Regin malware linked to NSA's QWERTY
Earlier this month, Der Spiegel published the source code of a program called QWERTY, essentially a keylogger, that was included in the Edward Snowden documents. There wasn't anything special about the program until Kaspersky Lab took a closer look at its code. What they found is that QWERTY's source code can be linked to Regin, another malware platform that was publicly disclosed in 2014.
Symantec’s report says Regin is believed to have been used in spying operations against governments, infrastructure operators, businesses, research institutes and private individuals in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium and Iran. When The Intercept wrote about Regin, they identified traces of its components dating back as far as 2003.
"This is a solid proof that the Qwerty plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225," wrote researchers Costin Raiu and Igor Soumenkov on Kaspersky’s Securelist blog. Their conclusion is that QWERTY is a plugin designed to work with the Regin platform and not a stand-alone module. Raiu and Soumenkov continue: "considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together."
The Regin malware seems to have popped up in interesting locations: the state-owned telecom Belgacom, the European Commission in 2011, the International Atomic Energy Agency in Vienna, Germany's Bild newspaper, and the USB stick of a high-ranking staffer to Chancellor Angela Merkel, just to name a few. The software is believed to be used by the Five Eyes partners, since GCHQ has been blamed for the Belgacom attack. Ronald Prins, head of the Dutch security company Fox-IT, analyzed the attack on Belgacom and told SPIEGEL ONLINE that Regin appeared to be a tool belonging to the NSA and GCHQ.