Evidence suggests US, UK behind mysterious Regin malware
Regin is the sophisticated work of hackers who dabble as government agents, experts say.
This post was originally published on Mashable.
For many years, a sophisticated and unprecedented cyberespionage campaign known as 'Regin' has been targeting hundreds of computers and networks in dozens of countries around the world. Yet its existence has only been unearthed in the last couple of days.
This is likely not your run-of-the-mill cyberattack mounted by criminals trying to steal credit card numbers, or by spies looking for intellectual property and trade secrets. According to several security researchers who have been investigating it and published reports on Sunday and Monday, this is the sophisticated work of hackers who dabble as government agents.
Security researchers at Symantec have called Regin 'peerless' and 'groundbreaking,' and it might be the most advanced malware campaign ever uncovered, a peek into the future of espionage and surveillance.
Like Stuxnet, the cyberattack that crippled Iran's nuclear program in the late 2000s, this campaign was most likely conducted by hackers working for a government with significant resources, and some are already pointing their fingers at the United States and the UK and, more specifically, the NSA and its British counterpart, the GCHQ.
What is Regin?
Regin is a tool capable of infecting and compromising entire networks, not just individual computers, as security companies Symantec and Kaspersky Labs detailed in their technical reports published on Sunday and Monday.
It's not only a computer virus or malware, but also a toolkit or platform that can be used for different purposes, depending on the needs of the attackers. It can collect passwords, retrieve deleted files, and even take over entire networks and infrastructures, according to researchers.
It's a toolkit that is made of various pieces, and that unfolds in five different stages, making it extremely hard to detect. In one of its stages, Regin disguises itself as legitimate Microsoft software to fool targets and avoid detection. (Microsoft declined to comment when Mashable asked if the company had any knowledge of Regin.)
For Costin Raiu, the head of Kaspersky's global research and analysis team, 'Regin is a hugely complex puzzle.'
Given its complexity and sophistication, Symantec researchers estimate that Regin was developed by several authors, perhaps over the span of months or even years.
'There's not just one Regin, it's a full framework of a lot of species of malware,' Ronald Prins, a security researcher from the Dutch company Fox IT, told Mashable.
No one has the full picture yet. As Sean Sullivan, a researcher at Finnish security firm F-Secure, put it, this is like the discovery of a new kind of dinosaur.
'We're all seeing perhaps different bones of the overall animal,' he told Mashable. 'We are able to kind of give you a very good estimate of what that animal does and what it subsists on and so on, but we don't actually have the full skeleton.'
No researcher has been able to yet explain how Regin infects its victims. But now that Regin has been exposed, we'll probably have more information in the next few weeks or months.
Who did Regin hit? And where?
There have been hundreds of victims, according to researchers, but it's too early to tell the full extent and reach of Regin. But we do know of some - they range from individuals and academic institutions to government agencies and telecom and internet service providers.
Among the most high-profile victims are the European Union, which was hacked in 2011, and Belgacom, Belgium's partly state-owned internet and phone provider, which was attacked in 2010. Its employees' computers were hacked through a fake LinkedIn page which was used to install malware on visitors' computers. Then in 2013, the same attackers hacked Belgian cryptographer Jean-Jacques Quisquater.
These attacks are all part of the Regin campaign, according to reports on and The Intercept.
The attacks on the European Union and Belgacom were revealed last year by documents leaked by Edward Snowden, but the new reports indicate that they were connected and part of a larger operation.
Other victims include an unnamed GSM cellphone operator in one Middle East country in 2008. Though Kaspersky didn't release all the details of the attack, hackers infiltrated the network, which could have allowed them to take control of cellphone towers to snoop on calls, reroute them and perhaps even shut it down entirely. Researchers declined to name the nation that was targeted, but Wired's Kim Zetter reasonably speculates that the target country in this case may have been Afghanistan.
