News of an extremely advanced malware attack on Belgacom, members of the European Union and a well-known Belgian cryptographer, has been downplayed by stakeholders in the information security (infosec) industry.
Meanwhile, IT security experts involved with the Belgacom case are convinced the attack is state-sponsored, with the NSA in the US and GCHQ in the UK the most likely orchestrators, according to a report by The Intercept.
“Having analysed this malware and looked at the previously published Snowden documents, I’m convinced Regin is used by British and American intelligence services,” said Ronald Prins from security specialist Fox IT, which was hired by Belgacom to rid its systems of the malware, in the report.
Symantec’s report certainly does not play down the sophistication of the malware, claiming it combines many of the most advanced techniques ever seen. It goes on to liken its approach to that of Stuxnet, a state-sponsored form of malware deployed by the USA and Israel to shut down an Iranian nuclear power station in 2010.
“The main purpose of Regin is intelligence gathering and it has been implicated in data collection operations against government organisations, infrastructure operators, businesses, academics and private individuals. The level of sophistication and complexity of Regin suggests that the development of this threat could have taken well-resourced teams of developers many months or years to develop and maintain,” the report stated.
The date of origin of Regin seems to be a point of contention in the industry. Symantec claims the malware originated in 2008, Kaspersky Labs’ global research and analysis team reckons early traces of the virus became known in 2003, and a Telecoms.com source from the infosec industry told us that it was around even before then.
Finnish security vendor F-Secure says it came across the virus in 2009, and claims it’s a purely cyber-espionage toolkit used for intelligence gathering. “It’s one of the more complex pieces of malware around, and just like many of the other toolkits it also has a long history behind it. We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe,” the firm says on its website.
“The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with an innocuous name of ‘pciclass.sys’ seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin.”
Since Symantec came out with its whitepaper this week, Kaspersky and F-Secure have both done the same. Now that Regin is firmly back in the spotlight, a number of other security firms are likely to pitch their stance too.
Our aforementioned source remains unconvinced, however, and believes the Regin threat is one that has come and gone. After all, the Belgacom incident took place in 2010, and we have yet to see any form of persistence with the threat made public in the years since. Infosec vendors are at the epicentre of the malware’s re-emergence in the public domain, and one wonders whether this simply comes down to publicity hype ahead of an announcement of new products and services aimed at tackling the malware.