Regin Malware Confirmed as UK and US Spying Tool

Over the weekend, the Internet and Twittersphere was abuzz with rumors and information about a new malware program, known as Regin, that was first made public by the threat research group at Symantec.

Since hitting the wires, there has been a flurry of speculation as to whether or not the malware was state-sponsored or the act of an individual crime network, and now, thanks to Glenn Greenwald at the Intercept, a chunk of previously unreleased Snowden leaks have confirmed that the program was developed as a joint espionage effort between both the United States and UK governments.

Some members of the security community had suspected that the infection was developed by members of the Five Eyes collective when the targets of the campaign were released, focusing primarily on countries like Russia, Saudi Arabia, and Brazil.

Of these nations (and several others listed in the pie chart below), some are considered a threat by both the United States and the British, each of whom have pooled the collective resources of their independent intelligence agencies to create one of the most effective, and least detectable infection tools to date.

regin

Photo: Symantec

“Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept,” wrote Greenwald.

“Regin was found on infected internal computer systems and email servers at Belgacom, a partly state-owned Belgian phone and internet provider, following reports last year that the company was targeted in a top-secret surveillance operation carried out by British spy agency Government Communications Headquarters, industry sources told The Intercept.”

This wouldn’t be the first time a piece of malware developed by the two countries has gotten out of the bag either. Back in 2012, the press picked up on a new style of malware that had been used to infect Iranian uranium enrichment facilities in an effort to sabotage their efforts to manufacture a nuclear weapon.

In this instance, the main target of Regin was Belgacom, a Belgian telecommunications company that was suspected of harboring terrorist customers who had been exploiting the company’s lax security rules to message each other from Pakistan, Afghanistan, and Syria.

The intrusion had originally been disclosed by Greenwald and Snowden back in August of last year, however the exact method that the UK utilized to get in was kept secret until now.

The main motivation for keeping this information hidden was to prevent criminals from hopping on the train and looking for new ways to exploit state-manufactured malware, much like what we saw with Stuxnet, which was later morphed into Flame after the undesirables had got their hands on it and used it to break into the average user’s machine.

Greenwald believes that his publication is cleared to come forward with this information as a result of Symantec’s investigation, as opposed to when they had their opportunity the first time around.

He states that since the attack on Belgacom went viral, it’s likely that the NSA and GCHQ have switched gears, ditching Regin altogether in favor of something a little less public and a lot more effective at the job of breaking into the backdoor of major telecommunications companies and small businesses around the world.