Link between NSA and Regin cyberespionage malware becomes clearer

Lucian Constantin | Jan. 28, 2015
Security researchers found a strong connection between Regin and a keylogger used by the Five Eyes intelligence alliance.

Der Spiegel reported in September 2013, based on documents leaked by Snowden, that GCHQ was responsible for the attack on Belgacom as part of a secret operation code-named Operation Socialist.

Ronald Prins, co-founder of Fox-IT, a Dutch security company hired to investigate the attack against Belgacom, told The Intercept in November that he was convinced Regin was used by British and American intelligence services. The Intercept also reported, citing unnamed sources, that the malware was used in attacks against the European Parliament.

An NSA spokeswoman said at the time that the agency would not comment on The Intercept's "speculation."

The existence of Regin was first disclosed in November, when both Kaspersky Lab and Symantec published extensive research papers on it. However, antivirus companies had known about the malware for at least a year before that, and forensic evidence suggests the threat may have been active as far back as 2006.

Security researchers believe that Regin is comparable in sophistication to Stuxnet, the computer worm reportedly created by the U.S. and Israel that was used to sabotage Iran's nuclear efforts by destroying uranium enrichment centrifuges.

However, unlike Stuxnet, Regin was used mostly for espionage, not sabotage. Symantec found around 100 Regin victims in 10 countries, mostly in Russia and Saudi Arabia, but also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan. The main targets were telecom operators, government organizations, multinational political bodies, financial institutions, research centers and individuals involved in advanced mathematical and cryptographic research, according to Kaspersky Lab.

No new infections with Regin have been found since mid-2014, said Costin Raiu, director of Kaspersky's global research and analysis team, via email Monday.

It's not clear whether the malware platform's authors are working to completely replace it because it has been exposed or are just making significant changes to it.

"We believe it would be very difficult to replace the whole Regin platform with something else," Raiu said. "Therefore, it is more likely it will be modified and improved instead of completely replaced."
