Regin: The super-spyware the security industry has been silent about

A public autopsy of sophisticated intelligence-gathering spyware Regin is causing waves today in the computer security world. But here's a question no one's answering: given this super-malware first popped up in 2008, why has everyone in the antivirus industry kept quiet about it until now? Has it really taken them years to …

  1. Anonymous Coward
    Anonymous Coward

    Why know?

    I think you are asking the wrong question. It's not why did no-one say anything, but why announce its existence now? Presumably it's been superseded by something better and stealthier.

    1. YARR

      Re: Why know?

      Codenames: Bush, Clinton and Obama.

    2. VinceH

      Re: Why know?

      Exactly what I was thinking: The reason it's now in the public eye is because Regin has become less relevant, and so permission has been granted.

    3. Uffish

      Re: Presumably it's been superseded by...

      ... the Win 10 version.

  2. Anomalous Cowturd
    WTF?

    I was just about to post the same thing.

    Nice to know they are happy to target more than just us hoi polloi.

    Money well spent.

    Treasonous May wants new laws to spy on school-children, to protect us from... Exploding children! Or something.

    What next? Paedo children? Children who want to have sex with other children? Rather than sex with fat MPs grown men? It must be stopped!

    Holy shit, this country is fucked up!

    Maybe we should all just offer ourselves up for re-education?

    1. Destroy All Monsters Silver badge
      Trollface

      Re: I was just about to post the same thing.

      Holy shit, this country is fucked up!

      At least one commentard disagreed. Having visited the reeducation facilities which are in impeccable condition and maintained to the highest sanitary standards, a consequential downvote was just the right action to perform.

      "I also have a problem. I'm not sure which side runs this Village."

      1. earl grey
        Happy

        Re: I was just about to post the same thing.

        Well done number six. Well done.

      2. goldcd

        Think this through

        We've discovered the government malware.

        You click through to comment upon it - and then you see a post that distracts you, and causes you to write something else.

        Who benefits from this distraction? Who might have caused it? Surely you don't believe there's really anybody quite so retarded?

        *raises eyebrow*

    2. Sureo

      Re: I was just about to post the same thing.

      "Maybe we should all just offer ourselves up for re-education?"

      No, they'll just implant a chip in your head, monitor you and shock you if you misbehave.

  3. Zack Mollusc
    Thumb Up

    Well, since I haven't been exploded by evil hacker-paedo-terrorists, I say 'Hurrah for the noble government, you are doing a fine job!'

    1. Anomalous Cowturd
      Stop

      @Zack Mollusc

      It's the evil hacker-paedo-child-terrorists that will get YOU unless WE get these new laws!

      Pre-crime any-one?

      Computer says "Re-education for you!"

      Has nobody read 1984 FFS?

      1. Anonymous Coward
        Anonymous Coward

        Re: @Zack Mollusc

        "Has nobody read 1984 FFS?"

        Course they have.

        They just thought it was an instruction book, or a longform HOWTO.

        1. elDog

          Re: @Zack Mollusc

          Correction: Longform FUQ (Frequently Unanswered Questions)

          Please delete this comment and ban me to eternal purgatory (or perhaps a week or so.)

  4. Mikel

    More and better

    There will be no lack of material for stories like this in the years to come.

  5. John Brown (no body) Silver badge
    WTF?

    Hang on...

    WTF is an AV outfit doing NOT dealing with or reporting on a sophisticated piece of malware "because their client" asked them not to? Are the people who PAY for their AV products not clients? It's not as if they are obligated to list the names and addresses of their infected "clients".

    1. Marketing Hack Silver badge
      Black Helicopters

      Re: Hang on...

      "Their client" might have been penetrated by Regin because the client was or was perceived to be doing something that got them in the sights of one or more sigint agencies, and when they found out they were being targeted they decided to make nice with the government(s) involved. Part of the plea bargain is that the client in question not talk about the vehicle used to surveil them. Or they just decided not to make matters worse and risk going from acceptable levels of surveillance by shadowy sigint forces to all-out penetration of their infrastructure.

    2. Allan George Dyer Silver badge

      Re: Hang on...

      "WTF is an AV outfit doing NOT dealing with or reporting…"

      From the article, F-Secure did deal with the malware, Mikko's tweet was, "Malware decoded, detection added". When you're receiving hundreds of thousands of samples of dozens of varieties of malware a day, something has to be pretty exceptional to deserve a press release, if the only known victim doesn't want it publicised, what's left to talk about?

