Data downloaded from compromised systems were encrypted, and the decryption key did not exist on either server. This meant that people responsible for downloading information knew nothing about the data. Operations where people only know what they need to know to do their job are typical in espionage, Haley said.
"You could see that people were given different jobs, like in a classic spy network," he said.
The developers were also very good at covering their tracks. All unnecessary logging events and entries in the database were deleted at regular intervals, and log files were also wiped from the server on a regular basis.
Fortunately, the defenses were not foolproof. Researchers found the entire history of the servers' setup, as well as a set of encrypted records in the database. In addition, the nicknames of the four code authors were uncovered. The names were not released.
The command and control functions were handled through a web application called Newsforyou. The software contained a simple control panel that attackers used to upload packages of code and download stolen data. The password to the control panel was found encrypted in the servers, but researchers have been unable to crack it.
In late May, the server delivered a module instructing Flame to wipe itself from computers, which is what Symantec and other security researchers witnessed on the computers they set up to trap the malware.
The International Telecommunication Union's cyber security arm, called IMPACT, and the Computer Emergency Response Team (CERT) in Germany joined Kaspersky and Symantec in the research.
While the sophistication of Flame and Stuxnet has surprised many researchers, similarly complex data-stealing tools are available in the hacker underground, experts say. Known as RATs, or remote access tools, the applications can capture screenshots and keystrokes, download files, hijack webcams and listen through laptop microphones.