Chronicle is particularly well placed to do such investigations. The company was launched last year by its parent company Alphabet, which is also the parent company of Google, and has access to a massive repository of malware and suspected malware that people have submitted to the VirusTotal website over the years. VirusTotal, a free antivirus scanning website that Google acquired in 2012 and that is now operated by Chronicle, aggregates dozens of antivirus scanning engines from various companies in one place; anyone can upload suspicious files to the site to see whether any of the engines consider them malicious. Chronicle can then analyze that repository of files at scale to match malicious files and code that share similarities.
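As an added illustration of the kind of similarity matching described above (this is example code written for this page, not Chronicle's or VirusTotal's own method), the snippet below compares files by the set of overlapping byte n-grams they contain and ranks a corpus by Jaccard similarity to a query file. The n-gram length, the 0.5 threshold and the three sample blobs are all constructed for the example; a real corpus would hold millions of files and use fuzzy hashes or signature rules rather than a full pairwise comparison.

```python
"""Toy file-similarity matching over a small corpus (added example, not
Chronicle's or VirusTotal's actual matching logic)."""
from typing import Dict, List, Set, Tuple

NGRAM = 4  # byte n-gram length; an assumption chosen so short samples overlap


def shingles(data: bytes, n: int = NGRAM) -> Set[bytes]:
    """Return the set of overlapping byte n-grams ("shingles") in data."""
    if not data:
        return set()
    if len(data) < n:
        return {data}
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Jaccard similarity |A ∩ B| / |A ∪ B|; 0.0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def find_similar(query: bytes, corpus: Dict[str, bytes],
                 threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Rank corpus entries by similarity to query, keeping those at or above
    threshold, most similar first."""
    q = shingles(query)
    scored = [(name, jaccard(q, shingles(blob))) for name, blob in corpus.items()]
    hits = [(name, score) for name, score in scored if score >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample data: a "known bad" blob, a lightly modified variant of it,
# and an unrelated benign blob. None of these are real malware artifacts.
KNOWN_BAD = b"cfg: modules=[sniff,screenshot,bt]; beacon=3600; key=deadbeef"
VARIANT = b"cfg: modules=[sniff,screenshot,bt,mic]; beacon=7200; key=deadbeef"
BENIGN = b"README: this package installs a spreadsheet add-in for charts"

CORPUS = {"known_bad": KNOWN_BAD, "benign": BENIGN}


if __name__ == "__main__":
    # A new upload that is a variant of a known sample should match it but
    # not the unrelated benign file.
    for name, score in find_similar(VARIANT, CORPUS):
        print(f"{name}: {score:.2f}")
```

Exact matching (for example by SHA-256 of the whole file) catches only byte-identical resubmissions; the n-gram approach here tolerates small edits such as a changed configuration value, which is why it finds the variant. The trade-off is cost: comparing every pair of files is quadratic, so production systems precompute a compact fingerprint per file and index on that.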

Flame, which is believed to have been created by Israel, has always held a lot of fascination for the research community. It was the first modular spy platform discovered in the wild, with multiple plug-ins that could be swapped out according to whatever tools were needed for each victim. It had a lot of capability that was unique at the time it was discovered, and also used a highly sophisticated technique for spreading. The attackers tricked Microsoft into issuing them a legitimate Microsoft certificate, which they used to sign their malicious files. Then they subverted the trusted Windows Update mechanism, through which Microsoft distributes patches and software upgrades to customers, to deliver those malicious files to targeted victims instead, doing so in a way that made it look like they came from Microsoft’s server. The attackers also managed a fleet of 80 command-and-control domains to communicate with infected machines until they faked Flame’s death in May 2012, pushing out the kill module to infected machines and closing shop on the command-and-control servers.