UPDATE: I’ve just had an e-mail exchange with Costin Raiu, a cyber security specialist at Kaspersky, and he’s expanded my understanding of Gauss (though the theorizing below is purely my own). There are some fascinating mysteries remaining to be uncovered about this virus. First, it seeks out computers that are not connected to the internet. It then infects them through use of a USB stick, the same method by which Stuxnet was spread.
So we have to figure out why it would target a computer without an internet connection. Possibly, because such a computer would be disconnected in order to protect it from contracting a virus. Such a computer would likely contain valuable information the owner wouldn’t want compromised or stolen. As you’ll read below, this again takes me toward Hezbollah, which would likely have such secrets it would wish to protect and which Israeli cyber-experts would want to steal.
Reading below, you’ll also see that Gauss has a mystery “payload” or “warhead” and Kaspersky has still not decrypted it. So we still don’t know what is at the core of this crucial element of the cyberweapon. I suppose it might be possible that the entire bank data theft aspect of Gauss is a feint and what its authors really want is still sealed in the encrypted payload.
I’m inclined to believe that Gauss is attempting to penetrate Hezbollah’s communications network, since the computers controlling it would not be connected to the internet. There has been a long-term war on both sides to spy on each other and steal each other’s communication secrets and codes. During the Lebanon war Hezbollah, probably with Iranian assistance, decrypted the IDF military communications network and could listen in on commanders talking in the field. This is one of the key reasons that Hezbollah’s defenses were so robust and so many Israeli soldiers died.
Israel is highly motivated to do the same to Hezbollah. If the former plans to attack Iran, then the Lebanese group will surely attack Israel in response. So it becomes even more important that Israel know as much as it can about what its enemy’s plans are. Here (and here) are some previous Israeli attempts to penetrate Hezbollah’s lines of communication.
Kaspersky Labs reports (and here) a new computer virus infection using some of the same coding as Flame, an earlier major malware creation largely attributed to Israeli cyberwarfare experts (probably affiliated with the IDF’s Unit 8200):
A more in-depth analysis conducted in June 2012 resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to C&C servers, as well as numerous other similarities to Flame.
In our opinion, all of this clearly indicates that the new platform which we discovered and which we called ‘Gauss,’ is another example of a cyber-espionage toolkit based on the Flame platform.
Gauss is a project developed in 2011-2012 along the same lines as the Flame project. The malware has been actively distributed in the Middle East for at least the past 10 months. The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.
The virus appears keyed to intercepting information related to Lebanese banking transactions:
Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks – for instance, Bank of Beirut, Byblos Bank, and Fransabank.
This tells me one thing immediately: given the uptick in terror attacks against Israeli targets over the past few months, Israel is seeking to follow the trail of financial transactions by Hezbollah-Syrian-Iranian interests in Lebanon. Though it’s unclear specifically what they might be seeking, it’s certainly possible that these terror attacks and their perpetrators are using Lebanese financial institutions to bankroll their activities. It’s also possible that Iranian banks might be using Lebanon as an outlet for financial-business transactions that circumvent international sanctions.
Several key aspects of the code are named for various distinguished figures in the history of mathematics. This seems to be an attempt by the hackers to boast of their academic training in the field. I suppose it’s supposed to make us feel that they’re not ordinary run-of-the-mill cheap hackers, but cultured ones. I’m not sure their mathematics professors would share in their pride in the ways they’ve put their training to use.
Ominously, cyberwarfare seems to have adopted the language of nuclear weaponry. Experts have noted that Gauss contains a mysterious “warhead” and “payload”:
“Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation.” Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations.
Oddly, those studying Gauss can’t yet figure out what configuration the virus seeks out in the target computer before deciding to hit it.
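Why a payload can be “activated on certain specific system configurations” and still resist the people studying it comes down to where the decryption key lives. If the key is not stored in the sample but derived from the target machine’s own configuration, an analyst holding only the file has ciphertext plus a search problem: guess candidate configurations until one yields a key that checks out. The following is an added illustration of that analyst-side problem, not code from the original post or from Kaspersky. The configuration string, the iterated SHA-256 key derivation, the HMAC gate-check tag and the SHA-256 counter-mode keystream are all constructed assumptions for the demo; the page states that Gauss’s real gating configuration is unknown, and nothing here claims otherwise.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed stand-in for "the system configuration the payload is keyed to".
# The real Gauss condition is unknown (see the post); this is only demo data.
TARGET_CONFIG = "C:\\Program Files\\ExampleSuite;PATH=C:\\Windows;C:\\Tools"


def derive_key(config: str, rounds: int = 10_000) -> bytes:
    """Iterated SHA-256 over the configuration string (assumed construction).

    Iterating makes every candidate the analyst tries cost `rounds` hashes,
    which is the point of keying a payload to the environment: the file alone
    does not contain the key, only a way to recompute it on the right machine.
    """
    digest = config.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream XORed over data (demo cipher, not for production)."""
    out = bytearray()
    for block_index in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_index.to_bytes(8, "big")).digest()
        chunk = data[block_index * 32:(block_index + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def gate_tag(key: bytes) -> bytes:
    """Tag a loader could use to confirm it derived the right key before doing anything."""
    return hmac.new(key, b"gate-check", hashlib.sha256).digest()


def seal(payload: bytes, config: str) -> Tuple[bytes, bytes]:
    """Produce what an analyst would find on disk: ciphertext plus the gate tag."""
    key = derive_key(config)
    return keystream_xor(key, payload), gate_tag(key)


def attempt_recovery(ciphertext: bytes, tag: bytes, candidates: Iterable[str]) -> Optional[bytes]:
    """Analyst side: derive a key from each candidate configuration and accept
    the decryption only when the tag matches. Returns None if no candidate fits."""
    for config in candidates:
        key = derive_key(config)
        if hmac.compare_digest(gate_tag(key), tag):
            return keystream_xor(key, ciphertext)
    return None


# Constructed sample "payload" and the sealed form an analyst would start from.
SAMPLE_PAYLOAD = b"constructed-payload: stands in for the still-undecrypted module"
CIPHERTEXT, TAG = seal(SAMPLE_PAYLOAD, TARGET_CONFIG)


def demo() -> bool:
    """Show the two outcomes: wrong guesses yield nothing, the right one yields the payload."""
    wrong_guesses = [
        "C:\\Program Files\\Other;PATH=C:\\Windows",
        "C:\\Program Files;PATH=D:\\",
    ]
    if attempt_recovery(CIPHERTEXT, TAG, wrong_guesses) is not None:
        return False
    return attempt_recovery(CIPHERTEXT, TAG, wrong_guesses + [TARGET_CONFIG]) == SAMPLE_PAYLOAD


if __name__ == "__main__":
    print("recovered with correct configuration:", demo())
```

The loader-side check and the analyst-side search use the same tag, which is what lets an analyst recognise success without knowing the plaintext in advance; the cost of the search is the candidate space times the derivation work, and with no idea which configuration attributes feed the derivation that space is effectively unbounded, which matches the situation the post describes.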
One of the ways the virus harvests financial information is by seeking out cookies related to credit card and other online transactions. It also harvests browsing history and stored passwords. This would enable the hackers to actually penetrate the bank accounts and either use them or view their transaction history. Servers to which information was uploaded were located in India, Portugal and the U.S. Gauss has been in existence for about a year.
Given that this infection appears not to target Iranian banks specifically, it appears that the Israeli hackers were specifically looking at Hezbollah-related banking transactions largely within Lebanon. Another interesting factor that Kaspersky noted is that one of the module names contains “Gauss White.” In Arabic and Hebrew the word Lebanon derives from the root LVN or “white.” This would be a further indication that the hackers spoke a Semitic language like Arabic or Hebrew and their targets were mainly in Lebanon.
There were fewer than half as many penetrations of computers in Israel and the Occupied Territories as in Lebanon (750 to 1,600). If Israelis are the culprit, they might also want to follow the trail of financial transactions from Lebanon to the Territories to determine if Hezbollah might be financing any local terror activities through Palestinian banks.
I can’t answer the question why Israeli cyberwarriors would have infected their own country’s computers if their ultimate goal was intercepting Lebanese banking data. I suppose that, like Stuxnet, which accidentally infected computers around the world well outside its specified Iranian targets, the Israeli infections are accidental or mistakes. It’s marginally possible that Iranian hackers are attempting to follow financial trails in Lebanon and/or Israel, though that logic seems harder to fathom.
It’s hard to know whether Gauss, like Stuxnet, was a joint Israeli-U.S. venture. If Gauss was keyed to Iranian financial activity then the U.S. might be involved. If it was targeting Hezbollah specifically, I think the U.S. would be less interested and less likely to be a partner to its development.
Kaspersky, unfortunately, has not been able to determine the method by which Gauss infects the computers it attacks.
Zhu Bajie says
Is Gauss aimed at Windows? Or other operating systems as well?
Richard Silverstein says
Windows, I believe.