Stuxnet cousin able to attack industrial control systems

Today, extensive analysis on a new cyber espionage weapon dubbed “Gauss’ has been released, stating that the tool has capabilities to attack national critical infrastructure and steal financial data.

Apparently designed by the same “factory’ behind the state-sponsored Flame and Stuxnet cyberweapons, Gauss was discovered in June and has already been found to have infected personal computers in Lebanon and other countries in the Middle East.

The sophisticated malware, which not only steals system information but has a potentially dangerous “mysterious payload’, also contains a module known as “Godel’ which researchers have concluded contain a weapon for attacking industrial control systems.

Ross Brewer, vice president and managing director for international markets, LogRhythm, has made the following comments:

This latest malware discovery clearly shows a developing trend of sophisticated cyber weapons, like the Stuxnet, Duqu and Flame viruses, which aim to take control of critical national systems. While Gauss’ initial purpose appears to be the theft of financial information, its inclusion of the “Godel’ module further proves that cyber warfare tactics between nation states can result in significant damage to physical infrastructure.

A large proportion of today’s cyber security breaches – whether cyber espionage exercises such as data theft or full on cyber attacks that take control of critical systems – are a result of organisations lacking visibility into the activity taking place across their networks.

Traditional perimeter cyber security defences such as anti-virus software just aren’t enough to ensure protection, particularly as Gauss’s “cousin’, the Flame virus, avoided detection from 43 different anti-virus tools and took over two years to detect.

Instead, what’s required is a continuous monitoring of all log data generated by IT systems, so that any aberrant network activity can be identified, analysed and remediated in real time.

Especially relevant in the detection of attacks on control systems like SCADA (supervisory control and data acquisition), constant monitoring of IT network log data also provides the traceability required to identify patterns in seemingly unrelated incidents enabling damage limitation strategies to be enacted before any destruction of national infrastructure can occur.

In order to subvert this approach, hackers have to simultaneously break into their target, control systems like SCADA for example, and into the log management system to modify specifically the pieces they were looking for – a very difficult if not impossible task. Only by adding these additional levels of protection can anomalies be identified in real-time and cyber threats be responded to.

Don't miss