U.S. and U.K. Spy Agencies Likely Source of Malware Attacks on EU, Russian and Saudi Computers

Friday, November 28, 2014
Thomas Kienzle--Associated Press

Cyberwarriors are at it again, this time with a malicious program called Regin that has infected computers in Russia, Saudi Arabia and other countries and is so complex that security experts say it probably came from the United States, Britain or another Western government.

A Belgian cryptographer, Jean Jacques Quisquater, was one victim of a Regin attack, according to computer security firm Kaspersky Lab. Another victim was an unnamed Middle Eastern country. “In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president’s office, a research center, educational institution network and a bank,” Kaspersky reported on its blog.

Many countries, including China and Russia, engage in cyberwarfare, but those nations don’t appear to be the source of Regin. “We believe Regin is not coming from the usual suspects. We don’t think Regin was made by Russia or China,” Mikko Hypponen, chief research officer at F-Secure, told The Guardian. The only other countries thought to have the capability to create Regin are the United States, Britain and Israel.

There have been no incidents of Regin attacks in any of the “Five Eyes” countries—Australia, Canada, New Zealand, the UK and the U.S.—which comprise an intelligence alliance that dates back to World War II.

The virus has been found on servers belonging to Belgacom, the partly government-owned telecom company that was under surveillance by British intelligence, and on certain European Union systems that had been targeted by the U.S. National Security Agency. Quisquater was hit by Regin while investigating Belgacom.

“Having analyzed this malware and looked at the [previously published] Snowden documents,” Ronald Prins, a security expert whose company Fox IT was hired to remove the malware from Belgacom’s networks, told The Intercept, “I’m convinced Regin is used by British and American intelligence services.”

Regin has been compared to the Stuxnet malware, which infected Iranian computers and held up that country’s nuclear program. Stuxnet was believed to be the work of the United States, Israel, or both. However, unlike Stuxnet, Regin does not cause destruction within the targeted computer networks; rather, its function is to collect data and facilitate other attacks. It sneaks up on its targets disguised as Microsoft software.

Regin victims have been found in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Russia and Syria, according to SecureList. However, it’s one virus the average computer user probably doesn’t need to worry about—it appears to be infecting only targeted users.

“As we’ve been following and analyzing Regin, the complexity and the level of sophistication in the attacks has become very evident. We would place Regin in the category of highly sophisticated governmental espionage campaigns,” Hypponen said.

-Steve Straehley


To Learn More:

‘Regin’ Malware Comes From Western Intelligence Agency, Say Experts (Tom Fox-Brewster, The Guardian)

Secret Malware in European Union Attack Linked to U.S. and British Intelligence (by Morgan Marquis-Boire, Claudio Guarnieri and Ryan Gallagher, The Intercept)

Regin: Nation-State Ownage Of GSM Networks (by GReAT, SecureList)

Latest Middle East Cyber Attacks on U.S. Corporations Employ Sabotage (by Noel Brinkerhoff, AllGov)

Stuxnet Attack on Iran…the Worm that Keeps on Giving (by Noel Brinkerhoff, AllGov)

