Source Code Similarities Experts Unmask 'Regin' Trojan as NSA Tool

Just weeks ago, SPIEGEL published the source code of an NSA malware program known internally as QWERTY. Now, experts have found that it is none other than the notorious trojan Regin, used in dozens of cyber attacks around the world.
A comparison of malware codes: Regin is on the left; QWERTY, published by SPIEGEL, is on the right.

A comparison of malware codes: Regin is on the left; QWERTY, published by SPIEGEL, is on the right.

Foto: Kaspersky

Earlier this month, SPIEGEL International published an article based on the trove of documents made available by whistleblower Edward Snowden describing the increasingly complex digital weapons  being developed by intelligence services in the US and elsewhere. Concurrently, several documents were published as well as the source code of a sample malware program called QWERTY found in the Snowden archive.

For most readers, that source code was little more than 11 pages of impenetrable columns of seemingly random characters. But experts with the Russian IT security company Kaspersky compared the code with malware programs they have on file. What they found were clear similarities with an elaborate cyber-weapon that has been making international headlines since November of last year.

Last fall, Kaspersky and the US security company Symantec both reported for the first time the discovery of a cyber-weapon system which they christened "Regin". According to Kaspersky, the malware had already been in circulation for 10 years and had been deployed against targets in at least 14 countries, including Germany, Belgium and Brazil but also India and Indonesia.

Symantec spoke of a "highly complex" threat. Many of the targets were in the telecommunications sector, but others included energy companies and airlines. Both Symantec and Kaspersky did not shy away from superlatives when describing the malware program, calling it a "top-tier espionage tool" and the most dangerous cyber-weapon since Stuxnet, the notorious malware program used to attack the Iranian nuclear program.

The Regin code on the Kaspersky website: Identical code.

The Regin code on the Kaspersky website: Identical code.

"We are certain that we are looking at the keylogger-module from Regin," Costin Raiu, head of research for Kaspersky, said of the code published by SPIEGEL. A keylogger is a program that can record keys struck on a keyboard -- thus logging sensitive information such as passwords, email addresses and text documents -- and then send that information back to the malware programmer.

"Pursuant to our technical analysis, QWERTY is identical with the Regin plug-in 50251," Raiu says. In addition, the analysis revealed that Regin is apparently an attack platform that can be used by several different institutions in several different countries. Kaspersky published its findings in a blog post  on Tuesday.

The new analysis provides clear proof that Regin is in fact the cyber-attack platform belonging to the Five Eyes alliance, which includes the US, Britain, Canada, Australia and New Zealand. Neither Kaspersky nor Symantec commented directly on the likely creator of Regin. But there can be little room left for doubt regarding the malware's origin.

  • The source code excerpt published by SPIEGEL comes straight from the Snowden archive.

  • Regin was also apparently involved in the attack on the Belgian telecommunications firm Belgacom. And Belgacom, as SPIEGEL reported in the summer of 2013 , was a target of the British intelligence agency GCHQ. Ronald Prins, head of the Dutch security company Fox IT, which analyzed the attack on Belgacom, told SPIEGEL ONLINE in the summer of 2011 that Regin appeared to be a tool belonging to the NSA and GCHQ.

There are also additional clues pointing to Regin being a Five Eyes tool:

  • In the QWERTY code, there are numerous references to cricket, a sport that enjoys extreme popularity in the Commonwealth.

  • There are many similarities with the cyber-weapons system that the intelligence agencies call "Warriorpride" in the Snowden documents.

  • The targets thus far known are consistent with Five Eyes surveillance targets as outlined in the Snowden documents.


Photo Gallery: Operation Socialist

In the last several years, Regin has been exposed as the cyber-weapon behind a number of digital attacks:

  • The attack on the partially state-owned company Belgacom, as mentioned above.

  • A serious cyber-attack on the European Commission in 2011. The deputy head of Germany's Federal Office for Information Security, Andreas Könen, told SPIEGEL at the end of last December that, "we have reconstructed that; there are clear congruencies."

  • The Austrian newspaper Der Standard, citing anonymous sources, reported last November that malware code from the Regin family had been found in the network of the International Atomic Energy Agency, based in Vienna.

  • Germany's Bild newspaper also reported a Regin infection in the computer of a member of the department for European affairs in Angela Merkel's Chancellery. According to the paper, the malware was found on the woman's private computer. The Federal Office for Information Security says that Regin has not yet been found on official German government computers.

It seems likely that more Regin discoveries will be made. Kaspersky alone, says Raiu, has found the malware in computers belonging to 27 international companies, governments and private persons.