More telltale signs of cyber spying and cyber attacks arise in Middle East
A Saudi energy company has lately confirmed that its computer networks were targeted by a cyberattack. But perhaps more important is the discovery of Gauss, malware believed to be related to the Stuxnet worm that attacked Iran's nuclear centrifuges in 2009.
Fears that cyberattacks could shut down key oil-production operations and send shock waves through world oil markets are so far unfounded. But there's good reason for energy companies to keep up their guard, observers say.
"While it's troubling that a strategic entity in Saudi Arabia was hit, what this indicates is only part of a larger picture of cyberattacks and cyberespionage across the region," says John Bumgarner, research director for the US Cyber Consequences Unit, a nonprofit security think tank that advises government and industry.
Others say that bigger picture is not at all clear.
"Shamoon and Gauss might be big deals, not because of what they are, but because they may be part of something larger," says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. "What that larger picture is we just don't understand yet."
Discovered in June, Gauss has a main module that its anonymous creators named after the German mathematician Johann Carl Friedrich Gauss, Kaspersky researchers say. Other components of the malware bear the names of famous mathematicians, including Joseph-Louis Lagrange and Kurt Gödel.
So far, Gauss is known to have infected about 2,500 machines, although that number could be as high as 10,000, Kaspersky says. That's many fewer than Stuxnet infected, but many more than the infections attributed to Flame and Duqu, which had explicit targets.
Gauss zeroes in on data from Lebanese banks, including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and Credit Libanais, Kaspersky reported. In addition, it targets users of Citibank and PayPal.
That might suggest that Gauss is crimeware. Yet, unlike most banking malware used by organized crime groups, Gauss steals detailed information about infected PCs, including browser history, cookies, passwords, and system configurations. It is also capable of stealing access credentials for various online banking systems and payment methods.
Certainly such information can be used to drain funds from accounts. But it also can be used to track the movement of funds between Iran and nations to whom it may be clandestinely selling oil, Mr. Bumgarner suggests. Or such access could be used to detect whether such bank funds are flowing from Iran and other nations to support the Syrian government.
"Gauss collects a lot of information about the host system, network information. It actually fingerprints the DNA of the computer it's on," Bumgarner says. "It's collecting reams of detailed information about the system that amounts to forensic proof for later legal prosecution or some other purpose. Criminal malware doesn't typically do this."
There's something else. Embedded in Gauss is an encrypted payload reminiscent of Stuxnet – apparently waiting until it finds itself on exactly the right system before it will activate. Stuxnet infected more than 100,000 machines worldwide, but only activated and destroyed 1,000 centrifuges inside Iran's Natanz nuclear fuel refining facility. So, too, Gauss is searching, but for what?
Cracking the encryption is the key to discovering what Gauss is after. So far, investigators have not been able to do it.
“Despite our best efforts, we were unable to break the encryption,” Kaspersky researchers wrote in a blog post Aug. 14. “So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology, numerology and mathematics to join us in solving the mystery and extracting the hidden payload.”