Several Lebanese banks were targeted by a sophisticated new virus capable of stealing financial data, researchers say, with evidence suggesting the cyber attack may have been state-backed.
According to Kasperky Lab, which discovered the attack it dubbed ‘Gauss’, the virus was based on the same platform as Stuxnet, a cyber weapon that attacked Iranian nuclear infrastructure in 2010, and cyber espionage tools Duqu and Flame.
“We’re talking here about Bank of Beirut, Blom Bank, Byblos Bank, Credit Libinais - most of them are banks that are based in Lebanon,” Stefan Tanase, a senior security researcher for Kaspersky Lab based in Moscow, told Arabian Business.
He added that systems belonging to Citibank and online payments firm Paypal had also been infected.
Tanase said that the virus, which is spread via USB drives, was designed to monitor financial transactions and emails and had so far infected around 1,600 computers in the Levant country. He said that researchers had so far not seen evidence to suggest other machines in other countries in the region had been infected.
“The likely case is that [the attacker] is monitoring transaction flows to gather intelligence about their victims,” Tanase said, adding that the virus could be used by “a nation state operation that is financing itself by stealing money from the victims,” but he thought this was unlikely.
Kaspersky Lab refused to speculate on who might be behind the attack, but said that the complexity of Gauss’s code and its shared characteristics with Stuxnet, Duqu and Flame strongly suggested the attack was state-sponsored.
Tanase said that Gauss contained a heavily encrypted payload which would only be triggered when the virus infected a specific machine.
Stuxnet, which also spread via USB drives, had a similarly encrypted module that was only triggered when it infected centrifuges at Iran’s uranium enrichment facility in Natanz. Stuxnet was designed to cause nuclear centrifuges to spin out of control and eventually break, but the plant’s operators discovered the attack before this could occur.
Kasperky Lab’s Tanase said that the security firm had seen the type of encryption used in Gauss before and was hopeful that the company could decrypt the mystery module within a few weeks.
Bank of Beirut, Blom Bank, Byblos Bank, Credit Libinais, Citigroup and Paypal did not immediately response to Arabian Business's request for comment.