      Full disclosure - Mikko is a nice guy to have a drink with.

      1. John Brown (no body) Silver badge

        Re: Hang on...

        @ Allan George Dyer

        Fair enough, I didn't read it properly

  6. Anonymous Coward
    Anonymous Coward

    They are us from the future!

    Obviously Regin was created by the Monolith and transmitted to Earth over extremely low frequency radiation using earth's magnetosphere as the antenna and modulated to GSM frequencies for payload delivery.

    1. Destroy All Monsters Silver badge

      Re: They are us from the future!

      Please tell us more.

  7. Anonymous Coward
    Anonymous Coward

    Why was Ireland 3rd most heavily targeted?

    Anyone got ideas as to why.. ?

    1. Marketing Hack Silver badge
      Go

      Re: Why was Ireland 3rd most heavily targeted?

      Because the Irish throw the biggest boozeouts, and somebody in the shadows wanted to know where the next party was being held?

      More seriously, possibly the shadowy "they" are watching all this corporate revenue being moved through Ireland for tax purposes.

      Or (less seriously--I hope) maybe because the Irish stood on the sidelines during WW2 and the Cold War, the lot of them must be nazi/commie sympathizers!! By that logic, these days the Irish must be the "have a wee drink" arm of Al Qaeda!!

      1. Destroy All Monsters Silver badge

        Re: Why was Ireland 3rd most heavily targeted?

        More seriously, possibly the shadowy "they" are watching all this corporate revenue being moved through Ireland for tax purposes.

        Just phone up the big four.

    2. thames

      Re: Why was Ireland 3rd most heavily targeted?

      Various parts of the US government can forward their interests to the NSA. So, the diplomats and arms makers will ask for information on Russia, the terrorism watchers will have questions about Saudi Arabia, the drug investigators will have questions about Mexico, and the tax office will have questions about companies who use Ireland as a tax haven.

      Something like Regin would get developed by the "product development" department as a general purpose spy toolkit. A lot of the actual R&D probably gets outsourced. The NSA has an internal catalogue that their application spies can pick from. The list of countries we see here just happens to be the aggregate of all the different internal departments that used it for different purposes. This sort of stuff about how they operate came out in the Snowden documents.

      It makes more sense if you think about the NSA (and to a lesser extent GCHQ) as a big conglomerate with different "business units" serving different "markets". Spying is what they do, and they try to expand into any and all markets.

    3. Anonymous Coward
      Anonymous Coward

      Re: Why was Ireland 3rd most heavily targeted?

      Presumably it's easier than getting covert cooperation* from the Irish government, and Ireland has most of the data centres.

      (*implying Irish government not capable of keeping a secret, not that they wouldn't cooperate)

    4. John Sturdy
      Devil

      Re: Why was Ireland 3rd most heavily targeted?

      Because corruption in Ireland is pretty blatant, but there's probably a lot more material not yet public, that would be excellent for blackmailing senior politicians into compliance with external interests.

      Or possibly just to make up a price list to see which ones to buy.

    5. Bloakey1

      Re: Why was Ireland 3rd most heavily targeted?

      Big Finance center, lots of tax avoidance schemes, big time I.T. / comms center, masters of peat extraction, first country to have a Guinness tanker which neatly leads us to Saudi.

  8. Marketing Hack Silver badge
    Black Helicopters

    This is part of the larger problem with the NSA's dual responsibility in the U.S.

    It's the safecracker/national security hacker of choice, but it is also in charge of cybersecurity for the U.S. On top of that, through its big budget, relationships with other sigint agencies, alumni community in private industry and the ability to rouse support from various arms of the military-industrial, intelligence or law enforcement communities in the U.S. and probably a lot of U.S. allies, it has huge influence in IT security around the world.

    So if you are an IT security company, the NSA can really hold your feet to the fire. If you tweak them by outing their malware without permission, you can find your products getting bad security reviews from the NSA, or no reviews at all, or getting inexplicably edged out of government contracts or work with defense/government contractors in the U.S. and overseas. That's a lot of potential customers to risk losing through exposing an NSA or 5 Eyes operation, even if that operation is a threat to IT security in general.

