Cyber-espionage malware on German official's computer, authorities investigate

The 'Regin' malware has been found on the laptop of a high ranking German official, signalling foul play, perhaps by a western spy agency. Germany has started to investigate.

This wouldn't be the first time Regin has shown up on a government official's computer
This wouldn't be the first time Regin has shown up on a government official's computer

A high-ranking German politician has found espionage malware on his computer, prompting an investigation by the Federal Prosecutor's Office. 

Der Spiegel, the German news magazine, reported last week that an official within the German Federal Chancellery, a central office within the German government, discovered his personal laptop was infected with Regin, a piece of malware strongly associated with western cyber-espionage.

This incident echoes an incident last year when it was found that the National Security Agency, America's signals intelligence agency, was caught eavesdropping on the mobile phone of Angela Merkel, the German Chancellor.

Regin has been found in the computer networks of a variety of organisations and companies including governments, the energy sector, airlines, research bodies and even private individuals. 

Investigative journalism outfit, The Intercept, reported in 2014 that the UK signals intelligence organisation, GCHQ, had used the malware to spy on Belgacom, a Belgian communications company. It's also been found on EU computers, according to documents leaked by Edward Snowden.

In the case of Belgacom, GCHQ targeted the company's engineers by directing them to a LinkedIn page which they had loaded with the malware. Once the computers were infected, GCHQ could get inside their telecommunications apparatus to steal data.

Regin is a fairly high-level piece of kit. It was first discovered by Symantec in 2012, and has been shown to be able to spy on the infected device as well as steal passwords, recover deleted files, grab screenshots and capture network traffic. Symantec described it as a back-door type trojan, disguising itself as legitimate Microsoft software. 

It's also highly diverse, Symantec noted, allowing it to load different modules according to the target.

The company wrote at the time, “It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks.” 

Symantec spoke to SC, saying that “Regin bears the hallmarks of a state-sponsored operation and is likely used as an espionage and surveillance tool by intelligence agencies. However we do not have sufficient evidence to attribute it to any particular state or agency.”

Sian John, a security expert at Symantec, spoke to the BBC upon the discovery of the malware in 2012. She speculated that “it looks like it comes from a western organisation. It's the level of skill and expertise, the length of time over which it was developed.”

The German Federal Chancellery spoke to SC, saying that those assumptions "can not be confirmed." and "It did not come to an infection of the IT system of the Federal Chancellery"