Source Code Similarities Experts Unmask 'Regin' Trojan as NSA Tool

Just weeks ago, SPIEGEL published the source code of an NSA malware program known internally as QWERTY. Now, experts have found that it is none other than the notorious trojan Regin, used in dozens of cyber attacks around the world.

A comparison of malware codes: Regin is on the left; QWERTY, published by SPIEGEL, is on the right.

Earlier this month, SPIEGEL International published an article based on the trove of documents made available by whistleblower Edward Snowden describing the increasingly complex digital weapons being developed by intelligence services in the US and elsewhere. Concurrently, several documents were published as well as the source code of a sample malware program called QWERTY found in the Snowden archive.

For most readers, that source code was little more than 11 pages of impenetrable columns of seemingly random characters. But experts with the Russian IT security company Kaspersky compared the code with malware programs they have on file. What they found were clear similarities with an elaborate cyber-weapon that has been making international headlines since November of last year.

Last fall, Kaspersky and the US security company Symantec both reported for the first time the discovery of a cyber-weapon system which they christened "Regin". According to Kaspersky, the malware had already been in circulation for 10 years and had been deployed against targets in at least 14 countries, including Germany, Belgium and Brazil but also India and Indonesia.

Symantec spoke of a "highly complex" threat. Many of the targets were in the telecommunications sector, but others included energy companies and airlines. Neither Symantec nor Kaspersky shied away from superlatives when describing the malware program, calling it a "top-tier espionage tool" and the most dangerous cyber-weapon since Stuxnet, the notorious malware program used to attack the Iranian nuclear program.

The Regin code on the Kaspersky website: Identical code.

"We are certain that we are looking at the keylogger-module from Regin," Costin Raiu, head of research for Kaspersky, said of the code published by SPIEGEL. A keylogger is a program that can record keys struck on a keyboard -- thus logging sensitive information such as passwords, email addresses and text documents -- and then send that information back to the malware programmer.

"Pursuant to our technical analysis, QWERTY is identical with the Regin plug-in 50251," Raiu says. In addition, the analysis revealed that Regin is apparently an attack platform that can be used by several different institutions in several different countries. Kaspersky published its findings in a blog post on Tuesday.
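The comparison the article describes, matching an unknown code sample against a collection of known malware, is something analysts routinely quantify. The script below is an added illustration, not code from the article or from Kaspersky's analysis: it tokenizes C source, forms token n-grams ("shingles") and scores two snippets with the Jaccard index. The three snippets (an FNV-style hash, the same function with its identifiers renamed, and an unrelated array sum) are constructed for the example and have nothing to do with Regin or QWERTY; the keyword list, the 4-token shingle size and the identifier masking are choices made here, not a published methodology.

```python
"""Token-shingle similarity between source snippets (constructed example)."""
import re
from typing import Dict, List, Set, Tuple

# One token per identifier, integer literal, or single punctuation character.
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")

# C keywords are kept verbatim so that types and control flow still count as
# structure; every other identifier is masked as "ID" when normalizing, which
# makes the score robust to simple variable renaming (assumed keyword set).
KEYWORDS = {"unsigned", "int", "const", "char", "while", "for", "if",
            "else", "return", "void", "static", "break"}


def tokenize(src: str, normalize: bool = False) -> List[str]:
    """Split C-like source into tokens; optionally mask non-keyword identifiers."""
    toks = TOKEN_RE.findall(src)
    if normalize:
        toks = [t if (t in KEYWORDS or not re.match(r"[A-Za-z_]", t)) else "ID"
                for t in toks]
    return toks


def shingles(src: str, n: int = 4, normalize: bool = False) -> Set[Tuple[str, ...]]:
    """Set of all n-token windows in the source."""
    toks = tokenize(src, normalize)
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def jaccard(a: Set, b: Set) -> float:
    """|A ∩ B| / |A ∪ B|; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(src_a: str, src_b: str, n: int = 4, normalize: bool = False) -> float:
    return jaccard(shingles(src_a, n, normalize), shingles(src_b, n, normalize))


def best_match(unknown: str, collection: Dict[str, str], n: int = 4,
               normalize: bool = True) -> Tuple[str, float]:
    """Return (name, score) of the closest sample in a collection of known code."""
    scores = {name: similarity(unknown, code, n, normalize)
              for name, code in collection.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


# Constructed samples: a hash routine, the same routine with renamed
# identifiers, and an unrelated function.
SAMPLE_A = """
unsigned int fnv_hash(const char *s) {
    unsigned int h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}
"""
SAMPLE_A_RENAMED = """
unsigned int hash_str(const char *p) {
    unsigned int acc = 2166136261u;
    while (*p) { acc ^= (unsigned char)*p++; acc *= 16777619u; }
    return acc;
}
"""
SAMPLE_C = """
int sum_array(const int *a, int n) {
    int total = 0;
    for (int i = 0; i < n; i++) total += a[i];
    return total;
}
"""
KNOWN = {"fnv_hash": SAMPLE_A, "sum_array": SAMPLE_C}

if __name__ == "__main__":
    print("raw A vs renamed:       %.2f" % similarity(SAMPLE_A, SAMPLE_A_RENAMED))
    print("normalized A vs renamed: %.2f" % similarity(SAMPLE_A, SAMPLE_A_RENAMED, normalize=True))
    print("normalized A vs C:       %.2f" % similarity(SAMPLE_A, SAMPLE_C, normalize=True))
    print("best match for renamed:", best_match(SAMPLE_A_RENAMED, KNOWN))
```

Raw token overlap already picks up the shared constants and operator sequence, but the renamed copy scores well below 1.0; masking identifiers brings the pair to an exact match while the unrelated function stays near zero. Real attribution work layers many such signals (constants, string tables, compiler artefacts, API usage) rather than relying on one score.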

The new analysis provides clear proof that Regin is in fact the cyber-attack platform belonging to the Five Eyes alliance, which includes the US, Britain, Canada, Australia and New Zealand. Neither Kaspersky nor Symantec commented directly on the likely creator of Regin. But there can be little room left for doubt regarding the malware's origin.

  • The source code excerpt published by SPIEGEL comes straight from the Snowden archive.

  • Regin was also apparently involved in the attack on the Belgian telecommunications firm Belgacom. And Belgacom, as SPIEGEL reported in the summer of 2013, was a target of the British intelligence agency GCHQ. Ronald Prins, head of the Dutch security company Fox IT, which analyzed the attack on Belgacom, told SPIEGEL ONLINE in the summer of 2011 that Regin appeared to be a tool belonging to the NSA and GCHQ.

There are also additional clues pointing to Regin being a Five Eyes tool:

  • In the QWERTY code, there are numerous references to cricket, a sport that enjoys extreme popularity in the Commonwealth.

  • There are many similarities with the cyber-weapons system that the intelligence agencies call "Warriorpride" in the Snowden documents.

  • The targets thus far known are consistent with Five Eyes surveillance targets as outlined in the Snowden documents.

In the last several years, Regin has been exposed as the cyber-weapon behind a number of digital attacks:

  • The attack on the partially state-owned company Belgacom, as mentioned above.

  • A serious cyber-attack on the European Commission in 2011. The deputy head of Germany's Federal Office for Information Security, Andreas Könen, told SPIEGEL at the end of last December that, "we have reconstructed that; there are clear congruencies."

  • The Austrian newspaper Der Standard, citing anonymous sources, reported last November that malware code from the Regin family had been found in the network of the International Atomic Energy Agency, based in Vienna.

  • Germany's Bild newspaper also reported a Regin infection in the computer of a member of the department for European affairs in Angela Merkel's Chancellery. According to the paper, the malware was found on the woman's private computer. The Federal Office for Information Security says that Regin has not yet been found on official German government computers.

It seems likely that more Regin discoveries will be made. Kaspersky alone, says Raiu, has found the malware in computers belonging to 27 international companies, governments and private persons.

edwards.mikej 01/27/2015
So now Angela Merkel will bow to her rulers in DC and do and say what she has been saying over the past - we love the US and Neoliberalism, we are firm allies to the Empire - yes maybe we're a little embarrassed but it's worth it because - TERRORISM!!! Germany has worked hard and devoted thousands of its intelligence staff to doing anything the Imperial masters in the US demand.
dtechba 01/27/2015
2. Wow!
Because there are coding similarities and the Russians say so, it has to come from the NSA? Wow, how simple can one be? Source code similarities are pervasive seeing as how it is posted online for anyone, including hackers, to use, and the Russians aren't exactly an unbiased source. Give me a break....
birchwood 01/28/2015
3. A previous happening
What is written did not involve the governments but criminal groups in at least two countries - A person involved with unlocking electronics, for black money in the U.S. and Russia was asked by an associated criminal group in Moscow to send over electronic(s) available in the U.S. but not in Russia. He did so........ When I found out I warned him what he sent may be able to make Improvised Explosive Devices (IED's) that Russian Security may not be aware of the frequency range or type of encryption (such as burst, etc.), such as when safeguarding visiting dignitaries in convoys of vehicles. And could possibly be used in truck bombs also, etc. I told him to tell the U.S. Government or the Russian Security, or the information would get to them in some manner. He refused to come forward and the information got to the governments so hopefully lives could be saved........ It is sad, for Greed will make some people do anything.
spon-facebook-10000234202 01/29/2015
4. Why German media spend too much time for this issue ?
Germany and Russia have conspired to redraw the EU map economically and militarily. Therefore, they keep talking about the NSA scandal while most other countries have forgotten it for months ......... Germany and Russia want to reduce US influence in the EU as well as NATO and gradually kick the US out of EU soil so that they can RULE the continent at their own will. It would be a calamity for the continent if this duo can accomplish their DREAMS.
gjphilip 01/31/2015
5. Belgium Telecom
Another article in Der Spiegel tells us that Belgium sends more troops to ISIS than any other European nation: maybe that's why the 5 Eyes spy on Belgium's telecoms?