REGIN: 'cyberspy' threat from 2003, snooped on Saudis, Russians, Belgians... [u5]

Symantec unleashes PR guns, shys away from blaming the perp, but the truth will out

regin 2003

The Regin espionage malware suite is supposedly so 'advanced' that it must have been created by a nation state. But which one? The spotlight now seems to be falling on the NSA and UK's GCHQ.

This appears to be the same malware first hinted at by Microsoft and Kaspersky, but now unpicked in more detail by Symantec, which duly unleashed its PR arsenal. Evidence then emerged that versions of the malware were in the wild as early as 2003!

Researchers won't reveal their suspicions about who wrote it. But that won't stop others: In IT Blogwatch, bloggers open all Five Eyes, wide.

Your humble blogwatcher curated these bloggy bits for your entertainment. (This is update #5 -- scroll to end for the new bits.)

Nancy Weil's dis-eased about the news: [You're fired -Ed.]

[It] was likely developed by a nation state and has been used to spy on governments, infrastructure operators, businesses, researchers and individuals. ... Researchers have identified its use in 10 countries, mainly Russia and Saudi Arabia.

Regin is a back-door...multistaged threat, with each stage hidden and encrypted. [It] also takes a modular approach...used with other advanced malware families, inlcuding Flamer and Weevil. The multistage loading also akin to Duqu/Stuxnet.

Researchers have identified dozens of payloads...including a Microsoft IIS Web server traffic monitor and a traffic sniffer aimed at mobile telephone base-station controllers.  MORE

And Darren Pauli's editors do their standard SHOUTY-HED schtick:

[Researchers] found attackers have foisted Regin on targets using mixed attack vectors including one unconfirmed zero-day in Yahoo! Messenger. [They] did not name a nation as the source of Regin.

Regin's talented authors encrypted data blobs after the stage one vector. The stage zero dropper probably responsible for setting extended attributes and registry keys that held encoded data of subsequent stages was not found.  MORE

Some anonymous Symantec gnomes breathlessly blog thuswise:

Regin has been used in systematic spying campaigns against a range of international targets since at least 2008. [Its] structure displays a degree of technical competence rarely seen. ... Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.

Regin infections have been observed in a variety of organizations between 2008 and 2011. ... A new version of the malware resurfaced from 2013. ... Targets include private companies, government entities and research institutes...private individuals and small businesses.

Its low key nature means it can potentially be used in espionage campaigns lasting several years. [It includes] anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption [that] isn’t commonly used.  MORE

So Dan Goodin digs deeper:

Researchers believe Regin...dates back to 2008 and possibly several years earlier. Liam O'Murchu, manager of operations for Symantec Security Response, [said] the roster of modules used against one target was often unique, an indication that Regin was used in multiple campaigns.

Almost half of the computers known to be infected by Regin were inside [ISPs] so the operators could spy on specific customers who used the ISPs.

The researchers have yet to uncover the command and control system the attackers used to communicate with infected computers, and they still don't have any educated hunches about the country behind the malware.  MORE

But Arik "Anne Ant" Hesseldahl has a theory:

[It] was likely created by a government agency. And while its origin is unclear, a short list of capable countries would include the U.S., Israel and China. ... No infections have yet been detected in the U.S. [Israel] or China

The quality of Regin’s design and the investment required to create it is such that it was almost certainly made by a nation-state, said O’Murchu. But asked to speculate which nation-state, he demurred. It doesn’t take much of a leap to wonder out loud if the [NSA] or the [CIA], perhaps working with Israel, might be the source. ... However, there are other possible sources, including China..  MORE

Meanwhile, Fatih Babacan fingers the NSA:

Belgacom (Belgian internet provider) had found such a malware on its servers. Reportedly it was also a complex malware made by the US. The NSA gathered customers data for years massively. Instead of focusing on an suspicious individual NSA thought it was a good idea to mass spy on Belgian citizens. Those bastards!  MORE

Update #1: Malcolm Tucker "takes a stab" at explaining, in his own unique style:

Most likely, Apple developers created it years ago. ... The new software was released the day Steve Jobs died. I mean think about it. Wouldn't Apple Developers be the best dang virus-writing team on the planet? [They] forgo releasing manuals that disclose functionality...deny everything, all software is delivered over the web, and during the product lifecycle, they release new features which update to the previous version; always requiring additional RAM to prevent [the] Spinning Pinwheel Of Death.

