In February, I had the opportunity to spend time with Kaspersky experts and security writers from around the world. The primary discussion during those meetings was the concept of cyber war and if there were cyber wars happening in the world now. The general consensus in February was no.
If the conversation came up today, the general consensus may still be no, but we are edging closer, with issues like Stuxnet and Flame. And today, Kaspersky Lab announced the discovery of Gauss, a new cyber threat targeting users in the Middle East. According to a release on the finding, Gauss is a complex, nation-state-sponsored, cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies and specific configurations of infected machines.
The new malware was discovered after Flame, during the course of the ongoing effort initiated by the International Telecommunication Union. As Alexander Gostev, chief security expert, Kaspersky Lab, said in a release:
Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasizing stealth and secrecy; however, its purpose was different to Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.
The researchers at Kaspersky think the virus operation began in August and September of 2011 around the same time Duqu was discovered. According to the SecureList blog:
Since late May 2012, more than 2,500 infections were recorded by Kaspersky Lab’s cloud-based security system, with the estimated total number of victims of Gauss probably being in tens of thousands.
The Kaspersky experts believe Gauss is less sophisticated than Flame, but the interesting thing about Gauss is its focus on banking credentials and browsing history. And unlike Flame, which primarily targeted Iran, Gauss is focused in Lebanon. Again from the SecureList blog:
The presumption is that the attackers are interested in profiling the victims and their computers. Banking credentials, for instance, can be used to monitor the balance on the victim’s accounts - or, they can be used to directly steal money. We believe the theory that Gauss is used to steal money which are used to finance other projects such as Flame and Stuxnet is not compatible with the idea of nation-state sponsored attacks.
I don’t think this is the last of the Flame-Stuxnet-Duqu family that we’ll see, but the new discovery, in my opinion, is yet another reminder of how inevitable a cyber war is.