Intel groups suspected in Regin virus

November 25, 2014

Software analysts seem to agree that the Regin malware program is so advanced and discreet that it was most likely produced by an intelligence agency. The now-infamous initials NSA and GCHQ are being bandied about.

Computer security firms Symantec, Kaspersky, and Fox IT have all issued preliminary findings on the Regin malware program, since Symantec first raised the public alarm on the virus on Sunday.

"Regin is a highly complex threat which has been used in systematic data collection or intelligence-gathering campaigns," Symantec said in a paper on the virus published late Monday. "The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation-state is responsible."

Symantec virus hunter Candid Wüest told DW that it was "quite clear that this is a mass-surveillance tool," detailing the Trojan's advanced data-gathering capabilities. He also noted that the major targets of the program, found in the greatest concentration in Russia and Saudi Arabia, offered potential clues as to the country of origin.

The Kaspersky Lab similarly spoke of "mind-blowing" sophistication in its report, saying it now believes that it first saw a version of Regin in 2012. In Finland, Antti Tikkanen from F-Secure perhaps came the closest to dropping a name: "Our belief is that this malware, for a change, isn't coming from Russia or China."

An unidentified state security source warned the Financial Times that the target countries could prove a red herring, saying: "Certain states and agencies may well use tools of this sort domestically."

Dutch expert convinced

German news magazine Der Spiegel reported on Tuesday that Ronald Prins, the head of Dutch computer security firm Fox IT, was "sure" that either the US National Security Agency or its UK equivalent, GCHQ, was the most likely source of the malware. According to the report, Prins was confident he had found elements within the Regin architecture that are explicitly mentioned in now-public NSA documents listing its tools, namely Straitbizarre and Unitedrake.

Online magazine The Intercept, founded by journalist and erstwhile Edward Snowden confidant Glenn Greenwald, reported that the virus had been used for the alleged GCHQ cyberattacks on Belgacom and some EU computer systems.

The information made public by the former NSA contractor Snowden last year revealed the close working relationship within the "Five Eyes" alliance of Anglophone countries, especially between Britain and the US.

The Stuxnet virus discovered in 2010, targeting Iran's nuclear facilities in particular, is now broadly believed to have been a US-Israeli development aimed at Tehran, according to stories reported in outlets including The New York Times and Washington Post. Regin appears, unlike Stuxnet, to focus entirely on the gathering of information, rather than sabotage, Symantec's Wüest told DW.

msh/mkg (AFP, AP, dpa)