Researchers have uncovered a new evidence that a powerful computer program discovered last year, called "Regin", is "identical in functionality" to a piece of malware used by the National Security Agency (NSA) and its Five Eyes allies.
"Regin" is a highly advanced, sophisticated piece of malware the researchers believe was developed by nation state to spy on a wide-range of international targets including governments, infrastructure operators and other high-profile individuals since at least 2008.
Regin was first discovered in November 2014 by the researchers at antivirus software maker Symantec and was said to be more sophisticated than both Stuxnet and Duqu.
The malware alleged to have been used against targets in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Russia and Syria, among others.
The recent evidence comes from the journalists at Der Spiegel who published the source code for a malicious program code-named 'QWERTY' – "a piece of software designed to surreptitiously intercept all keyboard keys pressed by the victim and record them for later inspection."
The malicious program was revealed earlier this month when Der Spiegel magazine published
a detailed article on the US National Security Agency's cyber espionage operations based on documents obtained from the former NSA contractor Edward Snowden
program is included in the malware products used by the NSA and other intelligence agencies worldwide that are part of the Five Eyes Alliance (US, Australia, Canada, New Zealand and the United Kingdom
) in order to eavesdrop and conduct destructive cyber operations on targets.
After examining QWERTY’s code, the security analysts at Kaspersky Labs concluded that the keylogger’s source code can be linked to 'Regin,' and that the malware developers of QWERTY and Regin are either the same, or work closely together.
Moreover, the researchers also found that both QWERTY and the 50251 plug-in depend on a different module of the Regin platform identified as 50225 which relies on kernel hooking functions. This strongly proves that QWERTY can only operate as part of the Regin platform.
"Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together," Costin Raiu and Igor Soumenkov, researchers at Kaspersky’s Securelist blog, said on Tuesday.
Der Spiegel reported that QWERTY is likely a plug-in of a unified malware framework codenamed WARRIORPRIDE that is been used by all Five Eye partners. Also, it is several years old and has likely already been replaced.
However, the link between QWERTY and Regin suggests that the cyber espionage malware platform, security researchers call Regin, is none other than WARRIORPRIDE.
Regin tool has also been linked to hacks which targeted the International Atomic Energy Agency based in Austria and the 2011 attack on European Commission computers, Spiegel said.