
Those who do not remember history...
It was injected into systems at Belgian telecoms outfit Belgacom around 2010,
Let me guess. Via a LinkedIn Spearfish?
All you need is to add 2 and 2 here.
After Symantec published its report on the Regin super-spyware, there were many questions raised. Who coded it? What can it do? And – above all – why did it take so long for security vendors to notice it? Regin is a sophisticated piece of software. It can be customized for particular missions by inserting into its framework …
I wonder if the persons who wrote this (and presumably know what it's for) sleep well at night.
It might not be an actual weapon with a trigger firing metal slugs, but it's still pretty damn close.
But of course we know it's there to protect the general public against terrorists, so now at least we get to sleep better at night.
If you were working on something like this, you should probably know that development would be compartmented all to hell, you'd never know exactly what it is you were actually doing. Only the sysadmin, the devops manager, and maybe even security might have an inkling. However I doubt the sysadmins really know any longer.
...what exactly is it about a piece of (even significantly complex) software that makes it the privilege of "nation states" only? A couple of guys in front of a bunch of computers day in and day out for years is simply called "pretty much any software project you can think of" - sure, it's not something a "hobbyist" would afford but why would it be beyond the financial clout of any vaguely large-ish business...? It's not like even complex malware requires a dozen supercomputers to write or something...! Okay, so these probably are pretty smart guys, but are you really saying running them would be more expensive than running, say, a football team (a popular pastime these days even among well-off individuals, FFS!)...?
Motivation, m'boy, motivation.
For anything other than a nation state, it would be financial gain. Regin is an improbable means.
For nation states, paranoia + aggression + espionage = power. Eureka!
(Fortunately, the protections of the Constitution of the United States precludes any such ... ? ... )
There are non-nation state groups out there who have the capability to build and deploy sophisticated malware/spyware/whatever-ware. Financial gain is not just about ripping credit card details, but also about knowledge, and knowledge is power. The same sort of information that police and security services look for is also useful to criminal and other organisations. A little bit of insider trading, put a competitor out of business, infiltrate law enforcement and so on. Cat and mouse is right, but who is the cat and who is the mouse will never be black and white.
Still, no matter what, the AV vendors make money. Perhaps the conspiracy theorists should follow the money and see who makes the most out of malware. Just think how much harder it would all be if we didn't mostly use Windows and x86. I assume that if they think Linux and Solaris, presumably the x86 variants, are vulnerable, then so is OSX. So there's a reason to think ARM, Power, Sparc etc.
There are other actors, at least when you remove power and money. Ideology, conscience, and ego are also in the mix. The question I would like to ask is: are there any non-state/non-criminal actors that can pull it off and, if so, what are the resources (human and other) required to pull it off?
For all that, I have a real short list: NSA, GCHQ, & Israel. (Israel could be supporting the other two for favors received.) Maybe Russia, but I seriously doubt it.
I think it's Chinese after reading the Kaspersky technical paper on it, since none of the C&C servers they've seen are in China, but there is one in Taiwan, one in Brussels, and two in India. It makes it easy to claim NATO's doing it, especially with samples coming from Afghanistan and Iran. A little too easy I'd figure. Especially since there are no known samples from anywhere China may want to fuck with a little, like Taiwan, Vietnam, the Philippines, Japan, Russia, South Korea and the DPRK government, the US and the vast majority of NATO, etc. It's a little too convenient for my liking.
It could also be France, all of the countries that submitted samples are of an interest of France, and one country is very noticeably absent from the list, Iraq. France gives fuck all about Iraq. It was never their problem except when they were selling Saddam Hussein nuclear technology and nerve gas. I'd be interested to know if any of the European microstates have infections, especially Monaco.
However, it might be Five Eyes, and with Fiji and Kiribati being targeted it's sort of easy to believe (I believe New Zealand has responsibility for them), but then again, it's a little too obvious for anyone involved with UKUSA, especially with cryptonyms in the Virtual File Systems. NSA/CSS and I'm presuming GCHQ would strip it out. Also whoever it is isn't very familiar with UKUSA classification levels, because one of them looks like it is labeled as Unclassified just before a supposed cryptonym.
