Regin Spyware Likely Made by NSA, UK

Possible cricket terms were found in Regin's code. Credit: Sean Nel/Shutterstock


Britain's GCHQ and the United States' National Security Agency are probably behind the newly discovered Regin super-spyware, evidence gathered by four different security firms indicates.

The clues include the countries and industries targeted (and those not targeted), internal file names and the working hours kept by Regin's developers. Regin is linked to a GCHQ operation described in NSA documents leaked by Edward Snowden, and it bears similarities to both the Stuxnet worm, used against Iran in 2010, and the Flame spyware, which mapped out the Iranian networks Stuxnet attacked.

"We're convinced that this is the product of the U.S. or U.K.," Erik de Jong, of Dutch cybersecurity firm Fox-IT, told SC Magazine in a piece posted today. "In our mind, there's no doubt at all."


Regin (pronounced with a soft "g") is Windows-based spyware that entails "a degree of technical competence rarely seen," according to Symantec, the U.S.-based antivirus giant that first revealed Regin in a detailed report yesterday (Nov. 23). (The name may refer to the fact that the malware saves some code in the Windows registry, or "reg.")

Russia's Kaspersky Lab followed up with its own report today (Nov. 24), and like Symantec, concluded that the spyware has been in operation since at least 2008 or 2009 and was developed by a national intelligence agency.

Kaspersky Lab added that Regin also infected cellular-carrier base stations in order to gather information on cellphones. (A reader told Wired's Kim Zetter that the base-station IDs matched four in Afghanistan.)

In one unnamed Middle Eastern country, the Kaspersky report said, Regin apparently created its own private peer-to-peer network, in which the nodes included the office of the country's president, a bank, an educational institution and a research facility.

Neither Symantec nor Kaspersky Lab was willing to point the finger at any specific country. Smaller firms such as Fox-IT and Finland's F-Secure had fewer qualms.

F-Secure cryptically said in a blog post last night: "Our belief is that this malware, for a change, isn't coming from Russia or China."

"We've obviously looked at the malware, and looked with a great deal of interest at the information published and leaked by Mr. Snowden," Fox-IT's De Jong told SC Magazine. "Some of that just makes sense — the pieces fit."

If it's Tuesday, this must be Belgium

Fox-IT's evidence may include undisclosed information about sustained GCHQ spying on Belgacom, a state-controlled Belgian telecommunications company. Snowden documents revealed the GCHQ operation in September 2013, and Belgacom hired Fox-IT to conduct an investigation.

The Belgacom attack was later linked to a separate spying attack on Belgian cryptography professor Jean-Jacques Quisquater.

"We believe Regin is the one that targeted Jean-Jacques Quisquater," F-Secure's Mikko Hypponen, one of the most widely recognized computer-security experts in the world, said on Twitter.

"We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform," Kaspersky Lab said in its report.

Quisquater may have had information on how to break commonly used cryptography standards — highly desirable to any signals-intelligence agency. Belgacom is thought to have been targeted because it handles telephone traffic in and out of European Union headquarters in Brussels, and also because it handles long-distance telephone traffic between Africa and Europe.

Patterns of force

Belgium was far from the only country targeted by Regin, Kaspersky and Symantec said. The bulk of activity occurred in Russia and Saudi Arabia, with additional targets in 15 other countries, including Iran, India, Pakistan, Afghanistan, Ireland and Mexico.

Russia, Iran, Syria, Pakistan and Afghanistan would be obvious intelligence targets for both the U.S. and the U.K., while counterterrorist operations would be interested in the funding of jihadi groups by Saudi private citizens. The U.K. would probably want to keep a close eye on Ireland, and the U.S. on Mexico.

Interestingly, two small South Pacific nations were included. Fiji is the landing point for a trans-Pacific submarine communications cable, but Kiribati no longer is.

No activity was detected in any of the "Five Eyes" countries, which have been sharing signals intelligence for more than half a century: Australia, Canada, New Zealand, the U.K. and the U.S.

Nor was any activity detected in China, an obvious intelligence target. None of the four firms that analyzed Regin could explain that omission, but it's worth noting that few traditional Chinese targets — such as Japan, Taiwan or South Korea — were included.

More telling were the private industries targeted. A full three-quarters of the firms Symantec saw hit were Internet service providers or telecommunications companies — ideal targets for signals-intelligence agencies aiming to conduct long-term surveillance. Hospitality firms (hotels and restaurants) and airlines were also targets, which fits in with known NSA techniques for tracking targeted individuals' travel itineraries.

Another clue lies in the working hours apparently kept by the Regin coders. Kaspersky noted that timestamps in the code began at about 10 a.m. British time (5 a.m. EST), peaked in the early afternoon and then slowly declined (with a "break" around 3 p.m. British time), finally ending with a sudden spurt of activity around 8 p.m.

Still, as Kaspersky Lab put it, "As this information could be easily altered by the developers, it's up to the reader to attempt to interpret this: as an intentional false flag or a noncritical indicator left by the developers."
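
The working-hours analysis described above amounts to bucketing timestamps by local hour under each candidate time zone and comparing the resulting shapes. The following is an added example, not code from Kaspersky Lab or the original article; the sample timestamps are constructed to mimic the reported pattern, and the fixed UTC offsets (no daylight saving) and the 9-to-6 workday are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: fixed offsets, ignoring daylight saving. The article's
# "10 a.m. British time (5 a.m. EST)" implies a five-hour gap.
ZONES = {"British time (UTC+0)": 0, "EST (UTC-5)": -5}

def local_hours(timestamps, utc_offset):
    """Hour-of-day histogram of epoch-second timestamps at a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset))
    return Counter(datetime.fromtimestamp(t, tz).hour for t in timestamps)

def active_window(hist):
    """First and last local hour with activity (assumes no wrap past midnight)."""
    return min(hist), max(hist)

def quiet_dip(hist):
    """Hours inside the window with fewer events than both neighbouring hours."""
    lo, hi = active_window(hist)
    return [h for h in range(lo + 1, hi)
            if hist[h] < hist[h - 1] and hist[h] < hist[h + 1]]

def office_hours_share(hist, start=9, end=18):
    """Fraction of timestamps that fall inside an assumed start..end workday."""
    total = sum(hist.values())
    return sum(n for h, n in hist.items() if start <= h < end) / total

# Constructed sample: events per UTC hour, shaped like the reported pattern
# (start at 10, early-afternoon peak, dip at 15, late spurt at 20).
SHAPE_UTC = {10: 2, 11: 3, 12: 4, 13: 6, 14: 5, 15: 1,
             16: 3, 17: 2, 18: 1, 19: 1, 20: 4}
SAMPLE = [
    int(datetime(2013, 1, 7 + i, hour, 17, tzinfo=timezone.utc).timestamp())
    for hour, count in SHAPE_UTC.items() for i in range(count)
]

if __name__ == "__main__":
    # Timestamps are under the developers' control, so treat the result as a
    # weak indicator that can be forged, never as proof of origin.
    for name, offset in ZONES.items():
        hist = local_hours(SAMPLE, offset)
        print(f"{name}: window={active_window(hist)} dip={quiet_dip(hist)} "
              f"office_share={office_hours_share(hist):.2f}")
```
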

That's not cricket

Other Briticisms crop up in the code itself. Most of the Regin modules are given numbered file names, deliberately obscuring the developers' native language. But Kaspersky Lab noted that a few English file names do appear: LEGSPIN, WILLISCHECK, HOPSCOTCH and U-STARBUCKS.

The first word refers to a common bowling trick in cricket, a term that would be unknown to most Americans. Alec Muffett, a Facebook developer in Britain, hypothesized that "WILLISCHECK" might refer to legendary English cricket bowler Bob Willis.

Kaspersky noted that a vulgar English four-letter noun, albeit one known to many non-English speakers, constantly crops up in the code.

Family resemblances

Finally, there's Regin's code itself. The malware is split into several different parts, only the first of which is unencrypted, and it installs different modules depending on whether the targeted machine runs 32-bit or 64-bit Windows.

The initial infection is via a "dropper," a Trojan horse likely installed by visiting a compromised website. From there, the dropper determines the operating system used and installs more malware, customized for various tasks including stealing data, taking screenshots, stealing passwords, monitoring network traffic and controlling the mouse pointer.

"This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil (The Mask)," the Symantec report noted, "while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats."

Whatever the origin of Regin, most experts agreed that it is a major discovery.

"Few terms are misused in a security context as often as the term 'advanced'," wrote Martijn Grooten, editor of the information-security newsletter Virus Bulletin, "perhaps in part because the industry doesn't like to admit that most of the threats we're facing aren't particularly advanced. Yet for the 'Regin' espionage tool, which Symantec wrote about yesterday, it seems fully justified."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.