Most Buddhists believe that when you die, your soul travels at the speed of light through space. That said, the closest thing to this has to be writing a computer virus which comes pre-installed. This...explains why Apple switched from default pictures of clownfish to space pictures.  MORE

Update #2: Kim Zetter narrates the "mysterious" story:

It was the spring of 2011 when the European Commission discovered it had been hacked. The intrusion...was sophisticated and widespread and used a zero-day exploit. ... They infected numerous systems belonging to the...Commission and the European Council. ... Two years later another big target was hacked. This time it was Belgacom. ... According to...Edward Snowden, the attackers targeted system administrators working for Belgacom and used their credentials. ... Then five months of another high-profile breach emerged...targeting prominent Belgian cryptographer Jean-Jacques Quisquater.

Researchers have found the massive digital spy tool used in all three attacks. [It's] been known since at least 2011 [by] Microsoft. ... Kaspersky...began tracking the threat in 2012. ... Symantec began investigating it in 2013. ... Though no one is willing to speculate on the record about Regin’s source, news reports about the Belgacom and Quisquater hacks pointed a finger at GCHQ and the NSA.  MORE

Update #3: Morgan Marquis-Boire, Claudio Guarnieri, and Ryan Gallagher tag-team to confirm that final point:

Regin is...behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to...sources and [our] technical analysis. ... Sources familiar with internal investigations [are] linking the spy tool to the secret GCHQ and NSA operations.

Ronald Prins, a security expert whose company Fox IT was hired to remove the malware from Belgacom’s networks...said, “I’m convinced Regin is used by British and American intelligence services.” ... In a hacking mission codenamed Operation Socialist, GCHQ gained access to Belgacom’s internal systems in sending their internet connection to a fake LinkedIn page [which] launched a malware attack...part of the suite of malware now known as Regin. ... [We have] identified traces of its components dating back as far as 2003.

GCHQ declined to comment for this story. ... The NSA said...“We are not going to comment.” ... In Nordic mythology, the name Regin is associated with a violent dwarf who is corrupted by greed.  MORE

Update #4: USA! USA! Kevin Fogarty is pleased to hear the NSA and its allies are "waaaay ahead":

[It] appears to be long-term corporate and political espionage committed by a major national intelligence agency. [It] is so complex and programming so is most likely to have been developed by a state-sponsored intelligence agency...rather than hackers or malware writers motivated by profit or commercial developers...that sell software designed for espionage.

The consistency in targets and approach...are similar to those of previously identified apps designed for international espionage and sabotage including Stuxnet, Duqu, Flamer, Red October and Weevil. ... It also pushes the envelope of what we knew was possible. [It's] easily clever enough to inspire admiration of its technical accomplishments.  MORE

Update #5: Thomas Fox-Brewster is "perplexed," implying his suspicions:

Symantec was actually detecting components of Regin back in 2010 and had labelled it a Trojan in March 2011...the same time Microsoft had picked up on the malware. ... But there’s something didn’t include any technical information...evidently [because] no human analyst decided it was worthy of attention. Another anti-virus provider, F-Secure...started blocking components from as early as 2009, whilst admitting [it] had been asked by a customer...not to publicly divulge information.

Symantec has given Regin the lowest possible risk rating and only a “medium” score for its “damage rating”. ... Microsoft, meanwhile, gave it a “severe” rating three years ago. Such mixed messages don’t fill onlookers with confidence.

This would all indicate AV firms’ technology did an adequate job at figuring out if something was malicious and then blocking it. But [weren't] able to expose Regin as a nation state-sponsored malware as fast as they might. And they were either afraid to say it outright or didn’t have enough hard facts.  MORE

You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

Copyright © 2014 IDG Communications, Inc.

Shop Tech Products at Amazon