Yesterday US-CERT and ICS-CERT published a Joint Security Awareness Report (JSAR) on the Gauss malware recently reported by Kaspersky Lab. According to Kaspersky, this malware appears to be targeted at financial institutions in Lebanon and the surrounding countries. Why ICS-CERT is publishing this JSAR is not clear, as there does not currently appear to be any effect on control systems or industrial networks.
As would be expected, the Kaspersky report is extremely detailed, with most of the information accessible only to those fluent in Geek Speak (unfortunately I am only conversant in pidgin Geek Speak). What is clear, however, is that Kaspersky believes this new malware is related to STUXNET, FLAME, and DUQU, and that it is readily adaptable to carry any number of new modules. In fact, the versions Kaspersky has studied contain a number of encrypted modules whose purposes are still unknown.
There is already discussion on the internet that this is ‘another’ in a series of cyber-warfare tools developed and deployed by the United States (and Israel). No one expects any confirmation of that, but we didn’t expect President Obama’s supposed confirmation of STUXNET being a US cyber-warfare tool either. The disclosure of this malware, and the unsupported attribution of it to the United States, will certainly inspire counter-attack aspirations by Iran and its allies and encourage the development of cyber-warfare capabilities by a wide variety of folks around the world.
That this could have an effect on the continuing debate over cybersecurity legislation is almost a foregone conclusion. There will be those who might suspect that the publication of this JSAR is part of a campaign by the Administration to encourage positive movement in that debate. Not me, of course.
BTW: Interesting tweet from Joel Langill on Gauss.