Kaspersky Lab, the Russian security software vendor, has claimed the discovery of a new "cyber threat", named Gauss, which is designed to steal data on bank accounts in Lebanon.
The discovery was made with the support of the UN’s International Telecommunication Union, which also assisted Kaspersky Lab in its discovery of the Flame Trojan earlier this year.
Gauss shares many technical characteristics with Flame, Kaspersky Lab said yesterday, including the fact that it can be transferred over USB drives.
"Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious programme," said Alexander Gostev, chief security expert at Kaspersky Lab. "However, its purpose was different to Flame or [Stuxnet-like ‘cyber espionage’ tool] Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information."
Gauss is designed to steal data related to online accounts at banks including the Bank of Beirut, Byblos Bank and Fransabank, it said.
It is also more widespread than Flame, the company claims, having infected around 2,500 machines, mainly in Lebanon, compared to Flame’s 700, primarily in Iran.
Kaspersky said that the first Gauss infections date back to around September 2011. Kaspersky and ITU discovered the malware in June 2012, and the command and control servers that co-ordinate it were shut down in July 2012.
The resemblance to Flame also leads Kaspersky to conclude that Gauss is a state-backed operation. "Code references and encryption subroutines, together with the Command and Control infrastructure make us believe Gauss was created by the same ‘factory’ which produced Flame," it said. "This indicates it is most likely a nation-state sponsored operation."
"This is the first publicly known nation-state sponsored banking Trojan," Kaspersky claims.
In June, the Washington Post reported that Flame was built by US and Israeli intelligence forces, citing "Western officials with knowledge of the effort". Kaspersky’s implication is that the same is true of Gauss.
Critics have questioned the ITU’s motives in collaborating with Kaspersky. The UN’s International Telecommunication Regulations are due to be renewed later this year, and US politicians have accused the ITU of wanting to give the UN – and therefore China and Russia – greater control of the Internet.
Exposing US and Israeli-backed ‘cyber threats’ would, in theory, be a good bargaining chip in making the case for stronger UN control.
However, the ITU denies that there is any special relationship with Russia’s Kaspersky, saying it is one of many security vendors to participate in its IMPACT campaign against ‘cyber threats’.