Malware and cyberespionage tools like Gauss are hitting U.S. banking institutions and businesses from all corners of the globe. But why are these sometimes not-so-sophisticated attacks causing so much damage?
Roel Schouwenberg, a senior researcher at Moscow-based Kaspersky Lab, says organizations are not placing enough emphasis on security. And with the advent of new nation-state-sponsored attacks increasingly targeting industries linked to critical infrastructure, it's time for a mindset and technology change, he says.
"A lot of companies aren't investing enough money into security," Schouwenberg says in an interview with BankInfoSecurity's Tracy Kitten (transcript below). "Some companies are suffering sabotage because of that, and their business is crippled for some period of time."
In mid-July, researchers at Kaspersky Lab discovered Gauss, a new malware cyberthreat that was targeting online banking users in the Middle East. But Schouwenberg says it's likely users throughout the world have been affected. Because so many malware attacks are aimed at U.S. business and finance, it's safe to assume, he adds, that industry in the States was affected by Gauss, too.
Gauss, a complex cyberespionage toolkit designed to steal sensitive banking data, is similar to Flame, Stuxnet and Duqu. And even though Stuxnet is believed to been launched by the U.S. government, it did infect businesses in the U.S.
"Stuxnet was found in countries all over the world, including the United States," Schouwenberg says. "And in the United States, it was actually found within critical infrastructure."
These attacks are successfully infiltrating networks and systems because businesses have not paid much attention to cybersecurity, Schouwenberg says. Despite security experts' ongoing warnings that cyberthreats have reached a tipping point, organizations have seen little incentive to make any additional security investments or cultural changes, he says.
During this interview, Schouwenberg discusses:
- Why nation-state attacks are on the rise;
- Steps international governments should take to address increasing global cyberthreats;
- Why malware is the cybersecurity world's greatest concern.
Schouwenberg serves as senior researcher for the Americas within the global research and analysis division at Kaspersky Lab, a security research firm in Moscow. He joined the company in 2004, and since 2008, he has overseen malware monitoring and analysis of cyberincidents in North America. Schouwenberg focuses on targeted attacks - including those used in cyberwarfare - and proactive technologies. He also investigates new platforms and technologies. And he's a founding member of the Anti-Malware Testing Standards Organization and serves on its board of directors.
Cyberespionage and Cybersurveillance
TRACY KITTEN: Gauss is similar to Stuxnet, Flame, and Duqu. - all cyberespionage viruses used in so-called nation-state attacks. How did researchers first discover Gauss?
ROEL SCHOUWENBERG: We actually discovered Gauss because of our investigations into Flame. When we do deep-dive investigations, we go through our malware collection and try to find files that are very similar to the file that we are currently studying. So during this investigation, we found some old files that really looked like Flame. And when we analyzed them a bit deeper, we saw that these files were built on the Flame platform but were something different all together. That is how we found Gauss.
KITTEN: Why is Gauss believed to be in the same family as the other cyberespionage viruses? You noted that it looks a lot like Flame, but what about Duqu?
SCHOUWENBERG: So it looks a lot like Flame. ... It's built on the same basis the same source code. It's not built by the people who built Flame. That means that somehow their code must have been leaked or stolen, which would be a very, very scary scenario. And how do we know that Flame and Stuxnet, and therefore Duqu, are related? Well, when we found Flame we also realized that Flame had some things in common with the first variant of Stuxnet, which wasn't as well studied as the second variant of Stuxnet. It was actually the second variant of Stuxnet that was discovered first. So what we actually found in the first variant of Stuxnet was basically a precursor to Flame.
We found that one of the Stuxnet modules ... was in fact Flame, and that really showed to us that the Stuxnet team and the Flame team had some cooperation. There were some other things prior to this discovery that had us believe that there were some commonalities between these two teams. But the fact that Flame source code was shared with the Stuxnet people meant there was a very strong connection. With regard to Duqu, Stuxnet and Duqu were built on the same platform, very much like Flame and Gauss are built on the same platform.
KITTEN: So what is it that makes Gauss more concerning or threatening than some of its predecessors?
SCHOUWENBERG: That's a good question. I'm not sure if it's more concerning. It is definitely very different. Up until now, we had always said these nation-state-sponsored attacks, but they don't go after your banking credentials. Now, Gauss is proving us wrong. ... We had always said that one of the reasons why this was nation-state-sponsored was because there wasn't a clear financial motive. With Gauss, obviously, things have changed a bit. Some of these operations, such as Flame and Duqu, very clearly look like cyberespionage operations. Gauss looks very much like a cybersurveillance operation. So we don't know if Gauss is actually used to transfer funds from accounts or if it was just used to monitor accounts - such as monitor money flow.
