Spiegel International published an article earlier this month based on a series of documents made public by whistleblower Edward Snowden that described an elaborate digital weapons program the U.S. is developing to combat cyber terrorism. Included in Snowden’s disclosures was a sample of the source for QWERTY, a malware keylogging program developed by the NSA for spying.
Experts at Russian IT security company Kaspersky compared the pages of code to what they had in their archives. What they found was that it matched the code used in a devastating cyber attack that occurred last November.
Last fall, Kaspersky and Symantec, the U.S. cyber security company, discovered Regin, a “highly complex” backdoor program that had been in circulation for ten years, which had been used to attack computers in Russia, the U.S., Germany, Belgium, Brazil, Afghanistan, and even Ireland. They called it a "top-tier espionage tool" and the most dangerous cyber-weapon since Stuxnet, the notorious malware program used to attack the Iranian nuclear program in 2010.
"We are certain that we are looking at the keylogger-module from Regin," said Costin Raiu, head of research for Kaspersky, when looking at QWERTY’s source code published by Spiegel.
“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source code, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” the researchers said.
Though Kaspersky stopped short of commenting on the identity of the malware’s creator, the new analysis strongly hints at the Five Eyes alliance, which includes the US, Britain, Canada, Australia and New Zealand, according to Spiegel.
Kaspersky isn’t the first to make the connection. Regin malware was linked to the attack on Belgian telecom company Belgacom, a target of British intelligence agency GCHQ, in 2013. Ronald Prins, a Dutch security expert, told Spiegel two years prior that Regin “appeared to be a tool belonging to the NSA and GCHQ.”
Other known targets of Regin are consistent with Five Eyes surveillance targets as disclosed by Snowden leaks, according to Spiegel.
Kaspersky also points out that there are many references to cricket, a hugely popular sport in the Commonwealth, within the QWERTY code.