More telltale signs of cyber spying and cyber attacks arise in Middle East

A Saudi energy company has lately confirmed that its computer networks were targeted by a cyberattack. But perhaps more important is the discovery of Gauss, malware believed to be related to the Stuxnet worm that attacked Iran's nuclear centrifuges in 2009.

John Bumgarner, research director for the US Cyber Consequences Unit, a non-profit group that studies the impact of cyber threats, holds a notebook computer while posing for a portrait in Charlotte in this December 2011 file photo.

John Adkisson/Reuters/File

August 21, 2012

More evidence has surfaced that the Middle East has become a cyberspace free-fire zone, with revelations about a destructive new cyberattack on at least one energy company and the exposure of a sophisticated cyberespionage program aimed at Lebanese banks.

Saudi Arabia's national oil company, Saudi Aramco, confirms reports that its computer networks were shut down last week by a malware attack. While its business network was impaired, the "interruption has had no impact whatsoever on any of the company’s production operations," Aramco reported on Facebook Aug. 15.

The next day, computer security firm Symantec announced that an energy firm it would not identify had been targeted by malware that made any computer it infected unusable by wiping clean sectors of the hard drive. There has been no reported connection between Saudi Aramco and the Symantec announcement.

The new software attack weapon, dubbed Shamoon by cybersecurity researchers, is the most recent in a series of attacks targeting key infrastructure in the Middle East region. Stuxnet, discovered in 2010, wrecked nuclear centrifuges in Iran, while its brethren, Duqu and Flame, were designed to clandestinely steal network data.

The Saudi Aramco attack and the Symantec report are reminiscent of Iran's claim that its oil terminal facilities were hit in April by a software weapon it called "Wiper." But analysis comparing the Iranian malware with the just-discovered Shamoon weapons shows them to be unrelated in terms of their authorship, according to Kaspersky Labs, a Moscow-based cybersecurity company.

"Our opinion, based on researching several systems attacked by the original Wiper, is that it is not" Shamoon, reported Kaspersky's Global Research & Analysis Team. "It is more likely that this [Shamoon attack] is a copycat, the work of script kiddies inspired by the story." "Script kiddies" are hackers who have little expertise of their own but who slightly modify existing malware.

A group calling itself the Arab Youth Group has claimed responsibility for the Saudi Aramco attack, decrying Saudi leaders for their ties to the US. But the group's claim has not been verified. "This action has been done in order to warn the Saudi rulers," said the group's message posted on pastebin, a website often used by hackers to communicate. "If the rulers of Saudi Arabia continue to betray the nation, [they] will face more severe action."

If the Saudi Aramco cyberattack does not appear to be the work of a top-notch sophisticated team, the same cannot be said for another newly discovered act of cyberespionage, dubbed Gauss. Kaspersky publicly disclosed its existence earlier this month. 

Can Syria heal? For many, Step 1 is learning the difficult truth.

Gauss has been linked to a suite of cyberweapons reportedly developed by the United States and Israel to spy on Iran and attack its nuclear infrastructure, Kaspersky researchers who discovered it reported. Stuxnet, Duqu, Flame, and now Gauss share digital features that indicate they were made by the same developer, they conclude.

"After looking at Stuxnet, Duqu, and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories,' ” states the Kaspersky analysis. "All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of 'sophisticated malware.' ”

Fears that cyberattacks could shut down key oil-production operations and send shock waves through world oil markets are so far unfounded. But there's good reason for energy companies to keep up their guard, observers say.

"While it's troubling that a strategic entity in Saudi Arabia was hit, what this indicates is only part of a larger picture of cyberattacks and cyberespionage across the region," says John Bumgarner, research director for the US Cyber Consequences Unit, a nonprofit security think tank that advises government and industry.

Others say that bigger picture is not at all clear.

"Shamoon and Gauss might be big deals, not because of what they are, but because they may be part of something larger," says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. "What that larger picture is we just don't understand yet."

Discovered in June, Gauss has a main module that its anonymous creators named after the German mathematician Johann Carl Friedrich Gauss, Kaspersky researchers say. Other components of the malware bear names of famous mathematicians, including Joseph-Louis Lagrange and Kurt Göde.

So far, Gauss is known to have infected about 2,500 machines, although that number could be as high as 10,000, Kaspersky says. That's many fewer than Stuxnet infected, but it's many more than the number of attacks coming from Flame and Duqu, which had explicit targets.

Gauss zeroes in on data from Lebanese banks, including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and Credit Libanais, Kaspersky reported. In addition, it targets users of Citibank and PayPal.

That might suggest that Gauss is crimeware. Yet, unlike most banking malware used by organized crime groups, Gauss steals detailed information about infected PCs, including browser history, cookies, passwords, and system configurations. It is also capable of stealing access credentials for various online banking systems and payment methods.

Certainly such information can be used to drain funds from accounts. But it also can be used to track the movement of funds between Iran and nations to whom it may be clandestinely selling oil, Mr. Bumgarner suggests. Or such access could be used to detect whether such bank funds are flowing from Iran and other nations to support the Syrian government.  

"Gauss collects a lot of information about the host system, network information. It actually fingerprints the DNA of the computer it's on," Bumgarner says. "It's collecting reams of detailed information about the system that amounts to forensic proof for later legal prosecution or some other purpose. Criminal malware doesn't typically do this."

There's something else. Embedded in Gauss is an encrypted payload reminiscent of Stuxnet – apparently waiting until it finds itself on exactly the right system before it will activate. Stuxnet infected more than 100,000 machines worldwide, but only activated and destroyed 1,000 centrifuges inside Iran's Natanz nuclear fuel refining facility. So, too, Gauss is searching, but for what?

Cracking the encryption is the key to discovering what Gauss is after. So far, investigators have not be able to do it.

“Despite our best efforts, we were unable to break the encryption,” Kaspersky researchers wrote in a blog post Aug. 14. “So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology, numerology and mathematics to join us in solving the mystery and extracting the hidden payload.”