...what exactly is it about a piece of (even significantly complex) software that makes it the privilege of "nation states" only?
Its complexity means it was costly to develop, and most (other :) ) criminal outfits tend to look for a much quicker return on investment and focus on volume rather than specific, individual targets. Governments can much easier fund such an effort as it is covert, and thus most likely not subject to public oversight.
nahhh, that's too simple. media (aka software giants) need these mystery 'crises' to self-sustain themselves, maintain the public in a state of constant fear and give employment to the ones who cannot create systems that are impermeable to defeat or injection. since 99 percent of the users (is that too generous?) are actually honest and properly dazzled by the glut of software, internet traffic (aka useless advertising and hollywood junk) and desire to have the 'bestest and fastest' regardless of cost or actual functionality, then this one Regin thing has actually next to nothing for them to be concerned with. it's the people who derive financial gain, and control over others, that really shake in their boots when they find someone has been banging their bride behind their back, in their own bed. i agree, this could be a really smart attempt at truly subversive stealth by some real cornball MIT, Eton, Princeton type or even a 14 year old genius (like the sandy hook school massacre brat) with nothing else to do. some people just do it for fun, as a challenge. elevating this to 'nation state' status makes for great popular entertainment, at the nation state level at least. again, we are all swapping petabytes of code with no real 'sheriff' to keep the mayhem in check. why would anyone want to screw with communications companies anyway? (sarcasm off)
The simple answer to your question is money. Even the most well funded mafia organization cannot afford the sheer cost of it. Not just the smart people, but the literally tens of millions of dollars of IT equipment required. Something this complex needs to be tested against literally every possible iteration of the OSes involved, patching levels, AV scanners, hypervisor software, you name it.
If you think coding this sumbitch is hard, try to imagine what the QA is like on something that must be the digital equivalent of a trained ninja?
These take years to develop, massive QA efforts, constant maintenance and costly experts. That's a massive up front cost before you ever reap anything (knowledge, money, etc.) Unsustainable for any but the largest of the large.
What's more...the instant you're discovered, all that investment is so much dust in the wind. *pffft* gone. If you keep using it you risk being discovered. Since being covert about things was quite obviously the most critical element of its design, discovery means retirement...at least of the core dropper and execution platform.
And then there's the issue of what to do about all the people who had to work on this project? Governments have the resources to watch these people for the rest of time. Mafiosos don't. They could kill them all, but where do they get their next round of supernerds for their next round of cybercrime? If you whack everyone who works for you, you tend to get a bad rep as an employer...and you can't kidnap enough people to write software this big without causing an international manhunt.
So, let me put this to you another way: if this is anything other than a nation state's malware, we are all in very deep shit. Because it means that someone, somewhere has managed to overcome all (or at least most) of the problems I've listed above, and managed to commoditise the "cyber" equivalent of nuclear ordnance.
If that's the case, the internet's done for.
The reports don't mention anything about command & control, which is annoying - the Symantec one says that the compromised machine can initiate contact with the attacker so presumably they've seen evidence of this, but doesn't mention how or where this is done. An IP address? An IRC channel? I'm still frustrated by the lack of detail here.
(edit - found it elsewhere: http://blogs.cisco.com/security/talos/regin-campaign. Four IP addresses listed, one in Taiwan, two in India and one in Belgium)
OK, so we've been told for years not to see conspiracies under every bed, but this looks like the real thing to me. In other words, the antivirus guys have known about this, and other government sponsored malware, for years and have kept quiet because the government organisations have appealed to their sense of patriotism, or bribed them, or bullied them, or blackmailed them, or...
And they're coming clean now because they're afraid of a second Edward Snowden spilling the beans and ruining their anti-malware credibility.
I am sure they already have revamped it and are now many iterations ahead. From the look of things they were after timely intelligence at that given point in time and presumably they got it. Any further info from those sources would be mere background noise now and they would move on for legal, financial, operational or other issues.
I am sure that more sophisticated versions are out there and by leaving obsolete kit around for people to find they are muddying the waters and obfuscating other nasties that they have unleashed.