Kaspersky also detailed a 'mind-blowing' attack against another unnamed Middle East country, in which Regin completely took over the networks of the country's presidential office, a research center, an educational institute, a mathematics institute, and a bank.
Regin also hit several other countries: Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Russia, Syria, according to Kaspersky.
Per Symantec, the graphic below details the geographical distribution of Regin's victims.
So, who is behind it?
This is always the million-dollar question when it comes to cyberespionage operations. This time, however, all signs seem to point to the NSA and GCHQ.
Prins, the researcher whose company was hired to investigate the Belgacom hack, has no doubts. Based on Snowden documents leaked last year and the analysis that his company has done of the Regin malware, Prins said he is fully convinced that the NSA and the GCHQ are behind Regin.
Both UNITEDRAKE and STRAIGHTBIZARRE are part of the Regin framework. You can find them in the ANT catalog. https://t.co/TFsdlI8JOW - Ronald Prins (@cryptoron), November 24, 2014
UNITEDRAKE and STRAIGHTBIZARRE are codenames of NSA programs, according to leaked documents. While those codenames are not mentioned in the malware, Prins explained that their description in the Snowden documents matches 'the functionality of parts of the Regin framework.'
Kaspersky researchers, however, did find codenames of a somewhat similar style inside parts of the Regin malware.
#Regin internal module codenames: LEGSPINv2.6, WILLISCHECKv2.0, HOPSCOTCH. - Costin Raiu (@craiu), November 24, 2014
Sullivan, the researcher from F-Secure, another firm which has been tracking Regin for years, told Mashable that given the list of victims, and especially given who's not among them, it's not hard to guess 'the elephant in the room that nobody is naming.' (The Five Eyes countries referenced in the tweet below are the US, UK, Australia, New Zealand and Canada, allies that share intelligence information with each other.)
I find it interesting that #Regin has no reported victims in Five Eyes countries - Timo Hirvonen (@TimoHirvonen), November 24, 2014
Sullivan declined to name it himself, but when asked if it was possible that the NSA or GCHQ were involved, Sullivan said he'd need very strong evidence to the contrary not to believe that. Symantec's senior engineer, Vikram Thakur, also declined to name names, but said that 'there are very few countries in the world who can sponsor or maintain such a framework.'
Raiu, the Kaspersky researcher, was more cautious, warning that 'on the internet, attribution can very easily fail and false flag operations are quite common.'
An NSA spokesperson we contacted declined to comment.
'We are not going to comment on speculation,' Vanee Vines wrote in a statement.
A GCHQ spokesperson echoed the NSA's response, and dismissed the Regin speculations as 'unfounded' allegations related to 'an old story' from 2013.
'We don't comment on speculation. That's what it is, pure speculation on your part,' the spokesperson, who declined to be named, told Mashable in a phone interview.
Why has it been revealed now?
The malware has been around since at least 2003, according to The Intercept. But its traces first surfaced online in 2009, when someone uploaded its components to the online virus repository VirusTotal. It seems that's also where its name originates - some of the files uploaded in 2009 contain the codename 'Regin.'
Microsoft included two samples of the Regin malware in its online malware encyclopedia in 2011, and one more in 2013.
But until now no one has publicly disclosed details of this cyberespionage campaign. Why?
Symantec's Thakur said that they had been investigating Regin since last year, but only felt 'comfortable' publishing details of it now.
Raiu, the researcher from Kaspersky, said they had been tracking Regin for 'several years' but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.
For Prins, the reason is completely different.
'We didn't want to interfere with NSA/GCHQ operations,' he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to 'global security.'
Mikko Hypponen, a renowned security expert and chief research officer for F-Secure, said that while they had detected some parts of Regin since 2009, they were not at liberty to discuss their discovery due to confidentiality agreements with customers who asked them not to publish details of hacks they suffered.
Both Symantec and Kaspersky denied having ever been asked by anyone, including governments, to withhold information related to Regin.