Stuxnet/Flame/Gauss and the limits of cyber espionage
Researchers at Kaspersky Labs are reporting the discovery of another variant of sophisticated spyware that appears to be part of the growing Stuxnet family. The malware was apparently launched in September and discovered in June; the company reported that, “in 140 characters or less, Gauss is a nation state-sponsored banking Trojan which carries a warhead of unknown designation.”
Kaspersky does not speculate about which nation state or states are responsible for this most recent variation, but published reports have placed the credit, or the blame, for Stuxnet with a covert U.S. program conducted in cooperation with Israel.
There is a cyber-libertarian saw that “information wants to be free.” This might or might not be true, but the most recent discovery is an illustration of the difficulty of keeping secrets in cyberspace.
Although cyberspace offers unique opportunities for long-range, asymmetrical warfare and espionage, launching a cyberweapon can effectively put the code into the public domain, giving researchers around the world the opportunity to inspect it.
The Stuxnet family tree is far from clear, but it appears to include Duqu and Flame spyware. Kaspersky wrote in its analysis of the latest discovery that “there are significant similarities in code and architecture between Gauss and Flame. In fact, it is largely due to these similarities that Gauss was discovered.”
The discovery was made as part of the International Telecommunication Union’s Global Cybersecurity Agenda, an international effort to provide training, research and monitoring to help ensure the security of cyberspace. The new Trojan is being called Gauss because of a key module apparently named after the mathematician Johann Carl Friedrich Gauss. (There are other internal references to Kurt Gödel and Joseph-Louis Lagrange.)
It appears to gather banking information, and from its distribution and semantic clues it appears to have targeted Lebanon. The lion’s share of infections, 1,660 of about 2,500, appears in that country. Another 483 were found in Israel and 261 in the Palestinian territories.
The United States has 43 infections and there are small handfuls of infections reported in another 21 countries.
Whatever Gauss was looking for, it no longer is looking. Its command and control servers were shut down in July, shortly after its discovery.
This does not necessarily mean that Gauss is a failure. It might have been able to gather the information it was looking for in the 10 or 11 months it was active, and although it now is dormant it could be called back to active service in the future.
But the continued discovery of malware variants stemming from the Stuxnet project must be frustrating to those who invested the time and money in developing the software. It’s like cloning a superspy only to have his DNA, fingerprints and other biometric data published to the world.
It is a reminder that although cyberspace has been recognized as a military and intelligence domain — alongside land, sea, air and space — it has unique characteristics that create operational challenges as well as opportunities.
The work of dissecting Gauss is not yet complete, Kaspersky notes in its FAQ. “We are still analyzing the contents of these mysterious encrypted blocks and trying to break the encryption scheme. If you are a world class cryptographer interested in this challenge, please drop us an e-mail at firstname.lastname@example.org.”