01/27/2015 01:21 PM

Source Code Similarities

Experts Unmask 'Regin' Trojan as NSA Tool

By , and

Just weeks ago, SPIEGEL published the source code of an NSA malware program known internally as QWERTY. Now, experts have found that it is none other than the notorious trojan Regin, used in dozens of cyber attacks around the world.

Earlier this month, SPIEGEL International published an article based on the trove of documents made available by whistleblower Edward Snowden describing the increasingly complex digital weapons being developed by intelligence services in the US and elsewhere. Concurrently, several documents were published as well as the source code of a sample malware program called QWERTY found in the Snowden archive.

For most readers, that source code was little more than 11 pages of impenetrable columns of seemingly random characters. But experts with the Russian IT security company Kaspersky compared the code with malware programs they have on file. What they found were clear similarities with an elaborate cyber-weapon that has been making international headlines since November of last year.

Last fall, Kaspersky and the US security company Symantec both reported for the first time the discovery of a cyber-weapon system which they christened "Regin". According to Kaspersky, the malware had already been in circulation for 10 years and had been deployed against targets in at least 14 countries, including Germany, Belgium and Brazil but also India and Indonesia.

Symantec spoke of a "highly complex" threat. Many of the targets were in the telecommunications sector, but others included energy companies and airlines. Both Symantec and Kaspersky did not shy away from superlatives when describing the malware program, calling it a "top-tier espionage tool" and the most dangerous cyber-weapon since Stuxnet, the notorious malware program used to attack the Iranian nuclear program.

"We are certain that we are looking at the keylogger-module from Regin," Costin Raiu, head of research for Kaspersky, said of the code published by SPIEGEL. A keylogger is a program that can record keys struck on a keyboard -- thus logging sensitive information such as passwords, email addresses and text documents -- and then send that information back to the malware programmer.

"Pursuant to our technical analysis, QWERTY is identical with the Regin plug-in 50251," Raiu says. In addition, the analysis revealed that Regin is apparently an attack platform that can be used by several different institutions in several different countries. Kaspersky published its findings in a blog post on Tuesday.

The new analysis provides clear proof that Regin is in fact the cyber-attack platform belonging to the Five Eyes alliance, which includes the US, Britain, Canada, Australia and New Zealand. Neither Kaspersky nor Symantec commented directly on the likely creator of Regin. But there can be little room left for doubt regarding the malware's origin.

There are also additional clues pointing to Regin being a Five Eyes tool:

In the last several years, Regin has been exposed as the cyber-weapon behind a number of digital attacks:

It seems likely that more Regin discoveries will be made. Kaspersky alone, says Raiu, has found the malware in computers belonging to 27 international companies, governments and private persons.


Related SPIEGEL ONLINE links:

Related internet links

All Rights Reserved
Reproduction only allowed with permission