Perhaps this malware is itself a decoy, to keep people from even looking for the undetectable malware.
Now where did I put that hall of mirrors...
Proper paranoia HAS to be expensive... (searches for icon with Paris in a black helicoper)...
"Looking at the balance of probabilities, the possibility of Regin being the result of a non-nation-state coder is between slim and none," Thakur said.
Are you seriously trying to tell us that the coders behind the NHS patient records debacle or the MOD procurement process are somehow better than a couple of gifted and motivated amateurs? In fact, can you name a single piece of not-shit software that can be credited to a nation-state? Even BT's fucked up Phorm was written by a private entity.
"Are you seriously trying to tell us that the coders behind the NHS patient records debacle or the MOD procurement process are somehow better than a couple of gifted and motivated amateurs? In fact, can you name a single piece of not-shit software that can be credited to a nation-state? Even BT's fucked up Phorm was written by a private entity."
As a general rule, the "not shit" coders working for a state end up working for the spooks, or the banks. Unimportant things like health care get the mediocre of what's left. They don't really pay all that well to code for health care.
Plenty.
But what I wonder is why so much insistence on "only a state can write this"
No, we do not know for sure this is not the case; just because they do not know of enough competent low-level programmers doesn't mean it was a state. Unless they had help from the vendor: if they could only write it using non-public information from our MS friends, this is another matter.
But alas, all you need to create an undetectable malware is keep a very low profile.
But what I wonder is why so much insistence on "only a state can write this"
It's an assessment based on probability. To create something that complex needs a LOT of funding, and putting money in something creates an expectation that there is somewhere a return on investment. There are few entities large enough to risk a large dollop of cash on something that is at best uncertain in the returns category, but governments tend to have less of a problem with that. It's not really their money to start with, and covert ops budgets tend to be free from pesky scrutiny anyway so they can afford to take a punt and hide it with the other skeletons if it doesn't pay off.
I would suggest to be more accurate though: I think the actual statement is that only a state would COMMISSION this - I agree with others on this forum that such expertise is nowadays in private hands, so it's probably a subcontracted job with a boatload of threats to stop people from pulling a Snowden on the project and leaking it. But the complexity suggests state funding.
It just seems peculiar that the targets were limited in scope if we believe what we've heard. Big if there. An encryption expert, telecoms and power grid companies, with telecoms seeming to be the main. Not slurping the user throughput such as phone calls but the inner workings. Very strange indeed.
Actually, the targeting - more than the code quality - suggests a nation origin. Telecom and power dispatch systems in workings, as well as encryption experts, paints a very specific picture. Presumably with adequate knowledge of those areas you can 1) disrupt power distribution over any geographic scale; 2) disrupt or intercept communications over any geographic scale, and 3) encrypt securely, or potentially decrypt encrypted information with proper information regarding how the data was encrypted.
Project Seti has looked in the wrong place for ET life. It turns out they have been looking at us.
The cunning part is how they get their results back to Alpha Centauri, or the Andromeda galaxy.
Why the secrecy? Remember that when the first pulsar was discovered, and was thought to be an ET clock signal, the facts were kept secret for six months. The lamest excuses were given when things were published.
Unlikely to be a corporate job, as others have pointed out the return on investment just wouldn't be there and the size of the team required would mean leaks and a loss of secrecy almost immediately. The resultant publicity would be a disaster. Only a nation state or a very dedicated and small team could keep a secret like this. I'd rule out a small private team as why would they write this with unclear benefits and not just go for the money with more traditional spyware, ransom-ware etc?
It's looking like cyber-warfare practice by the Russians or the Americans to me; power & telecoms would be the best targets for disruption.
While I'm slightly inclined to agree, the only thing wrong with that is that there have been no samples from Iraq or other places of Five Eyes interest. If it was Five Eyes, you'd better bet your ass there'd be targets in Iraq, Russia, Ukraine, Cuba, Quebec, the United States, the UK, and China, and quite a number of them.
However, with Fiji, Kiribati and Indonesia being targeted, it does seem a bit Aus/NZ-ish. That could be just to throw people off though; it's not really possible to say until more samples are found.
Might also be France or China, see my comment above.