Regin (malware)

Regin (also known as Prax or QWERTY) is a sophisticated malware and hacking toolkit used by the United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). [1] [2] [3] It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. [4] [5] The malware targets specific users of Microsoft Windows-based computers and has been linked to the NSA and to GCHQ. [6] [7] [8] The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. [5] Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. [9] (The name Regin first appears on the VirusTotal website on 9 March 2011. [5]) Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan. [10]

Kaspersky has said the malware's main victims are private individuals, small businesses and telecom companies. Regin has been compared to Stuxnet and is thought to have been developed by "well-resourced teams of developers", possibly a Western government, as a targeted multi-purpose data collection tool. [11] [12] [13]

According to Die Welt, security experts at Microsoft gave it the name "Regin" in 2011, after the cunning Norse dwarf Regin. [14]

Operation

Regin uses a modular approach allowing it to load features that exactly fit the target, enabling customized spying. The design makes it highly suited for persistent, long-term mass surveillance operations against targets. [15] [16]

Regin is stealthy and does not store multiple files on the infected system. Instead it uses its own encrypted virtual file system (EVFS), contained entirely within what appears to the host as a single file with an innocuous name; inside it, files are identified only by a numeric code, not by a name. The EVFS is encrypted with a variant of the rarely used RC5 cipher. [16] Regin communicates over the Internet with a command and control server using ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols; the server can direct operations, upload additional payloads, and so on. [10] [12]
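The two covert command channels described above, commands carried in ICMP echo payloads and commands hidden in HTTP cookies, are the kind of traffic a network defender can triage from flow and proxy logs. The following is an added example written for this article, not code from the article or from Symantec or Kaspersky: it runs two simple heuristics over constructed records (ICMP echo payloads that are oversized or keep changing size for one source/destination pair; long, high-entropy cookie values whose host/name pair is not in a baseline of normal traffic). Every record, threshold and baseline entry is a constructed assumption for illustration, not a published indicator.

```python
"""Triage of flow and proxy records for the two covert command channels the
article attributes to Regin: commands in ICMP echo payloads and commands embedded
in HTTP cookies. All records, thresholds and baseline entries are constructed."""
import math
import random
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_icmp(records, max_payload=64, max_distinct_sizes=2):
    """Flag (src, dst) pairs whose echo payloads are oversized or keep changing size.
    Normal ping clients send a fixed-size payload (32 bytes on Windows, 56 on Linux);
    a payload that carries commands tends to break one or both properties."""
    sizes_by_pair = defaultdict(list)
    for src, dst, payload_len in records:
        sizes_by_pair[(src, dst)].append(payload_len)
    findings = []
    for (src, dst), sizes in sizes_by_pair.items():
        reasons = []
        if max(sizes) > max_payload:
            reasons.append(f"payload up to {max(sizes)} bytes")
        if len(set(sizes)) > max_distinct_sizes:
            reasons.append(f"{len(set(sizes))} distinct payload sizes")
        if reasons:
            findings.append((src, dst, "; ".join(reasons)))
    return findings


def parse_cookie_header(header: str):
    """Split 'a=b; c=d' into [(name, value), ...]; a part without '=' gets value ''."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def triage_cookies(records, baseline, min_len=32, min_entropy=4.5):
    """Flag long, high-entropy cookie values whose (host, name) is not baselined.
    Legitimate session cookies are high-entropy too; the baseline of (host, name)
    pairs seen in normal traffic keeps the rule from firing on every login."""
    findings = []
    for src, host, header in records:
        for name, value in parse_cookie_header(header):
            if (host, name) in baseline or len(value) < min_len:
                continue
            ent = shannon_entropy(value)
            if ent >= min_entropy:
                findings.append((src, host, name, round(ent, 2)))
    return findings


# --- constructed sample data (not from any real capture) ---------------------
ICMP_RECORDS = [  # (src, dst, echo payload length in bytes)
    ("10.0.1.5", "10.0.0.1", 32), ("10.0.1.5", "10.0.0.1", 32),  # Windows ping
    ("10.0.1.9", "10.0.0.1", 56), ("10.0.1.9", "10.0.0.1", 56),  # Linux ping
    ("10.0.1.7", "198.51.100.4", 41), ("10.0.1.7", "198.51.100.4", 97),
    ("10.0.1.7", "198.51.100.4", 13), ("10.0.1.7", "198.51.100.4", 120),
]

# Stand-in for an opaque blob: 64 distinct characters in a fixed shuffled order,
# so its entropy is exactly log2(64) = 6.0 bits per character.
_chars = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
random.Random(1).shuffle(_chars)
OPAQUE_BLOB = "".join(_chars)

HTTP_RECORDS = [  # (src, host, Cookie request header)
    ("10.0.1.5", "intranet.example", "lang=en; theme=dark"),
    ("10.0.1.9", "shop.example", "sessionid=" + "a" * 40),          # long, zero entropy
    ("10.0.1.5", "shop.example", "sessionid=" + OPAQUE_BLOB[:40]),  # baselined name
    ("10.0.1.7", "cdn.example", "PHPSESSID=k3j4h5; _tk=" + OPAQUE_BLOB),
]
BASELINE = {("shop.example", "sessionid"), ("intranet.example", "lang"),
            ("intranet.example", "theme")}


def run_triage():
    """Run both heuristics over the constructed records and return the findings."""
    return triage_icmp(ICMP_RECORDS), triage_cookies(HTTP_RECORDS, BASELINE)


if __name__ == "__main__":
    for kind, hits in zip(("ICMP", "COOKIE"), run_triage()):
        for hit in hits:
            print(kind, hit)
```

Only the host 10.0.1.7 is reported on both channels: its echo payloads vary in size and exceed the assumed ceiling, and it presents an unknown, high-entropy cookie name to a host where that name has never been seen. The two ordinary ping sources and the genuine (baselined) session cookie stay quiet, which is the point of keeping a host/name baseline rather than relying on entropy alone.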

Identification and naming

Symantec says that both it and Kaspersky identified the malware as Backdoor.Regin. [10] Most antivirus programs, including Kaspersky's, did not (as of October 2015) identify the sample of Regin released by The Intercept as malware. [17] On 9 March 2011 Microsoft added related entries to its Malware Encyclopedia; [18] [19] two more variants, Regin.B and Regin.C, were added later. Microsoft appears to call the 64-bit variants of Regin Prax.A and Prax.B. The Microsoft entries do not contain any technical information. [5] Both Kaspersky and Symantec have published white papers with what they learned about the malware. [12] [13]

Known attacks and originator of malware

German news magazine Der Spiegel reported in June 2013 that the US National Security Agency (NSA) had conducted online surveillance of both European Union (EU) citizens and EU institutions. The information derives from secret documents obtained by former NSA worker Edward Snowden. Both Der Spiegel and The Intercept quote a secret 2010 NSA document stating that it carried out cyberattacks that year, without specifying the malware used, against the EU's diplomatic representations in Washington, D.C. and to the United Nations. [5] [20] Investigators later found signs on the infected machines identifying the software used as Regin.

The Intercept reported that, in 2013, the UK's GCHQ attacked Belgacom, Belgium's largest telecommunications company. [5] These attacks may have led to Regin coming to the attention of security companies. Based on analysis by the IT security firm Fox IT, Der Spiegel reported in November 2014 that Regin is a tool of the UK and US intelligence agencies. Fox IT found Regin on the computers of one of its customers, and according to its analysis parts of Regin are mentioned in the NSA ANT catalog under the names "Straitbizarre" and "Unitedrake". Fox IT did not name the customer, but Der Spiegel noted that Belgacom is among Fox IT's customers and quoted the head of Fox IT, Ronald Prins, as saying that they are not allowed to speak about what they found in the Belgacom network. [1]

In December 2014, German newspaper Bild reported that Regin was found on a USB flash drive used by a staff member of Chancellor Angela Merkel. Checks of all high-security laptops in the German Chancellery revealed no additional infections. [21]

Regin was used in October and November 2018 to hack the research and development unit of Yandex. [22]

References

  1. Stöcker, Christian; Rosenbach, Marcel (25 November 2014). "Spionage-Software: Super-Trojaner Regin ist eine NSA-Geheimwaffe". Der Spiegel.
  2. "Experts Unmask 'Regin' Trojan as NSA Tool". Spiegel.de. Retrieved 9 November 2021.
  3. Zetter, Kim. "Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer". Wired. ISSN 1059-1028. Retrieved 22 February 2022.
  4. "Regin Revealed". Kaspersky Lab. 24 November 2014. Retrieved 24 November 2014.
  5. Marquis-Boire, Morgan; Guarnieri, Claudio; Gallagher, Ryan (24 November 2014). "Secret Malware in European Union Attack Linked to U.S. and British Intelligence". The Intercept.
  6. "Top German official infected by highly advanced spy trojan with NSA ties". 26 October 2015.
  7. Perlroth, Nicole (24 November 2014). "Symantec Discovers 'Regin' Spy Code Lurking on Computer Networks". The New York Times. Retrieved 25 November 2014.
  8. Gallagher, Ryan (13 December 2014). "The Inside Story of How British Spies Hacked Belgium's Largest Telco". The Intercept.
  9. Kaspersky Lab (24 November 2014). "Regin: a malicious platform capable of spying on GSM networks".
  10. "Regin: Top-tier espionage tool enables stealthy surveillance". Symantec. 23 November 2014. Retrieved 25 November 2014.
  11. "Regin, new computer spying bug, discovered by Symantec". BBC News. 23 November 2014. Retrieved 23 November 2014.
  12. "Regin White Paper" (PDF). Symantec. Archived from the original (PDF) on 7 September 2019. Retrieved 23 November 2014.
  13. "Regin White Paper" (PDF). Kaspersky Lab. Retrieved 24 November 2014.
  14. Fuest, Benedikt (24 November 2014). "Ein Computervirus, so mächtig wie keines zuvor". Die Welt. Archived from the original on 28 November 2014.
  15. "Regin Malware - 'State-Sponsored' Spying Tool Targeted Govts". The Hacking Post. Archived from the original on 18 February 2017. Retrieved 24 November 2014.
  16. "NSA, GCHQ or both behind Stuxnet-like Regin malware?". scmagazineuk.com. 24 November 2014. Retrieved 25 November 2014.
  17. VirusTotal: detection ratio 21/56.
  18. Microsoft Malware Protection Center, "Malware Encyclopedia".
  19. Microsoft Protection Center: Trojan:WinNT/Regin.A.
  20. Poitras, Laura; Rosenbach, Marcel; Schmid, Fidelius; Stark, Holger (29 June 2013). "Attacks from America: NSA Spied on European Union Offices". Der Spiegel.
  21. "German government denies falling victim to cyber attack". Deutsche Welle. 29 December 2014.
  22. "Western Intelligence Hacked 'Russia's Google' Yandex to Spy on Accounts". Reuters. 27 June 2019. Archived from the original on 29 June 2019.