    Plus there is just the national security/sigint aspect of their organization. If you are the CEO of even a huge IT security vendor like Symantec and you get a call from the Director of the NSA, you are probably going to take the call simply out of interest in what he is going to ask you about and what he thinks the potential alignment might be between the world's premier sigint agency and your company.

    The NSA really needs to have its cybersecurity responsibilities moved out from under the agency. It basically allows them to corrupt or appear to corrupt much of the IT security industry. I can understand why the NSA wants to keep that responsibility in-house, it allows them to control a lot of the industry. However, it's a bad deal for IT customers and the IT security industry itself.

    1. elDog

      Re: This is part of the larger problem with the NSA's dual responsibility in the U.S.

      Good idea - separating the NSA spying/infiltrating/implanting from the NSA passively watching radio waves.

      Sort of like getting other Intelligence Agencies to not meddle in other countries affairs in a disruptive manner.

      I can't see getting ex-spooks/clandestine operatives that are running these agencies to relinquish their sense of satisfaction of being in control vs. being just observers.

      Even if we/you were to split agencies into analysis/operational roles, we all know that the pathways between their buildings would be well worn.

      1. Fatman

        Re: This is part of the larger problem with the NSA's dual responsibility in the U.S.

        Even if we/you were to split agencies into analysis/operational roles, we all know that the pathways between their buildings would be well worn an enclosed pedestrian bridge.

        FTFY!!!

        1. oolor

          Re: This is part of the larger problem with the NSA's dual responsibility in the U.S.

          >an enclosed pedestrian bridge.

          Oh, Canada!

  9. Mark 85 Silver badge

    It's interesting that it's very target specific...

    Seems that it's more interested in the infrastructure much like Stuxnet but without the "destroy... destroy... destroy...." command. Or maybe there's a part of it that allows such commands to be entered. Nothing like shutting down power on a country to create problems for the leadership.

  10. thames

    "virtually no infections have been reported in the US, UK or other Five Eyes nations, some to suspect it's the work of the NSA, GCHQ or their contractors."

    What's even more fascinating is that the mainstream media (i.e. not the tech press) reports that I have been reading waffled like mad about the source of it, and then vaguely insinuated that Russia and China were to blame.

    One news story quoted a "Gartner analyst Avivah Litan" as directly saying it was Russia, China, or North Korea, or even all three of them working together in a vast alliance. He didn't quite say "axis of evil", but the thought was there.

    Given that the target list pretty much encapsulates the people the US wants to spy on, I don't think we're in too much doubt about who was behind it. The big question is why the mainstream media are afraid to admit the obvious?

    1. frank ly

      The mainstream press get their information from 'trusted sources', i.e. sources who they often have lunch and drinks with. The NSA and GCHQ are probably running a serious lunch and drinks operation on this one.

    2. Destroy All Monsters Silver badge
      Headmaster

      A land of honey and rainbow-colored quadrants.

      Gartner analyst Avivah Litan

      Attachment to base reality would have lifted off the page at this point.

    3. Anonymous Coward
      Anonymous Coward

      "Given that the target list pretty much encapsulates the people the US wants to spy on"

      Actually the US want to spy on everybody, including "allies" as the scandal over Merkel's phone showed. My guess is that the reported infections are a subset of the total, and there will be infections in Europe and the Anglophone countries.

    4. Anonymous Coward
      Anonymous Coward

      ask the German mainstream media who they work for?

      for example by reading http://en.wikipedia.org/wiki/Udo_Ulfkotte

      recent number one best-selling book on Amazon.de,

      now

      Nr. 1 in Bücher > Film, Kunst & Kultur > Medien

      Nr. 1 in Bücher > Fachbücher > Medienwissenschaft > Publizistik > Journalismus

      Nr. 1 in Bücher > Biografien & Erinnerungen > Weitere Berufe & Themen (Further Business & Themes)

      The book "Bought Journalists" http://www.amazon.de/Gekaufte-Journalisten-Udo-Ulfkotte/dp/3864451434/

      According to Ulfkotte, the CIA and German intelligence (BND) bribe journalists in Germany to write pro-NATO propaganda articles, and it is well understood that one may lose their media job if they fail to comply with the pro-Western agenda. In 2014, Ulfkotte published Bought Journalists ("Gekaufte Journalisten"), in which he reveals that the CIA and other secret services pay money to journalists to report a particular story in a certain light.

