: Flame Malware Used in Attacks Against Government Officials, US Accused

State-sanctioned attackers broke into French government computers and illegally obtained top-secret information, according to an exclusive report in the French paper L'Express. The United States was behind the incident, the paper claimed.

Attackers used simple social engineering tactics to phish government officials working at the Élysée Palace for their login credentials, L'Express reported. The attackers used Facebook to identify people who worked at the presidential palace and connected with them on the social networking site. The victims considered the attackers friends, making it even more likely that they would click when the attackers sent an email invitation with a link to a website. The fake site was a replica of the Élysée Palace site, and when prompted to enter their passwords, the victims did so in "good faith," according to L'Express.

With login credentials in hand, the attackers were able to access the Élysée Palace network, and installed "spy software" which spread to other computers. The malware infected machines belonging to the "most influential advisers" in the French government, including Xavier Musca, the Secretary General, according to the report. The French president, Nicolas Sarkozy, was not infected because he didn't have a networked Windows PC. The attackers then stole political and strategic data, L'Express said.

“We categorically refute allegations of unidentified sources,” Mitchell Moss, a spokesperson from the U.S. Embassy in Paris, told L'Express. “France is one of our best allies. Our cooperation is remarkable in the areas of intelligence, law enforcement and cyber defense. It has never been so good and remains essential to achieve our common fight against extremist threat.”

L'Express said the malware had the same features as Flame, the cyber-espionage tool discovered by Kaspersky Lab earlier this year.

The attack occurred in May, just before the second round of presidential elections in France. An unnamed official close to the investigation said the attack was likely related to France's numerous political and economic agreements with foreign countries, including the Middle East. The attackers could have been trying to figure out how those agreements would be impacted if Sarkozy lost the election.

“You can be on good terms with a ‘friendly country’ and still wish to ensure its continued support, especially in a period of political transition,” an unnamed official told the magazine.

It took the French information security agency Anssi several days to clean and restore the network.

Department of Homeland Security secretary Janet Napolitano told L'Express in an interview that Flame and Stuxnet had "never been linked to the US government."

Stuxnet is widely believed to have been developed by the United States and Israel to damage and halt Iran's nuclear program. However, anonymous government officials reportedly confirmed to the New York Times this summer that Stuxnet was part of a joint US-operation codenamed Operation Olympic Games.

Kaspersky Lab believes Flame is related to Stuxnet because the two pieces of malware share a code module. Although Stuxnet was discovered earlier, Kaspersky researchers believe it was developed after Flame.

“We have no greater partner than France, we have no greater ally than France. We cooperate in many security-related areas. I am here to further reinforce those ties and create new ones,” Napolitano told L'Express.


Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.