Link between NSA and Regin cyberespionage malware becomes clearer

Security researchers found a strong connection between Regin and a keylogger used by the Five Eyes intelligence alliance

Keylogging malware that may have been used by the NSA shares signficant portions of code with a component of Regin, a sophisticated platform that has been used to spy on businesses, government institutions and private individuals for years.

The keylogger program, likely part of an attack framework used by the U.S. National Security Agency and its intelligence partners, is dubbed QWERTY and was among the files that former NSA contractor Edward Snowden leaked to journalists. It was released by German news magazine Der Spiegel on Jan. 17 along with a larger collection of secret documents about the malware capabilities of the NSA and the other Five Eyes partners -- the intelligence agencies of the U.K., Canada, Australia and New Zealand.

"We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin," malware researchers from antivirus firm Kaspersky Lab said Tuesday in a blog post. "Looking at the code closely, we conclude that the 'QWERTY' malware is identical in functionality to the Regin 50251 plugin."

Moreover, the Kaspersky researchers found that both QWERTY and the 50251 plug-in depend on a different module of the Regin platform identified as 50225 which handles kernel-mode hooking. This component allows the malware to run in the highest privileged area of the operating system -- the kernel.

This is strong proof that QWERTY can only operate as part of the Regin platform, the Kaspersky researchers said. "Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source code, we conclude the QWERTY malware developers and the Regin developers are the same or working together."

Der Spiegel reported that QWERTY is likely a plug-in of a unified malware framework codenamed WARRIORPRIDE that is used by all Five Eye partners. This is based on references in the code to a dependency called WzowskiLib or CNELib.

In a separate leaked document authored by the Communications Security Establishment Canada, the Canadian counterpart of the NSA, WARRIORPRIDE is described as a flexible computer network exploitation (CNE) platform that's an implementation of the "WZOWSKI" Five Eyes API (application programming interface).

The document also notes that WARRIORPRIDE is known under the code name DAREDEVIL at the UK Government Communications Headquarters (GCHQ) and that the Five Eyes intelligence partners can create and share plug-ins for it.

The newly discovered link between QWERTY and Regin suggests that the cyberespionage malware platform security researchers call Regin is most likely WARRIORPRIDE.

Some experts already suspected this based on other clues. According to Kaspersky Lab, Regin was the malware program that infected the personal computer of Belgian cryptographer Jean-Jacques Quisquater in 2013. That attack was linked to another malware attack against Belgian telecommunications group Belgacom whose customers include the European Commission, the European Parliament and the European Council.

Der Spiegel reported in September 2013, based on documents leaked by Snowden, that GCHQ was responsible for the attack on Belgacom as part of a secret operation code-named Operation Socialist.

Ronald Prins, co-founder of Fox-IT, a Dutch security company hired to investigate the attack against Belgacom, told The Intercept in November that he was convinced Regin was used by British and American intelligence services. The Intercept also reported, citing unnamed sources, that the malware was used in attacks against the European Parliament.

An NSA spokeswoman said at the time that the agency would not comment on The Intercept's "speculation."

The existence of Regin was first disclosed in November, when both Kaspersky Lab and Symantec published extensive research papers on it. However, antivirus companies knew about the malware for at least a year prior to that and forensic evidence suggests that the threat may have been active as far back as 2006.

Security researchers believe that Regin is comparable in sophistication to Stuxnet, the computer worm reportedly created by the U.S. and Israel that was used to sabotage Iran's nuclear efforts by destroying uranium enrichment centrifuges.

However, unlike Stuxnet, Regin was mostly used for espionage, not sabotage. Symantec found around 100 Regin victims in 10 countries, mostly in Russia and Saudi Arabia, but also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan. The main targets were telecom operators, government organizations, multi-national political bodies, financial institutions, research centers and individuals involved in advanced mathematical and cryptographical research, according to Kaspersky Lab.

No new infections with Regin have been found since mid-2014, said Costin Raiu, director of Kaspersky's global research and analysis team, via email Monday.

It's not clear whether the malware platform's authors are working to completely replace it because it has been exposed or are just making significant changes to it.

"We believe it would be very difficult to replace the whole Regin platform with something else," Raiu said. "Therefore, it is more likely it will be modified and improved instead of completely replaced."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags National Security AgencysymantecsecurityCommunications Security Establishment CanadaGovernment Communications HeadquartersBelgacomspywaremalwarekaspersky labintrusion

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?