Kaspersky Labs reports (and here) a new computer virus infection using some of the same coding as Flame, an earlier major malware creation largely attributed to Israel cyberwarfare experts (probably affiliated with the IDF’s Unit 8200):
A more in-depth analysis conducted in June 2012 resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to C&C servers, as well as numerous other similarities to Flame.
In our opinion, all of this clearly indicates that the new platform which we discovered and which we called ‘Gauss,’ is another example of a cyber-espionage toolkit based on the Flame platform.
Gauss is a project developed in 2011-2012 along the same lines as the Flame project. The malware has been actively distributed in the Middle East for at least the past 10 months. The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.
The virus appears keyed to intercepting information related to Lebanese banking transactions:
Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks – for instance, Bank of Beirut, Byblos Bank, and Fransabank.
This tells me one thing immediately: given the uptick in terror attacks against Israeli targets over the past few months, Israel is seeking to follow the trail of financial transactions by Hezbollah-Syrian-Iranian interests in Lebanon. Though it’s unclear specifically what they might be seeking, it’s certainly possible that these terror attacks and their perpetrators are using Lebanese financial institutions to bankroll their activities. It’s also possible that Iranian banks might be using Lebanon as an outlet for financial-business transactions that circumvent international sanctions.
Several key aspects of the code are named for various distinguished figures in the history of mathematics. This seems to be an attempt by the hackers to boast of their academic training in the field. I suppose it’s supposed to make us feel that they’re not ordinary run-of-the-mill cheap hackers, but cultured ones. I’m not sure their mathematics professors would share in their pride in the ways they’ve put their training to use.
One of the ways the virus harvests financial information is by seeking out cookies related to credit card and other online transactions. It also will harvest browsing history and passwords registered. This would enable the hackers to actually penetrate the bank accounts and either use them or view their transaction history. Servers to which information was uploaded were located in India, Portugal and the U.S. Gauss has been in existence for about a year.
Given that this infection appears not to target Iranian banks specifically, it appears that the Israeli hackers were specifically looking at Hezbollah related banking transactions largely within Lebanon. Another interesting factor that Kaspersky noted is that one of the module names contains “Gauss White.” In Arabic and Hebrew the word Lebanon derives from the root LVN or “white.” This would be a further indication that the hackers spoke a Semitic language like Arabic or Hebrew and their targets were mainly in Lebanon.
There were less than half as many penetrations of computers in Israel and the Occupied Territories as in Lebanon (750 to 1,600). If Israelis are the culprit, they might also want to follow the trail of financial transactions from Lebanon to the Territories to determine if Hezbollah might be financing any local terror activities through Palestinian banks.
I can’t answer the question why Israeli cyberwarriors would have infected their own country’s computers if their ultimate goal was intercepting Lebanese banking data. I suppose that like Stuxnet, which accidentally infected computers around the world well outside its specified Iranian targets, that the Israeli infections are accidental or mistakes. It’s marginally possible that Iranian hackers are attempting to follow financial trails in Lebanon and or Israel. Though that logic seems harder to fathom.
It’s hard to know whether Gauss, like Stuxnet, was a joint Israeli-U.S. venture. If Gauss was keyed to Iranian financial activity then the U.S. might be involved. If it was targeting Hezbollah specifically, I think the U.S. would be less interested and less likely to be a partner to its development.
Kaspersky, unfortunately, has not been able to determine the method by which Gauss infects the computers it attacks.
This article appeared at Tikun Olam