NSA, GCHQ or both behind Stuxnet-like Regin malware?

Symantec has discovered a new piece of customisable malware - reminiscent of the Stuxnet worm - which has been stealing data from governments, telcos, energy companies and SMEs since 2008. And experts say the threat actor could be the US or UK government.

NSA, GCHQ or both behind Stuxnet-like Regin malware?
NSA, GCHQ or both behind Stuxnet-like Regin malware?

In a new report published late on Sunday, the endpoint security firm said that the ‘Regin' malware ‘bears the hallmarks of a state-sponsored operation' and has been in operation since at least 2008, focusing specifically on government departments, telecom operators, academics, individuals and other private sector organisations.

The malware was first found operating between 2008 and 2011 before being ‘abruptly withdrawn' for no obvious reason. A new version resurfaced from 2013 to target private companies, government entities and research institutes – although research shows that targeted individuals and SMEs account for almost half of all infections.

Symantec says that attacks on telecom operators were designed so that the threat actor could gain access to calls being routed through their infrastructure – with Kaspersky Lab since reporting that Regin has also been used to attack GSM mobile networks.

Research shows that 28 percent of all infections were in Russia, with 24 percent in Saudi Arabia. Ireland, Belgium and Austria were the most-affected Europeans with 9 percent, 5 percent and 5 percent respectively.

Regin has already drawn parallels with Stuxnet and APT families like Flamer and Duqu owing to its sophisticated and customised modular approach which has enabled the threat actor to tweak the malware on a target-by-target basis.

The malware – Symantec says it differs from an APT as it simply collects data and monitors targets - employs a multi-stage approach where each stage (bar the first, where the backdoor is installed) – is hidden and encrypted. It is only possible to understand the complete package by decrypting all stages.

It is also incredibly stealthy; most code cannot be viewed on infected machines and stolen data is hidden from view.  Even when detected it can be difficult to ascertain its motives - Symantec admitted that that it was only able to analyse the payload after decrypting numerous sample files.

Other stealth features include anti-forensics capability, a custom-built encrypted virtual file system (EVFS) and an alternative encryption (it uses a variant of the rarely-used RC5). The malware communicates back to the attacker via ICMP/ping, embedding commands in HTTP cookies and custom TCP and UDP security protocols.

“Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns,” reads Symantec's analysis. “The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.”

The firm continued: “The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist.”

Shortly after the report was released, a spokesman for Dutch security firm Fox-IT said that the nation state behind the malware could well be a combination of the US and UK.

Erik de Jong, who is responsible for Fox-IT's computer security incident response team, told SCMagazineUK.com that the company has been watching the malware over numerous versions and says that its modular approach makes it more of a ‘malware framework' that can be used on a wide range of targets. For example, he said that custom modules could be included to sniff email traffic.

“In our view it's not very specific – it's more of a framework in such a way that it can be really flexible and put to a variety of purposes,” he said, adding that this framework may have been in operation for more than ten years.

“It makes sense, something you can re-use – you don't have to keep reinventing the wheel all the time.”

De Jong was also certain who the threat actor is. “For us, we're convinced that this is the product of the US or UK [governments]. We've obviously looked at the malware, and looked with a great deal of interest at the information published and leaked by Mr [Edward] Snowden, and some of that just makes sense, the pieces fit.

“In our mind, there's no doubt at all.” To clarify, he later added in an email: “We based our assumption on our technical knowledge of the malware framework combined with pieces from information that were made public through Mr Snowden.”

F-Secure issued a blog post earlier in the day saying that it had spotted Regin in 2009, and believes the malware is not the work of the Russian or Chinese governments. Meanwhile, security researcher Frederic Jacobs added coyly in a Twitter post:

“I want Fox-IT to go on the record about Regin. Time to release the Belgacom report?” [This could be a reference to Jean-Jacques Quisquater, who was targeted back in February, which led some to suggest that Regin malware may have been used as part of a NSA/GCHQ investigation into Belgacom.]

The Fox-IT spokesman added that the initial compromise – thought to be spear phishing or spoofed websites – is currently much harder to ascertain, but said that the motive is a universal government ambition of wanting to protect national security, energy security and threats from terrorist activities.

He added that, while the small organisations were surprisingly targeted, that may have been the case as many of these have lots of IP or could be ‘stepping stones' to bigger targets.

Update: The Intercept has since published more on the NSA/GCHQ involvement.

Sign up to our newsletters