BEIRUT: Over the past 11 months, eight sophisticated digital virus strands have targeted computers across Lebanon.
The viruses surreptitiously infiltrate the operating system, mine the computer's data for account information and then send that data to five command and control servers around the world. The attack – the most sophisticated malware ever unleashed on the country and likely sponsored by a nation-state – pulls Lebanon into the crosshairs of a cyber-espionage battle that has been waged over computers in the Middle East for the past several years.
While at first glance the attack, named Gauss, appears to be aimed at identity theft, the sophistication of the programming behind its eight modules goes far beyond a money-making scheme.
Only Russia, China, Israel and the U.S. have the programming capabilities to craft such a piece of stealth malware, security experts say. And it is likely one of those countries that launched the information-mining attack now targeting Lebanese financial and email accounts.
The specialized virus from an international power has sent shock waves throughout the banking industry.
“They are frightened and they don’t know what to do,” says a Web security expert who works with the banking industry in Lebanon.
“It’s a direct attack against the banking sector in Lebanon, one of the most stable sectors in Lebanon,” the expert says. “If it collapses, maybe the country will fall into chaos.”
Security experts say the cyber security protection of the government and of many businesses lags well behind the industry standard, leaving people at exceptional risk of having their information compromised.
Gauss mines personal information from the computers it infects: it can harvest usernames and passwords for Lebanese bank accounts, social networking sites and email services.
After collating the personal information, the modules secretly send it back to five command and control servers in India, Portugal and the U.S., according to the Russian company Kaspersky Labs, which announced the discovery of the malware Thursday.
But only part of the malware's capabilities is known. Some components are encrypted and other areas have not yet been explored. Experts are not even sure yet of the main method of the virus's distribution or of its country of origin.
What is unusual about this virus is how tightly it homed in on Lebanon.
Many virus outbreaks reach their target countries slowly, by way of file transfers from people in other nations. But of the 2,500 infections Kaspersky Labs documented, 1,660 were in Lebanon. The company says the number of detected infections is likely only a small portion of the total number in the country.
“It’s actually uncanny how well they managed to keep it in a geographical region,” says Daniel Bilar, a director of research at a cyber security organization in the U.S. “This is espionage [information] gathering ... You need a lot of international power behind this.”
The discovery of the virus comes weeks after the U.S. Justice Department condemned a Lebanese bank for laundering money for Hezbollah and South American drug cartels. The government renewed sanctions Friday on the armed political party.
The Gauss attack also comes amid a broad U.S. effort to force banks to tighten financial sanctions on Syria and Iran. The effort most recently saw U.S. officials alleging a U.K. bank, Standard Chartered, was breaking sanctions and laundering money for Iran.
Allegations of money laundering are widely denied by Lebanese bank officials. But some banking security advisers say the industry is deeply concerned and looking for ways to protect itself.
Beyond the financial crackdown, the discovery of Gauss is also tied to a cyber-espionage campaign in the Middle East that has been uncovered over the past several years, mainly by a Russian security company.
“The discovery of Gauss indicates that there are probably many other related cyber-espionage malware in operation,” Kaspersky Labs reported Thursday. “The current tensions in the Middle East are just signs of the intensity of these ongoing cyber war and cyber-espionage campaigns.”
According to The New York Times, in 2009 the U.S. likely carried out a barrage of cyber attacks against Iran to try to slow the development of its nuclear program. A report this year from The New York Times claims those attacks were part of a broad array of cyber attacks against the Islamic Republic, codenamed Olympic Games, that were approved by both President Barack Obama and his predecessor George W. Bush.
The first shot of the campaign was fired in 2009, when the sophisticated Stuxnet computer worm was being spread on USB sticks in and around Iran.
The worm targeted Iran's nuclear program and heralded a new era in cyber warfare, in an attack far more complex than almost anything seen before. It hijacked the Siemens engineering software used to program industrial controllers and injected its own code into the programmable logic controllers driving the process, allowing the worm to collect information, disrupt control of the system and hide the changes from operators.
More cyber attacks followed, and a large number may never have been discovered. Stuxnet itself was discovered in 2010; in 2011 another piece of malware, Duqu, was found that was built on the same platform and was used to gather intelligence from targets including makers of industrial control systems. In 2012, computers across the Middle East were found infected with the Flame malware, which mined data and carried out a cryptographic attack.
Flame escalated the cyber-espionage field even further. Its authors used expert-level cryptography, a chosen-prefix collision against the MD5 hash function, to forge a code-signing certificate that chained to Microsoft, letting the malware pose as a legitimate Windows Update and spread to other machines on an infected network.
Flame shared wide technical similarities with Stuxnet and Duqu, and Kaspersky Labs found that the latest malware, Gauss, appears to have been produced by the same "factory" as Flame.
A technical analysis from Kaspersky Labs found it was likely made by the same country that crafted those earlier cyber-espionage attacks. The technical aspects of Gauss had too much in common with some of the most sophisticated cyber attacks in history to have come from anywhere else, the report said.
But other cyber-security experts caution against drawing a direct line between all of the discovered attacks. There are no definitive identification marks; instead, analysts have to draw comparisons based on the technical construction of the malware.
The components of Gauss are named after famous mathematicians: a brash display of showmanship by the code's authors, or a false lead? It is very difficult to say.
Possibly complicating the issue further is that the main source releasing information about the malware is Kaspersky Labs, a Russian company with ties to the Russian government that may have a stake in the political ramifications of the discovery.
It’s this world of shadowy online conspiracy that Lebanon has now been pulled into.