Post by Wes Gear on Jan 30, 2015 23:20:52 GMT 10
Cyber sleuths find 'smoking gun' linking British spy agency to Regin malware
Ever since the sophisticated and unprecedented cyberattack platform called "Regin" was uncovered in November, cyber sleuths have been working hard to put together all the pieces of this complicated puzzle.
Regin was like a dinosaur: many researchers found some of its bones throughout the years, but no one had the full skeleton, as a researcher put it at the time. Now, thanks to newly published Edward Snowden documents, some researchers might have found the smoking gun that conclusively connects the dinosaur to a specific spy agency, the British Government Communications Headquarters (GCHQ), a close ally of the National Security Agency (NSA).
Less than two weeks ago, Der Spiegel published a new trove of Snowden documents, exposing a series of previously unknown cyberweapons at the disposal of spies from the so-called "Five Eyes," the five countries that have a special relationship and share intelligence information with each other (U.S., UK, Australia, New Zealand, Canada).
Among the documents, the German magazine also released the code belonging to a type of malware called QWERTY, designed to monitor the keystrokes on a victim's computer.
When Kaspersky Lab researcher Costin Raiu saw the code, he immediately spotted a pattern and thought: "that's a Regin plugin!"
"I remember the strings from most of the couple hundred Regin plugins by heart," he told Mashable, adding that Kaspersky is in possession of "several hundred" plugins from the Regin framework.
After analyzing both QWERTY and Regin's 50251 plugin, Raiu and fellow researcher Igor Soumenkov concluded that the two files share a "significant" portion of the code and have the same functionality. For the two researchers this is "solid proof" that QWERTY is part of Regin.
While the researchers at Kaspersky did not want to point fingers, other independent researchers have no doubts: this is proof that GCHQ, and perhaps its spy allies of the Five Eyes, are behind Regin.
"This really is a smoking gun: a piece of code in the Snowden archive is substantially identical in key ways to a captured Regin keylogging module, including both a large block of identical binary," Nicholas Weaver, a computer science researcher at Berkeley University, told Mashable.
Claudio Guarnieri, an independent security researcher who worked with The Intercept to analyze Regin malware, pointed out that inside a QWERTY file there's a reference to a Five Eyes program called "WARRIORPRIDE," along with a reference to the Australian Signals Directorate (ASD), previously known as the Defense Signals Directorate (DSD).
So, based on Kaspersky's analysis, "if QWERTY is WARRIORPRIDE, and QWERTY is Regin, then Regin is WARRIORPRIDE," he told Mashable.
What this means is that Regin is probably a framework developed and shared among all the Five Eyes spy agencies, who call it WARRIORPRIDE, he said.
Each of the spy agencies then uses this framework for its own cyberattacks and intelligence operations, developing custom plugins, Guarnieri explained in a thorough blog post on Tuesday.
Additional proof of this theory is a line contained in a Snowden document published by Der Spiegel.
Read More.
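The article's evidence rests on two kinds of overlap between the leaked QWERTY code and a captured Regin module: printable strings both files contain (the WARRIORPRIDE and ASD references) and a long run of byte-for-byte identical binary. The script below is an added illustration of that analysis, not the article's or Kaspersky's own tooling; the two "samples" are constructed byte strings, not the real QWERTY or Regin 50251 modules, and the thresholds are assumptions chosen for the example.

```python
"""Code-reuse comparison between two binary samples.

Added example, not from the article or from Kaspersky's analysis.  The samples
below are constructed byte strings that stand in for two plugins built on a
shared framework; they are not the real QWERTY or Regin files.
"""
import re

MIN_STRING_LEN = 6   # assumption: shorter printable runs are mostly noise
MIN_BLOCK_LEN = 32   # assumption: shorter identical runs occur by chance

# Constructed shared "core": 400 bytes, all >= 0x80 so none are printable ASCII.
CORE = bytes((i * 37 + 11) % 128 + 128 for i in range(400))

# Constructed samples: different wrappers around the same core.
SAMPLE_A = (b"MZ\x90\x00" + b"\x01" * 50 + b"WARRIORPRIDE\x00" + b"\x05"
            + CORE + b"\x06" + b"ASD-plugin\x00" + b"\x02" * 30)
SAMPLE_B = (b"MZ\x90\x00" + b"\x03" * 20 + b"keylog_worker\x00" + b"\x07"
            + CORE + b"\x08" + b"WARRIORPRIDE\x00" + b"\x04" * 60)


def extract_strings(data, min_len=MIN_STRING_LEN):
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def shared_strings(a, b, min_len=MIN_STRING_LEN):
    """Strings present in both samples, sorted for stable reporting."""
    return sorted(set(extract_strings(a, min_len)) & set(extract_strings(b, min_len)))


def longest_common_block(a, b):
    """Longest run of identical bytes: (length, offset_in_a, offset_in_b).

    Classic longest-common-substring dynamic programme over bytes, kept to two
    rows so memory stays O(len(b)).  Fine for small samples; real tooling uses
    rolling hashes or suffix structures for multi-megabyte files.
    """
    best_len = best_a = best_b = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        ai = a[i - 1]
        for j in range(1, len(b) + 1):
            if ai == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len = cur[j]
                    best_a = i - best_len
                    best_b = j - best_len
        prev = cur
    return best_len, best_a, best_b


def similarity_report(a, b):
    """Summarise the two indicators an analyst would cite for code reuse."""
    length, off_a, off_b = longest_common_block(a, b)
    return {
        "shared_strings": shared_strings(a, b),
        "longest_common_block": {"length": length, "offset_a": off_a, "offset_b": off_b},
        "block_is_significant": length >= MIN_BLOCK_LEN,
        # fraction of the smaller file covered by the single largest shared run
        "shared_fraction": length / min(len(a), len(b)),
    }


if __name__ == "__main__":
    for key, value in similarity_report(SAMPLE_A, SAMPLE_B).items():
        print(f"{key}: {value}")
```

Running it on the constructed samples reports WARRIORPRIDE as the one string both files carry and a 400-byte identical block, which is the shape of evidence the researchers describe; the wrapper-specific strings ("ASD-plugin", "keylog_worker") stay unique to each file, matching the idea of per-agency plugins built on a common framework.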