Computer security industry adds state agencies to global malware blacklist

Edward Snowden was there first – it’s not just cybercrooks who are using staggeringly sophisticated spyware to invade damn near everything. Companies and countries flail about as they fall through a new kind of wormhole


Against the backdrop of Edward Snowden’s revelations of the UK’s GCHQ mass data-harvesting from cables linking Ireland to Britain and North America, the multibillion-dollar computer security industry has become locked in a perpetual cat-and-mouse arms race – not just with vandals, activists and cybercriminals, but now with state agencies and their sophisticated spyware aimed at Windows systems, tablets and smartphones.

These highly sophisticated and stealthy APTs (advanced persistent threats) specifically target foreign government organisations, military installations, defence contractors and research institutions. But they can also quietly log our movements, potentially transforming the world’s mobile phones into multimedia bugging devices.

Discovered in the past five years, APTs such as GhostNet, Shady Rat and Operation Aurora (believed to be Chinese) have attacked western cloud computing firms, banks, defence and aerospace corporations as well as dissidents.

Red October and Turla are believed to be Russian, while in recent weeks and months, other suspected Russian-backed groups have hacked the White House, Ukraine, Georgia, the Caucasus and other former eastern bloc countries, as well as Nato and defence contractors across Europe.

Western agencies such as the NSA, GCHQ and Israeli military intelligence have been widely credited with ingenious platforms such as Flamer, which hit systems and individuals all over the Middle East, mainly Iran; it was reportedly primed for turning infected computers into “Bluetooth beacons”, sucking data from nearby devices.

In February this year, experts extolled The Mask (supposedly of Spanish origin) as more ingenious still. It targeted embassies, energy companies and research organisations from Morocco to Brazil.

Attack in Iran

Credited as the world’s first real cyberweapon, Stuxnet set off existential fears of a Pandora’s toolbox which, in the wrong hands or during wartime, could take down air-traffic control systems, power grids, water-treatment plants and the like.

Now experts seem to agree that the latest cyberespionage tool, Regin, is one of the most sophisticated attack platforms ever analysed.

Symantec, owner of Norton Anti-Virus, revealed the existence of Regin globally on November 23rd as a “groundbreaking and almost peerless” intelligence-gathering stealth tool. Regin individually targets government agencies, telecoms, research institutes (particularly those involved in advanced maths and cryptography), even hotels (perhaps for intelligence on guests’ movements).

Its ingenious modular design of interdependent components involved a dropper and five-stage loading architecture (similar to Stuxnet and the related Duqu). A suite of payloads are controlled by the attacker via remote command-and-control servers scattered around the internet. So far it’s been used to conduct “continuous monitoring of targeted organisations or individuals”.

Regin captures screenshots and steals logs and passwords, retrieving even deleted files. It monitors emails, web and network traffic, even mobile telephony base station controllers, which it can intercept and interfere with.

The sheer time, resources and skill involved in creating Regin could only have come from a “nation state” intelligence agency, according to Symantec. Others again cited the US, UK or Israel as the most likely candidates, and world news outlets rang the alarm.

Neutralising infection

Orla Cox

Cox acknowledges that they have not got a full picture of the latest version, and that such a flexible sophisticated tool could easily be adapted by intelligence agencies. But the average user needn’t be too concerned, she says, as safeguards are now in place.

Symantec’s Dublin office, as part of the global team, was involved in decrypting, reverse-engineering and piecing together various Regin components. Symantec says this stealth tool simply collects data and monitors targets using a multistage approach, where each stage (bar the first) is hidden and encrypted; as is the stolen data.

Even when detected, it can be difficult to ascertain Regin’s motives. Symantec admitted it could only analyse the payload after decrypting numerous sample files.

The initial driver is the only code left visible on the computer. The rest is stored as “encrypted data blobs” deep in with unusual file storage, such as in the registry, virtual file systems or raw sectors at the end of disk, which could be sitting on machines for years before detection.

“It’s a full-feature spying tool for long- term surveillance and mass data-gathering,” Cox says, “a whole framework which can be adapted or updated to take on extra payloads or functions, depending on the system or organisation they are targeting. It’s fully customisable for whatever the operator wants it to do.”

Symantec tracked one version of the malware from 2008 to 2011, when it disappeared. Version “2.0” resurfaced in 2013. The firm admits it took a long time to piece together the jigsaw, and they still haven’t detected all modules of the new version. And more versions likely exist.

Symantec has verified about 100 infections globally, categorised as private individuals or small businesses (48), telecoms backbones (28), hospitality sector (9), energy sector (5), airlines (5), and research facilities (5).

