The Terror Finance Blog

By David Nordell

Reports have spread rapidly over the last week of a new piece of computer malware, named Gauss, that has been detected in thousands of computers, mainly in the Middle East. After the tremendous publicity given to Stuxnet, the cleverly-engineered piece of malware that caused the failure of many of the centrifuges enriching uranium hexafluoride gas for the Iranian nuclear weapons programme, and subsequently to the Flame spyware programme, Gauss has attracted relatively little attention, perhaps because it doesn’t appear to have any destructive properties.

But three things in particular stick out from the news reports about Gauss, especially from the detailed information published by Russian computer security company Kaspersky, which carried out a detailed technical analysis of how Gauss was constructed, all of which point to a possible new trend in cyberwarfare, and in particular how cyberweapons are now being used in the fight against terror financing.

The first is that the malware analysts have concluded that Gauss, like Stuxnet and Flame, was programmed and distributed by a state or state-sponsored hacker group rather than by an independent hacker group: this conclusion was reached on the basis of the sophistication of the programming and encryption techniques used, and because of technical similarities with the previous types of malware that are already believed to have originated in either the US or Israeli intelligence communities, or perhaps through cooperation between the two. The USA and Israel, together with the United Kingdom, Russia and China, are regarded as the countries with the highest level of state capabilities in developing and deploying offensive cyberweapons.

The second is that the vast majority of the Gauss infections so far discovered have been in the Middle East. Of about 2,500 infections in 25 countries counted by Kaspersky Labs up to 31^st July 2012, 1,660 were found in Lebanon, 483 in Israel, and 261 in the Palestinian territories. Apart from a few dozen infections in the USA and Germany, most of the remaining computers infected have been in Arab countries – although of course these statistics bear the caveat that these are only infections that have been detected using Kaspersky’s virus detection software, which is not installed on all possible target computers. Since the Kaspersky report also suggests that Gauss is planted on target computers largely through USB memory sticks, this suggests that Gauss has been planted using an extensive and carefully run human intelligence operation, which again suggests state involvement.

The third and most interesting feature of Gauss is that, at least according to Kaspersky, it is designed to steal bank log-on credentials of Lebanese banks, including the Bank of Beirut, Byblos Bank and Fransabank; and the company’s report claims that this “is the first publicly known nation-state sponsored banking Trojan.”

So what does this all mean? My guess is that either the USA or Israel, or both countries working in tandem, have decided to go well beyond the traditional forms of financial intelligence gathering, using Know Your Customer and transaction data from the international banks carrying our transactions with the Lebanese banking system, which have yielded disappointing results, not least because the European Union has refused to designate Hizbollah as a terrorist organization. Instead, they designed Gauss as spyware to be planted directly on computer systems in Lebanese banks known or suspected to carry out banking operations for Hizbollah, and especially if these banking operations also involve the large sums of Iranian money that have helped to keep Hizbollah afloat. It’s equally possible that Gauss has been engineered to propagate itself from Lebanese bank computers (or bank computers in Dubai, which is also known to act as a proxy for Iranian transactions that the international banking system is supposed to block.

I would also hazard a guess as to a further, longer-term, purpose of Gauss, based on a paragraph in the Kaspersky report that refers to an encrypted payload within the Gauss programme designed to “target a certain system (or systems) which have a specific programme installed. This could either be to withdraw Hizbollah or other Iranian-related funds from the banks where they are deposited, upon receipt of an appropriate message from a command-and-control server, in order to cause embarrassment or tactical damage to the target organization at a suitable time, or simply to wipe all the data relating to these target accounts.

Whether Gauss is indeed nothing more than spyware or it also contains some more destructive payload, what seems to be clear is that cybertools have now become a more sophisticated weapon for counter-terror finance and perhaps also for economic warfare in the Middle East. How effective they will be in fighting Iran and its Lebaanese proxy Hizbollah remains to be seen; but if in some way they help to remove either the nuclear threat that Iran currently poses to the rest of the Middle East and perhaps the whole of the free world, or at least they reduce the threat of Hizbollah reprisal attacks in the event of an Israeli preemptive strike against Iran, they will be a welcome addition to the West’s arsenal, they more so since they are bloodless weapons.