Motive for Attacks
KITTEN: Do we have any idea about who might be behind some of these attacks?
SCHOUWENBERG: Well, what we know for sure is that Gauss is coming from the same factory that was responsible for Flame, and, by extension, also Stuxnet and Duqu. With regard to actual attribution, we don't know. Attribution in cyberspace is extremely difficult, and it is very easy to get misled or to just be confused. So we focus strictly on the technical details.
KITTEN: Gauss was first identified in July, after it had infected more than 2,500 personal computers in Lebanon, Israel and the Palestinian territories. The virus targets online banking credentials, as you've noted. Why do you think that bank accounts and payment transactions are the primary targets?
SCHOUWENBERG: I think that Gauss is a cybersurveillance operation, so it makes sense for government to monitor certain groups. ... And monitoring money flow is obviously something that is very interesting for government as well to see what exactly is going on. But it's just not about targeting specific number of banks and some other payment systems; it is also targeting social network and your general browser passwords.
Even though the banking aspect of it is very big, it's not the only aspect of it. And we should see Gauss as not just attacking banks or banking credentials, but an overall cybersurveillance operation that should be seen in light of a bigger operation that involves also Stuxnet and the other operations that we've discussed. We shouldn't see Gauss just as an operation by itself.
KITTEN: It's an interesting point because it relates to the next question I was going to ask, and that is to ask why financial institutions in this particular part of the world - Lebanon, Israel and the Palestinian territories - were being targeted?
SCHOUWENBERG: Obviously, we don't know the motives of the attackers. But given that is a cybersurveillance operation, I think at that point the attacker simply wants to get as much information as possible. And watching money flow can be very useful information.
Future Gauss Attacks?
KITTEN: Have the attacks spread to other parts of the world, or have there been any updates related to these Gauss attacks?
SCHOUWENBERG: Well, we are researching Gauss. In the middle of July, basically, the so-called command-and-control servers were taken offline and it looked like the operation had been stopped completely. So there, effectively, hasn't been any update. ... Even though we've only managed to identify about 2,500 infected machines ... we estimate that the total amount of infected machines globally is in the tens of thousands.
Detecting and Stopping Gauss
KITTEN: So what steps are banking institutions taking to detect and stop Gauss attacks?
SCHOUWENBERG: Well, we shared our findings with financial institutions, and I think, for them, it doesn't change a whole lot. They are being targeted by malware on a daily basis. And this particular piece of malware, though interesting, is still just malware. So there isn't anything that can be used to tell financial institutions, "Hey, when you see this kind of behavior, that means it is Gauss." There are no such clues, in this particular case. Banks are basically just treating Gauss as they would any other piece of malware.
KITTEN: Are you aware of any steps that are being taken at the national level to protect systems from attacks like Gauss?
SCHOUWENBERG: Governments are realizing that with the advent of these nation-state-sponsored attacks, things are getting more and more serious. ... So I definitely think that, globally, this is being discussed on an increasingly higher level. ... Obviously, there are big discussions, with regard to what should be mandated or what shouldn't be mandated. ... A lot of companies aren't investing enough money into security. Some companies are suffering sabotage because of that, and their business is crippled for some period of time. Maybe some governments globally are now considering the idea of an additional mandate that will further encourage companies to be more secure and pay more attention to security.
KITTEN: Why are these so-called nation-state attacks on the rise, and what would you say institutions and other industries across the board should take to help mitigate their risks? Is it just investing in more layers of security?
SCHOUWENBERG: These attacks are on the rise because they are very cheap and very risk-free. When we look at traditional warfare there are basically only a few major players globally. When we look at things in cyberspace, things change dramatically. A country with just 1 million inhabitants can become a [a serious cyberwarfare] player [and international threat]. ... You don't need physical resources to go into cyber, so it is a very low threshold [for entry], and it's very easy to do. And I think that is one of the major risks.
For instance, Stuxnet was found in countries all over the world, including the United States. And in the United States, it was actually found within critical infrastructure. Luckily, the Stuxnet offers were very thorough in how they were targeting machinery; otherwise power could have gone down within the U.S. because of Stuxnet. So we are dealing with huge issues here.
With regard to how to mitigate risk, that is a very tough question that I think everybody is currently trying to answer.
It is clear that more investment into security is needed. We are seeing not just a rise in nation-state sponsored attacks, but also a huge rise in cyberespionage, in general. Many of those attacks attacking U.S. companies are not very high quality. Even so, these attacks are successful, and that just goes to show that we need to raise the bar and make it more difficult for these attackers. If these attackers are able to get into our networks using 10- to 15-year-old techniques, that means something is very wrong.