In terms of a geographic breakdown, the 100 verified infections struck Russia (28) and Saudi Arabia (24), with Ireland and Mexico at joint third on nine, followed by India, Afghanistan, Iran, Belgium, Austria and Pakistan on five.

Of the nine Irish infections, all afflicted just one “very surprised” Irish company, “not a particularly high-profile organisation”, which Cox declines to identify.

Countries unaffected included the UK, US and the other three “five eyes” cybersurveillance alliance countries: Canada, Australia and New Zealand.

Regin announced

The InterceptThe InterceptGlenn GreenwaldLaura Poitras

When Symantec went public, the other big anti-virus companies (Kaspersky and F-Secure) immediately followed suit, also stating they had been tracking Regin samples, which were in their files since 2008 or earlier.

Indeed, the VirusTotal website flagged one component in 2011, when Microsoft began removing it. Mikko Hyponnen of F-Secure said that certain customers asked him not to discuss the malware found on their networks.

Meanwhile, Kaspersky identified 27 further victims from countries such as Brazil, Algeria, Germany, Syria, Malaysia, Indonesia, Fiji and the tiny Pacific island-nation of Kiribati.

Belgian hack

The InterceptBelgacom

Apparently, GCHQ began by targeting engineers and administrators with full access to the system, and using IP addresses, web traffic and cookies, targeted each individually with malware to spread across the system.

According to The Intercept, GCHQ identified other cellphone operators connected to Belgacom through international roaming partnerships, and hacked into data links over a protocol called GPRS, which handles cellphone internet browsing and multimedia messages. The hack remained undetected until spring 2013.

Belgacom hired a Dutch security firm, Fox-IT, which found that Regin had infected more than 120 computer systems, and up to 70 personal computers.

The most “mind-blowing” Regin infection Kaspersky saw occurred in an unnamed Middle Eastern country, on an elaborate web of networks the attackers infected and then bridged together between the country’s presidential office, a research centre, an educational institute and a bank.

Instead of having each infected network communicate with the attackers’ command server, the attackers set up an elaborate web so that commands passed between them as if through a peer-to-peer network. Only the educational institute served as a hub for communicating externally with the attackers.

Meanwhile, last February 1st, again from Belgium, it was reported that Regin had hacked the PC of Jean-Jacques Quisquater, a cryptography professor and security specialist at the Université Catholique de Louvain, after he clicked a bogus LinkedIn page of a non-existent employee of the European patent office.

Espion technician Conor O’Neill says the Symantec announcement certainly alarmed his clients. Like Brian Honan, who consults for Irish government departments, the UN and Interpol, O’Neill had never heard of Regin before this.

Legally, such hacking and data retention exists in a grey area. Privacy International’s Dr Richard Tynan notes that the UK Intelligence Services Act 1994 can be called upon to justify hacking “in the interests of the economic well-being of the United Kingdom in relation to the actions or intentions of persons outside the British Islands”.

Meanwhile, last April, an EU directive governing data retention was overturned by the EU Court of Justice, after Digital Rights Ireland referred Ireland’s Criminal Justice (Terrorist Offences) Act, 2005 to the court.

In a move that seems at odds with that ruling, Minister for Justice Frances Fitzgerald signed into law a statutory instrument on November 26th, enacting the dormant third part of the 2008 Criminal Justice (Mutual Assistance). This allows foreign law enforcement agencies to tap Irish phone calls and emails. Telecoms that refuse to comply with an intercept order could be brought before a private “in camera” court.

Their own law

As in other industries, there is a revolving door between the private sector and government agencies such as GCHQ/NSA – from the top. Gen Keith Alexander, former US Cyber Command and NSA head, now attracts vast seven-figure consulting fees for his IronNet Cybersecurity firm.

This after Alexander left the NSA under a cloud in March over Snowden’s revelations of NSA bulk surveillance and warrantless wire-tapping. There were revelations of a secret deal by which the NSA paid RSA, the security company, $10 million (€8.3 million) for RSA to incorporate a backdoor into its encryption product, BSafe.

According to Espion’s O’Neill: “These threats are here to stay, and AV is not a silver bullet, but everyone should be taking measures. For organisations, that includes general security awareness and network monitoring: appropriate segregation of networks, firewall rules; threat modelling exercises; and even the inevitable disaster recovery plans.”

However all these warnings should be taken in light of Belgacom boss Dirk Lybaert’s description of the Regin malware: “This is a kind of attack that a single company or country would be unable to withstand on its own.”

As security guru Bruce Schneier said recently, we are all potentially collateral damage of state-sponsored malware, particularly if we’re “unlucky enough to be sitting in the blast radius”.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection


Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.