
State-Sponsored Spying May Be Teaching Cyber-Criminals New Tricks

Did spies or criminals make a sophisticated new malware targeting Lebanese banks?
August 10, 2012

In the past two days, researchers have unmasked two sophisticated cyber-espionage tools created by nation states, and some experts now say there is evidence that criminals are adopting techniques learned from such tools.

A map showing where infections of the sophisticated Gauss malware were found.

On Wednesday, Claudio Guarnieri, a researcher at the computer security company Rapid7, shared new details of the workings of FinFisher, a piece of malware sold by the UK contractor Gamma Group to government agencies.

FinFisher can turn on webcams, record keystrokes, intercept Skype calls, and take over a computer. Gamma Group has said that it is sold only to governments, but little was known about its use. Guarnieri reverse-engineered FinFisher's remote control system and found it in use in a wide range of countries, raising fears that it may be deployed by governments with less-than-perfect human rights records, and perhaps by private parties, too. He found FinFisher servers at work in Australia, the Czech Republic, the United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States.

Guarnieri's post describes it as "frankly embarrassing" that he could so easily break the command-and-control system used to operate FinFisher. Although what he found does not constitute firm evidence that the tool has leaked outside government hands, his post concludes:

[O]nce any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes […] As we’ve seen countless times before, and will certainly see again, it’s impossible to keep this kind of thing under control in the long term.

On Thursday, researchers at antivirus company Kaspersky announced their own discovery:

Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines.

They found Gauss thanks to its similarity to Flame, a piece of government-backed spyware discovered in May this year and described as "the most complex malware ever found." Flame was a multi-purpose data thief, able to send all kinds of data back to its operator. Its newly described cousin Gauss is more specialized and is concerned with stealing online banking credentials. The tool is most capable at targeting Lebanese banks, but it can also grab credentials for Citibank and PayPal accounts. Kaspersky estimates that Gauss has infected some 2,500 computers, mostly in Lebanon, compared with just 700 for Flame. The researchers estimate that Gauss has been operating since September 2011 and that it went "dormant", waiting for new orders, last month after Kaspersky found it.

Speaking to the New York Times, a security expert from RSA questioned Kaspersky's claim that a state must have created Gauss:

“State-sponsored actors do not go after bank accounts. That’s not to say they couldn’t, but it’s incongruent with traditional nation-state behavior. It’s possible the code was made available underground and repurposed or reused by cybercriminals.”

That raises a more worrying prospect for Web users outside the intelligence community: that sophisticated tools such as Stuxnet and Flame are teaching criminals new tricks. Kaspersky's antivirus software, and that of other vendors, has now been updated to detect Flame and Gauss, but modified versions could evade those signatures. In the offline world, secret military technology usually stays secret. But things are different today. As one expert put it to me last month (see "The Antivirus Era is Over"):

“Never have so many billions of dollars of defense technology flowed into the public domain.”
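To make concrete why a signature update is not the end of the story, here is an added example; it is not code from this article, from Kaspersky, or from any antivirus product. It uses a constructed byte string as a stand-in for a malware sample and derives two toy signatures from it: a whole-file hash and a byte pattern. Appending a single byte defeats the hash signature but not the pattern; XOR-encoding the region the pattern covers, as a repacked variant might, defeats both. The sample contents, the pattern, and the XOR key are all assumptions made for the illustration.

```python
import hashlib

# Constructed stand-in for a malware sample. This is NOT a real Gauss or Flame
# binary; the bytes are invented so the example runs offline.
SAMPLE = (
    b"MZ\x90\x00"
    + b"\x00" * 60
    + b"CONSTRUCTED_PAYLOAD:steal_browser_creds"
    + b"\x00" * 32
)

# Two toy signatures, both derived from SAMPLE (assumed for the example):
#  - an exact-match signature: the SHA-256 of the whole file
#  - a content signature: a byte pattern lifted from the sample body
HASH_SIGNATURE = hashlib.sha256(SAMPLE).hexdigest()
PATTERN_SIGNATURE = b"CONSTRUCTED_PAYLOAD:steal_browser_creds"


def hash_detects(data: bytes) -> bool:
    """Exact-match detection: true only if the file hash is unchanged."""
    return hashlib.sha256(data).hexdigest() == HASH_SIGNATURE


def pattern_detects(data: bytes) -> bool:
    """Content detection: true if the byte pattern appears anywhere in the file."""
    return PATTERN_SIGNATURE in data


def append_padding(data: bytes) -> bytes:
    """Mutation 1: append one null byte.

    Changes every bit of the hash while leaving the pattern untouched.
    """
    return data + b"\x00"


def xor_encode_payload(data: bytes, key: int = 0x5A) -> bytes:
    """Mutation 2: XOR-encode the region the pattern covers.

    Models a repacked variant that hides its strings until runtime.
    The key (0x5A) is an arbitrary assumption; any non-zero byte works.
    """
    start = data.find(PATTERN_SIGNATURE)
    if start < 0:
        return data  # nothing to hide; return unchanged
    end = start + len(PATTERN_SIGNATURE)
    encoded = bytes(b ^ key for b in data[start:end])
    return data[:start] + encoded + data[end:]


def evaluate(data: bytes) -> dict:
    """Run both signatures against a sample and report which ones fire."""
    return {"hash": hash_detects(data), "pattern": pattern_detects(data)}


if __name__ == "__main__":
    print("original:     ", evaluate(SAMPLE))
    print("padded:       ", evaluate(append_padding(SAMPLE)))
    print("xor-encoded:  ", evaluate(xor_encode_payload(SAMPLE)))
```

Running the block shows the original sample tripping both signatures, the padded copy tripping only the pattern, and the XOR-encoded copy tripping neither. Real products layer heuristics and behavioural detection on top of static signatures for exactly this reason, but the core point stands: a signature written for the sample that was found does not bind the next variant.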

MIT Technology Review