      Is there any reason not to assume that our British dearly beloved journalists are not also "bought"?

      (I write this as an anonymous commentard who was probably targeted/hit by the Regin attack)

      The only good news is that since Udo's book was released, the German mainstream media (who ignore the book) have seen a free-fall in their unique visitors & might be suffering blowback!

    5. Bloakey1

      <snip>

      "One news story quoted a "Gartner analyst Avivah Litan" as directly saying it was Russia, China, or North Korea, or even all three of them working together in a vast alliance. He didn't quite say "axis of evil", but the thought was there"

      <snip>

      There is a man I would like to see pass the bacon sandwich test.

      Wanders off singing medley of Hava nagilla and home on the range.

    6. P. Lee Silver badge

      >The big question is why the mainstream media are afraid to admit the obvious?

      Perhaps because they don't want to be cut out of government briefings to the press in the future, or make an enemy of GCHQ/NSA in general?

  11. John Savard Silver badge

    Not Certain

    I note that one list of the countries where this malware was found also didn't include China, so that is another possibility. For that matter, with Sa'udi Arabia as a major target, maybe we should suspect Israel.

    1. John Sturdy
      Black Helicopters

      Re: Not Certain

      The Chinese government seems very interested in spying on the Chinese people (a bit like the American government being interested in spying on the American people, and the British government in spying on the British people) so if the software isn't found in China, that doesn't suggest it's of Chinese origin.

    2. Anonymous Coward
      Anonymous Coward

      Re: Not Certain

      Well I was hit in Italy, having bought a HP Server from Canada, which was delivered to me via a software company in downtown Tel Aviv (Shipping label air-way bill sticker left on outside packing crate!) You really should learn to send viruses by road transport guys!, air just leaves so much metadata..

      I suspect everyone, and I suspect no-one! as Inspector Clouseau would have said

  12. naive

    The missing word

    Compliments to those who made this very subtle spy frame work. The word that is missing in publications about this latest collapse in privacy is Microsoft, it is them providing the fertile soil for spyware like this.

    We need a new Ralph Nader, who will start addressing computer safety. It is an outrage that desktops with updated Windows versions running on idling i7's are allowing silent insertion of new device drivers and kernel modifications. Until this is solved, the world can kiss NSA's feet if it continues its MS addiction. If we have been able to verify https websites for over a decade, why can MS not verify low level drivers and other kernel extensions in 2014, and warn users that unknown software is inserted?

    Users pay $100,- per license, which gives users rights to a product that is more than a platform to run spyware on; until MS is dragged before court in a massive class action lawsuit, nothing will change.

    MS lovers will probably down vote this post, but compare Windows to a big TV manufacturer selling TVs with hidden cameras allowing spooks to spy in the living room; how would people feel about that?

    1. Peter 26

      Re: The missing word

      Extra security is always good, but the NSA/GCHQ are perfectly capable of stealing someone's signing key to make their drivers pass these tests.

    2. lambda_beta
      Linux

      Re: The missing word

      Unfortunately, the Ralph Naders in the US are either paid off, in jail or living in another country (waiting to be put in jail if they return).

    3. Jes.e

      Re: The missing word

      *Setup*

      I live in the home town of a certain ubiquitous caffeine addiction dealer as well as a certain massive (yet unprofitable) bookstore destroying pyramid scheme, AS WELL as neighbors to a certain dark fortress in nearby Redmond who makes "really good" software. You know the place.

      [It must be really good as it's ubiquitous]

      Elvis even did a strangely rapey movie about us back in the 60's..

      Our local news reporting (no different from the national coverage I might add) was (and is) very warm to these three entities needless to say..

      Back sometime in the 90's the local and national news started reporting increasingly breathless stories about how our precious software fluids were being invaded by things called virus and worms which were "somehow" taking up residence in our computer devices connected to the interwebs.

      They curiously never seemed to specifically mention *which* computers were at risk and how exactly the infection was spreading (IE, Outlook, activeX usually).

      Mac users hopefully knew that they were exempt, and the rare Unix and Linux almost certainly knew that this didn't apply to them, *BUT THE WINDOWS* users just assumed that this applied to EVERYONE including them.

      After all that's what the news stories said.

