A new cyber weapon believed, on the basis of shared code, to be linked to the infamous Stuxnet worm has been discovered stealing banking information in Lebanon, according to Moscow-based cyber security firm Kaspersky Lab.
The new malware, dubbed Gauss for an in-code reference to the German mathematician, is designed to “steal and monitor data from clients of several Lebanese banks,” among other nefarious abilities. The code also carries some kind of “special warhead,” an encrypted payload that Kaspersky has so far been unable to decrypt and therefore unable to identify.
Of the more than 2,500 instances of Gauss infections in the Middle East, more than 1,600 of them were discovered in Lebanon and nearly 500 in Israel, Kaspersky said in a blog post.
Kaspersky researchers said they discovered Gauss while investigating Flame, a massive espionage program revealed in May that was able to record nearly everything done on an infected computer, including real-world conversations that took place near it.
Kaspersky researchers had previously linked specific portions of Flame’s code to Stuxnet, believed to be the first true cyberweapon to do physical damage to its target, an Iranian nuclear facility, and to Duqu, a surveillance worm based on Stuxnet. The Russian researchers now say they believe Gauss is related to all three.
“After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories,’” the blog post said.
Kaspersky and several other cyber security firms have said that Stuxnet and its kin are so sophisticated, and required such a commitment of time and expertise, that a nation-state was most likely behind their creation. A 2010 Congressional report on Stuxnet put the U.S. and Israel at the top of a short list of probable suspects, and the New York Times reported that Stuxnet was developed by the two countries as part of a wave of cyber attacks aimed at Iran.
Peter Boogaard, a spokesperson for the U.S. Department of Homeland Security, said the agency is “coordinating with our federal and private sector partners to analyze” Gauss and is “working with organizations that could potentially be affected.”
Kaspersky said that while the vast majority of the infections it has detected were centered in Lebanon, a few instances of Gauss were found on computer systems in the U.S., and the total number of infections is still unknown.