New Israeli Cyberworm Spies on Lebanese Bank Transactions
Kaspersky Labs reports a new computer virus infection using some of the same coding as Flame, an earlier major malware creation largely attributed to Israeli cyberwarfare experts (probably affiliated with the IDF’s Unit 8200):
A more in-depth analysis conducted in June 2012 resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to C&C servers, as well as numerous other similarities to Flame. In our opinion, all of this clearly indicates that the new platform which we discovered and which we called ‘Gauss,’ is another example of a cyber-espionage toolkit based on the Flame platform.

Gauss is a project developed in 2011-2012 along the same lines as the Flame project. The malware has been actively distributed in the Middle East for at least the past 10 months. The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.
The virus appears keyed to intercepting information related to Lebanese banking transactions:
Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks – for instance, Bank of Beirut, Byblos Bank, and Fransabank.
This tells me one thing immediately: given the uptick in terror attacks against Israeli targets over the past few months, Israel is seeking to follow the trail of financial transactions by Hezbollah-Syrian-Iranian interests in Lebanon. Though it’s unclear specifically what they might be seeking, it’s certainly possible that these terror attacks and their perpetrators are using Lebanese financial institutions to bankroll their activities. It’s also possible that Iranian banks might be using Lebanon as an outlet for financial-business transactions that circumvent international sanctions.
Several key aspects of the code are named for various distinguished figures in the history of mathematics. This seems to be an attempt by the hackers to boast of their academic training in the field. I suppose it’s supposed to make us feel that they’re not ordinary run-of-the-mill cheap hackers, but cultured ones. I’m not sure their mathematics professors would share in their pride in the ways they’ve put their training to use.
Ominously, cyberwarfare seems to have adopted the language of nuclear weaponry. Experts have noted that Gauss contains a mysterious “warhead” and “payload”:
“Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation.” Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations.
Oddly, those studying Gauss can’t yet figure out what configuration the virus seeks out in the target computer before deciding to hit it.
One of the ways the virus harvests financial information is by seeking out cookies related to credit card and other online transactions. It will also harvest browsing history and stored passwords. This would enable the hackers to actually penetrate the bank accounts and either use them or view their transaction history. Servers to which information was uploaded were located in India, Portugal and the U.S. Gauss has been in existence for about a year.
Given that this infection appears not to target Iranian banks specifically, it appears that the Israeli hackers were specifically looking at Hezbollah-related banking transactions largely within Lebanon. Another interesting factor that Kaspersky noted is that one of the module names contains “Gauss White.” In Arabic and Hebrew the word Lebanon derives from the root LVN or “white.” This would be a further indication that the hackers spoke a Semitic language like Arabic or Hebrew and that their targets were mainly in Lebanon.
There were fewer than half as many penetrations of computers in Israel and the Occupied Territories as in Lebanon (750 versus 1,600). If Israelis are the culprit, they might also want to follow the trail of financial transactions from Lebanon to the Territories to determine if Hezbollah might be financing any local terror activities through Palestinian banks.
I can’t answer the question why Israeli cyberwarriors would have infected their own country’s computers if their ultimate goal was intercepting Lebanese banking data. I suppose that, like Stuxnet, which accidentally infected computers around the world well outside its specified Iranian targets, the Israeli infections are accidental or mistakes. It’s marginally possible that Iranian hackers are attempting to follow financial trails in Lebanon and/or Israel, though that logic seems harder to fathom.
It’s hard to know whether Gauss, like Stuxnet, was a joint Israeli-U.S. venture. If Gauss was keyed to Iranian financial activity then the U.S. might be involved. If it was targeting Hezbollah specifically, I think the U.S. would be less interested and less likely to be a partner to its development.
Kaspersky, unfortunately, has not been able to determine the method by which Gauss infects the computers it attacks.