Researchers Believe NSA Created Regin Malware For Spying

Thursday, April 16th, 2015

Security researchers now have sufficient grounds to believe that the infamous Regin malware, a powerful piece of software that can spy on its targets for years, was in fact created by the US intelligence agency NSA (or one of its counterparts). Researchers came to this conclusion after discovering striking similarities between Regin malware’s code and the source code of another spying program from NSA’s arsenal, the QWERTY keylogger.

The Regin malware made headlines last year after it was discovered lurking on the servers of the Belgian telecom company Belgacom. The discovery led to allegations that the program was the creation of Western intelligence agencies and was being used to spy on private firms and telecom companies. Since then, the malware has been detected in ten more countries, including Russia, Iran, Mexico, Saudi Arabia, India, Pakistan, Austria, Belgium, Ireland and Afghanistan. While there is no definitive way to confirm how long the program has been spying on its targets, security experts believe that it originated as far back as 2003.

Security firm Symantec has described the Regin malware as “extremely complex software” suited to long-term surveillance programs because of its ability to remain undetected for years. The firm also said that the malware combines some of the most groundbreaking techniques ever used in malware creation with sophisticated methods of concealment. The malware can not only take screenshots on target computers, take control of mouse functions, monitor network speeds, intercept passwords and recover deleted files, but also allows operators to deploy customized spying functions depending on the nature of the target.

As for the QWERTY program, it is a powerful keylogger that can capture and record every keystroke on an infected computer. Whistleblower Edward Snowden was the first person to confirm the existence of the QWERTY keylogger, and he also leaked its details to the German publication Der Spiegel. The magazine decided to publish the source code of the keylogger in order to foster research, and also confirmed that QWERTY appeared to be part of the Warriorpride suite of malware used by members of the Five Eyes alliance (U.S., U.K., Australia, Canada and New Zealand) to carry out their surveillance and spying activities.

After Der Spiegel published QWERTY’s source code, it did not take long for security experts from Kaspersky to discover unmistakable similarities between the code of the two programs. Researchers also discovered that certain parts of the QWERTY keylogger referenced the Regin malware, and that the malware appeared to contain some parts of the keylogger. Considering the complexity of the malware and how difficult it would be to duplicate such a sophisticated program without access to the actual source code, Kaspersky concluded that the creators of the two programs were either the same or were working very closely together.

After Kaspersky published its findings, Der Spiegel published another report in which a Dutch security expert attributed the software used to spy on Belgacom to either the NSA or GCHQ. The report also highlighted how the Regin tool was linked to attacks on the International Atomic Energy Agency and the European Commission that occurred in 2011.