      Our media was thus protecting Microsoft by never raising the obvious question in the viewers mind "so why are these other operating systems safe?"

      Until one evening.

      One night our local news anchor accidentally (?) let slip by stating at the end of the report that this worm only affected Windows users!

      That was the only time.

      After that both the local and national news immediately STOPPED reporting on malware outbreaks.

      Interesting..

      In fact the regular news still does not report on security concerns anymore, a fact which was driven home by only one person I know (a curmudgeonly ancient geek like myself) having heard of Heartbleed.

      Apparently the media has not seen fit to report on this or other topics of iThingies/aThingies/router/thermostats/cars/software/etc. security flaws to regular folks at all..

      They don't want to scare the consumer units I'm guessing, but I find it interesting that as far as I know, there are no news reports outside of specialized outlets on flaws in our basic internet infrastructure.

      They do, from what my sister tells me, report on credit card problems with Target, the Home Depot, Goodwill et al, but these are covered on a case by case basis. Not as a trend.

      I don't have a TV, so all my information about the media is second hand or through YouTube (thus selective) but the past six months of ever more rapid *deep infrastructure* flaw revelations is freaking me out.

      I suspect we are on an exponentially accelerating flaw discovery curve..

  13. David Lewis 2

    Double Speak

    "virtually no infections have been reported in the US, UK or other Five Eyes nations"

    is NOT the same as

    "virtually no infections have occurred in the US, UK or other Five Eyes nations"

    Just because something hasn't been reported doesn't mean it hasn't happened.

  14. Anonymous Coward
    Anonymous Coward

    Which MSFT 'critical update' was this delivered via?

  15. Anonymous Coward
    Anonymous Coward

    NSA bandwagon?

    Why is everyone hopping on the NSA bandwagon? Sure, they're responsible for a lot of spying. They're spies. They've been in excessive media highlights since Snowden.

    But let's look at this a moment.

    Regin. Could be the reverse of In Reg (or In registry). It is also a figure from Nordic mythology (Reginn)

    Hopscotch - game attributed to have originated in England.

    Legspin - a specific play used in the game Cricket.

    Willis - Risk analysis and cyber risk company based/founded in London. (note that a "customer" asked that there be no press release)

    Ericsson phones - Most widely distributed throughout Europe (at the height of Regin) and increased in China and APAC (Asia-Pacific).

    Ericsson is HQ'd in Stockholm. (So, Ericsson HQ in Stockholm, Ericsson is prime carrier/mover of the software, Software named after a figure in Nordic mythology) http://en.wikipedia.org/wiki/Regin

    The known distribution is highest in the APAC region, India, as well as, Eastern Europe... the three largest subscribers to Ericsson (Aside from China, which has tighter control on the available hardware)

    The Starbucks module coincides with the distribution locations as well. The higher points of distribution align with global Starbucks locations. The exception being North America, which has a low Ericsson distribution.

    Ericsson is the carrier. Starbucks being a primary source of spreading the infection (most likely due to insecure Wi-Fi hotspots)

    Hopscotch being the point to point transfer method, legspin being detection avoidance.

    GCHQ has already been in the cross hairs for spying on Belgium: (http://www.wired.com/2014/07/gchq-illegal-spying/)

    Vodafone telecom spying:

    http://www.theguardian.com/business/2013/aug/02/telecoms-bt-vodafone-cables-gchq

    Snowden & GCHQ/NSA:

    http://www.bbc.com/news/world-us-canada-23123964

    PRISM: (Note that PRISM, the NSA founded and GCHQ supported program, began in 2007. Regin detection noted as early as 2008)

    http://en.wikipedia.org/wiki/PRISM_(surveillance_program)

    GCHQ tapping India telecom cables:

    http://www.theregister.co.uk/2014/11/21/mastering_the_internet_snowden_disclosure/

    Amazingly enough, Regin uses C&Cs in those locations:

    C&C server IP Location Description

    61.67.114.73 Taiwan, Province Of China Taichung Chwbn

    202.71.144.113 India, Chetput Chennai Network Operations (team-m.co)

    203.199.89.80 India, Thane Internet Service Provider

    194.183.237.145 Belgium, Brussels Perceval S.a.

    My money is on GCHQ, rather than NSA, being behind this one (Though I'm not saying that the NSA didn't have a dog in this fight).
