Latest StuxNet Incarnation Resembles Alleged Project of Murdered GCHQ Officer

Kaspersky Lab has found a new piece of malware in the Stuxnet/Flame family, which it has called Gauss. As Wired summarizes, the malware is focused geographically on Lebanon and has targeted banks.

A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to researchers.

The malware, which steals system information but also has a mysterious payload that could be destructive against critical infrastructure, has been found infecting at least 2,500 machines, most of them in Lebanon, according to Russia-based security firm Kaspersky Lab, which discovered the malware in June and published an extensive analysis of it on Thursday.

The spyware, dubbed Gauss after a name found in one of its main files, also has a module that targets bank accounts in order to capture login credentials. The malware targets accounts at several banks in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets customers of Citibank and PayPal.

I find that interesting for a number of reasons. First, every time banks have squawked about our government’s access to SWIFT to track terrorist financing, the spooks have said that if they can’t use SWIFT they’ll get the information by other means; it appears this malware may be just that. The focus on Lebanon fits, too, given the increasing US claims about Hezbollah money laundering in the time since Gauss was launched. I’m even struck by the coincidence of Gauss’ creation last summer, around the same time that John Ashcroft was going through the Lebanese Canadian Bank to find any evidence of money laundering rather than, as happens with US and European banks, crafting a settlement. I can imagine how that kind of access to a bank would give you some hints about how to build malware.

But the other thing the malware made me think of, almost immediately, was the (I thought) bogus excuse some British spooks offered last summer to explain the murder of Gareth Williams, the GCHQ officer, who had worked closely with NSA, found dead in a gym bag in his flat in August 2010. Williams was murdered, the Daily Mail claimed, because he was working on a way to track the money laundering of the Russian mob.

The MI6 agent found dead in a holdall at his London flat was working on secret technology to target Russian criminal gangs who launder stolen money through Britain.

[snip]

But now security sources say Williams, who was on secondment to MI6 from the Government’s eavesdropping centre GCHQ, was working on equipment that tracked the flow of money from Russia to Europe.

The technology enabled MI6 agents to follow the money trails from bank accounts in Russia to criminal European gangs via internet and wire transfers, said the source.

‘He was involved in a very sensitive project with the highest security clearance. He was not an agent doing surveillance, but was very much part of the team, working on the technology side, devising stuff like software,’ said the source.

He added: ‘A knock-on effect of this technology would be that a number of criminal groups in Russia would be disrupted.

‘Some of these powerful criminal networks have links with, and employ, former KGB agents who can track down people like Williams.’

Frankly, I always thought that explanation was bogus–I suggested that the Brits could just partner with the US to access such data via SWIFT. And whatever it means, I haven’t seen such an explanation since.

But I do find it rather interesting that one of the most prominent unsolved murders of a spook was blamed–at around the time the StuxNet people were working on Gauss–on a plan to track money laundering.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

9 replies
  1. Arbusto says:

    Sounds more like Mossad dicking around with derivatives of StuxNet we so nicely provided them. Israel got its hat handed to it invading Lebanon in ’06 by Hezbollah and would love to fuck up Hezbollah infrastructure.

  2. earlofhuntingdon says:

    So if Swift or any other data base the US is interested in won’t gladly hand over free, real time access, the US will simply hack into the system. Needless to say, such hacking would be felonies in every jurisdiction. If Julian Assange tried that, the US would kidnap him and put him in a Gitmo-like jail for life, without prosecution, trial or appeal.

  3. P J Evans says:

    I thought it was interesting that Kaspersky was sending out an email that was, summarizing, ‘we found this; it does this, this, and this; don’t worry about it’. First time I’ve gotten anything like that.

  4. JohnLopresti says:

    There’s an article at CSO which describes Gauss as a use of chunks of Flame code as a malware Advanced Persistent Threat toolkit, with purpose related to a national government in the middle east region; but the articles I have seen mention three countries, more than one nation as targets.

    Reagan could have done much differently in the Middle East during his ten years of manufacturing policy for that zone; spanning the trotting out of the Missouri to the gray eminence management of a putative October Surprise.

    The CSO article I read, and one from RSA, seem to say the trojan remains partly un-decrypted; but that Gauss’ deploying entity/ies is/are likely to alter the malware code, given its discovery recently. That probably means things like searching for Palida Narrow font might produce a null result which is meaningless Real Soon Now.

    That Syria has been the site of two years of armed conflict in the region also seems like it might relate to the cyber conflicts, simply by proximity, and because of longstanding economic interests of several nations in the protracted shifts of governments arrayed across the Mediterranean’s southern and eastern rims and beyond.
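The Palida Narrow font mentioned in the comment above was the host indicator Kaspersky published for Gauss: the malware registers that font, so its presence in the Windows Fonts registry key is a cheap check. The following is an added example, not code from the post, the commenter or Kaspersky, showing how such a check works offline against a `.reg` export of the Fonts key and, as the comment warns, why a miss proves nothing. The registry path is the standard Windows Fonts key; the `.reg` text is constructed, and the `palidanarrow.ttf` file name in it is a placeholder, not a claim about the real file name.

```python
"""Flag the Palida Narrow font in a Windows registry export (.reg).

Added example for the Gauss discussion. The sample export below is
constructed; 'palidanarrow.ttf' is a placeholder file name. A negative
result only says the indicator is absent, not that the host is clean:
a modified build of the malware need not register the font at all.
"""
import re

# Standard Windows key listing installed fonts (name -> font file).
FONTS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"

# The only font-name indicator discussed on the page (matched case-insensitively).
INDICATOR_FONT = "palida narrow"

# Constructed sample export; not a capture from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Arial (TrueType)"="arial.ttf"
"Palida Narrow (TrueType)"="palidanarrow.ttf"
"Tahoma (TrueType)"="tahoma.ttf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data ; the name may contain escaped quotes or backslashes.
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export.

    String data keeps its unescaped text; other data kinds (dword:, hex:)
    are kept raw, which is enough for the Fonts key where every value
    is a string naming a font file.
    """
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            tree[current][name] = data
    return tree


def find_indicator_fonts(tree, needle=INDICATOR_FONT):
    """List (value_name, font_file) pairs under the Fonts key matching needle."""
    fonts = tree.get(FONTS_KEY, {})
    return [(name, path) for name, path in fonts.items() if needle in name.lower()]


def assess(reg_text):
    """Return (verdict, hits). Absence is deliberately not reported as 'clean'."""
    hits = find_indicator_fonts(parse_reg(reg_text))
    if hits:
        return "indicator present", hits
    return "indicator absent (not evidence of a clean host)", []


if __name__ == "__main__":
    verdict, hits = assess(SAMPLE_REG)
    print(verdict)
    for name, path in hits:
        print(f"  {name} -> {path}")
```

On a live host the same check is `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" fonts.reg` followed by `assess(open("fonts.reg", encoding="utf-16").read())`, since `reg export` writes UTF-16; the parser is kept file-agnostic so it can also run over exports collected from many machines.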

  5. rugger9 says:

    IIRC, Stuxnet has already been traced to us, and now we have this? Exactly how does this help us be considered as honest brokers in the ME? Exactly how does this help us reach the Iranian rational majority? This is the kind of thing that would get the Guardian Council into a deeper alliance with the Russians [who already are the source of the nuclear know-how] and the Chinese. There’s a good reason to keep this kind of thing secret.

    OT, one wonders how Ryan is going to do on the campaign trail, seeing how he ran away from his own town hall regarding his budget. There are no evangelicals on the ticket. Neither Mittens nor Ryan are “proven” social conservatives. And, while Mitt may have the first ballot commitment, Ryan does not and the Paul and Santorum delegates may exact some price to go along with this or just select their own guy. Pass the popcorn….

  6. Frank33 says:

    OT unless the Government has created Ultra Malware, that can wipe out computer servers, all over the world. But Gizmodo says the FBI claimed Kim Dotcom could erase servers all over the world in a few minutes.

    That is why a Bin Laden type raid was launched, with automatic weapons and choppers and FBI. But it did take a few minutes to find Kim in his secret attic hideout. Apparently, no servers were harmed, by this massive raid. Must have cost somebody a few tens of thousands of dollars.

    Grant Wormald, the detective inspector who oversaw the operation for the Organized and Financial Crime Agency (Ofcanz) said he was told by the FBI that Dotcom “carried a device with him to delete servers around the world”. Apparently, the ‘Doomsday’ delete-all-servers device could have been triggered “in seconds” from any computer or phone on the property.

    Great name, Detective Inspector Grant Wormald, and the FBI never lies. So there might be a whole new set of computer games, created by Secret Hackers, paid by taxpayers, erasing servers all over the world!

  7. Frank33 says:

    Here is a bit more from New Zealand. There is VIDEO!
    http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10826176

    Thirty armed police stormed Dotcom’s Auckland home by road and air to find the device in the FBI-inspired raid in January.

    Almost 30 other officers followed to search for evidence using a warrant since ruled invalid…

    Mr Davison asked about the people who watched the operation unfold on video from the North Shore policing centre on the day of the raid. The United States’ most senior law enforcement officer for cyber crime, Jay Prabhu, was present with Mr Wormald and Crown Law Office staff watching a video feed.

    Asked where the broadcast was from, Mr Wormald refused to say.

    In response to a question from Chief High Court Judge Helen Winkelmann, Mr Wormald said he rejected the option of arresting Dotcom after he left a recording studio about 4.30am, saying: “We were trying to delay as long as we could them making a call to a lawyer.”

    After Dotcom was advised of his rights he could phone a lawyer.
