Country briefing excerpts and analysis from KCS Group
The discovery of a new malware, dubbed Gauss, points to a new wave of cyber terrorism sweeping the Middle East and North Africa region.
The virus has been found in 32-bit Windows systems, with the majority of cases being discovered in Lebanon, Israel and Palestine. It has also, to date, been found in the UAE, KSA and Qatar and is thought to be linked to the Flame attacks uncovered in June this year. Some experts believe it may have been live since last autumn but its effect has only begun to surface.
Designed to capture login details for Internet banking services, Gauss has had a particular focus on Lebanese banks, although PayPal and Citibank have also been targeted. Thought to emanate from the same sources as the Stuxnet and Flame viruses, which have already caused mayhem in the Middle East region, this new virus is unusual in that it does not display the typical behaviour of a worm but rather spreads through infected USBs, its module capable of infecting both 32-bit and 64-bit USB drives.
Experts are still analysing the malware and more is expected, with Kaspersky putting out an appeal mid-August for cryptography enthusiasts to help crack the malware.
“This malware is yet another threat to the MENA region’s security and its repercussions could go deeper,” said Massimo Cotrozzi, one of the world’s leading experts on cyber crime and its prevention. Cotrozzi heads up a dedicated cyber crime division within London’s KCS Group, a long established, global security intelligence and risk management consultancy.
“It is highly likely that Gauss was written by a nation-state supported group; this belief is backed by the fact that it has targeted specific countries. Generally, traditional cyber criminals aim to infect as many machines as possible, anywhere in the world. The fact that Gauss has been contained within three main countries but leaked into others is significant,” Cotrozzi added.
Cyber attacks in the Middle East region have been escalating over the past year. It is widely suspected that the Stuxnet virus and latterly Flame, which have attacked Iran’s nuclear capabilities, were the work of a US-Israeli collaboration.
In defence, Iran, having been the victim, turned perpetrator and launched its own cyber warfare programme, investing in the region of a billion dollars to increase not just its cyber defence but also its offensive abilities, which could have drastic results for its immediate neighbours in the Gulf and Arab Maghreb Union.
That news came in the wake of reports Iran may have been in possession of several advanced US military reconnaissance drones, including a Lockheed RQ-170. The downing of the highly sophisticated unmanned aerial vehicle caused much speculation in the media after the Iranian government claimed to have hijacked the unit’s systems and taken manual control of the device – interception via cyberspace would be another way of putting it.
A subsequent investigation by a Spanish television station in the US contains alarming footage of a former Iranian Ambassador to Mexico discussing the use of cyber attacks targeting the FBI, the CIA, the White House and nuclear power systems in the USA. The aired documentary alleges that Venezuelan and Iranian diplomats were interested in an offer from a group of Mexican hackers to infiltrate the websites at the key US locations. However, inside reports say that the same hackers were Mexican students recruited to do the dirty work. They eventually decided instead to document the evidence to disrupt the plot.
It has also been reported in Israel that Iran’s push for cyber superiority has spurred the Israeli Defence Force to establish a task force similarly aimed at the development of improved cyber security. That Iran has built up a very talented bank of young, sophisticated IT engineers enlisted by the Iranian regime into a semi-covert army is now a fact. To date, it has been used for domestic repression but it could just as easily be deployed as a weapon against external enemies.
Iran certainly has immense capabilities in cyber space – illustrated especially in 2011 when it was able to selectively turn off parts of the net to hamper Facebook during the 2011 mass protests. Other Arab states have not had that ability.
No one at this stage is saying that it is Iran behind the latest virus attack – but experts within the KCS Group are very aware that the country is building up an incredible talent and could mastermind cyber attacks against important oil installations in the GCC, for example, Kuwait or Saudi Arabia. It is more than a possibility, particularly at a time when, with sanctions against Iran becoming tighter, the oil market is trending higher and retaliation from the Iranians is almost inevitable.
Iran could also pose a threat to countries as far away as North and North West Africa’s Maghreb Union (previously known as the Arab Maghreb Union, AMU), the five-member group comprising Algeria, Libya, Mauritania, Morocco and Tunisia. While the group has not met since 1994, mainly because of the festering dispute over the Western Sahara between Morocco and Algeria, there have been considerable efforts of late to revive the alliance, in the wake of the Arab Spring and with renewed concern for stability and security across the region. And security includes protection against cyber attacks on vital installations, especially in an area that is vulnerable to Jihadists and terrorist groups.
KCS has continually warned against the sophistication of cybercriminal hackers working in concert against Middle East banks and industry, particularly those in the UAE where one now sees increasing cyber-attacks from the Iranians. It is KCS’ estimation that cybercriminal activity is now a greater threat than the illegal narcotics industry ever was and certainly is generating more money.
In a report addressing cybercrime issued at the start of 2011, KCS advised that the sheer scale of cyber-related crime had turned the phenomenon into a major international security concern. KCS wrote that businesses, particularly those in the Middle East and North Africa region, would have little choice but to prepare for sophisticated attacks on computerised database systems and Internet traffic hijacking.
Looking ahead, the cyber-future remains in the balance. Companies in the UAE and AMU will need to take a strategic and yet even more aggressive approach to cyber security during 2013. With particular reference to Iran and China, there is little room to be complacent.
KCS intelligence experts close to the action, however, report that the “events of 2012 suggest that the international cyber security landscape is likely to make public and private organisations throughout the Middle East and North Africa remain on unsteady footing in the foreseeable future.”
In short, the fall-out from instability in the Arab world involves not only counter-terrorism measures; it has also meant increasing efforts by governments and alliances to be one step ahead of the very serious threat of cyber war, which would spell global disaster the likes of which has never been seen before.
KCS Group Staff