State-Sponsored Spying May Be Teaching Cyber-Criminals New Tricks

Did spies or criminals make a sophisticated new malware targeting Lebanese banks?
August 10, 2012

In the past two days researchers have unmasked two sophisticated cyber-espionage tools created by nation states. And some experts now say there’s evidence that criminals are adopting techniques learned from such tools.

A map showing where infections of the sophisticated Gauss malware were found.

On Wednesday, Claudio Guarnieri, a researcher at computer security company Rapid7, shared new details of the workings of FinFisher, a piece of malware sold by UK contractor Gamma Group to government agencies.

FinFisher can turn on webcams, record keystrokes, intercept Skype calls and take over a computer. Gamma Group has said that it is sold only to governments, but little was known about its use. Guarnieri reverse engineered FinFisher’s remote control system to reveal that it is used in a wide range of countries, raising fears that it may be in use by governments with less-than-perfect human rights records, and perhaps by private parties, too. He found FinFisher servers at work in Australia, the Czech Republic, the United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States.

Guarnieri’s post describes it as “frankly embarrassing” that he could so easily break the command and control system used to operate FinFisher. Although what he found didn’t constitute firm evidence the tool has leaked outside government hands, his post concludes:

[O]nce any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes […] As we’ve seen countless times before, and will certainly see again, it’s impossible to keep this kind of thing under control in the long term.

On Thursday, researchers at antivirus company Kaspersky announced their own discovery:

Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines.

They found Gauss thanks to its similarity with Flame, a piece of government-backed spyware discovered in May this year and described as “the most complex malware ever found.” Flame was a kind of multi-purpose data thief, able to send all kinds of data back to its operator. Its newly described cousin Gauss is more specialized, and is concerned with stealing online banking credentials. The tool is most capable at targeting Lebanese banks, but can also grab credentials for Citibank and PayPal accounts. Kaspersky estimates that Gauss has infected some 2,500 computers, mostly in Lebanon, compared to just 700 for Flame. They estimate that Gauss has been operating since September 2011, and that it became “dormant”, waiting for new orders, last month after Kaspersky found it.

Speaking to the New York Times, a security expert from RSA questions Kaspersky’s claim that a state must have created Gauss:

“State-sponsored actors do not go after bank accounts. That’s not to say they couldn’t, but it’s incongruent with traditional nation-state behavior. It’s possible the code was made available underground and repurposed or reused by cybercriminals.”

That raises a more worrying prospect for those Web users not part of the intelligence community – that sophisticated tools such as Stuxnet and Flame are teaching criminals new tricks. Kaspersky’s and other antivirus software has now been updated to detect Flame and Gauss, but modified versions could get around that. In the offline world, secret military technology usually stays secret. But things are different today. As one expert put it to me last month (see “The Antivirus Era is Over”):

“Never have so many billions of dollars of defense technology flowed into the public domain.”

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.