    Links Exposed Between Regin Malware and NSA QWERTY Spy Tool

    New evidence has emerged linking the infamous cyber-weapon Regin malware, used for more than a decade to spy on businesses, government agencies and private individuals, to a National Security Agency keylogging program.

    Spiegel International published an article earlier this month based on a series of documents made public by whistleblower Edward Snowden that described an elaborate digital weapons program the U.S. is developing to combat cyber terrorism. Included in Snowden’s disclosures was a sample of the source for QWERTY, a malware keylogging program developed by the NSA for spying.

    Experts at Russian IT security company Kaspersky compared the pages of code to what they had in their archives. What they found was that it matched the code used in a devastating cyber attack that occurred last November.

    “We’ve obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin,” Kaspersky researchers wrote Tuesday in a blog post. “Looking at the code closely, we conclude that the ‘QWERTY’ malware is identical in functionality to the Regin 50251 plugin.”

    Last fall, Kaspersky and Symantec, the U.S. cyber security company, discovered Regin, a “highly complex” backdoor program that had been in circulation for ten years, which had been used to attack computers in Russia, the U.S., Germany, Belgium, Brazil, Afghanistan, and even Ireland. They called it a “top-tier espionage tool” and the most dangerous cyber-weapon since Stuxnet, the notorious malware program used to attack the Iranian nuclear program in 2010.

    "We are certain that we are looking at the keylogger-module from Regin," said Costin Raiu, head of research for Kaspersky, when looking at QWERTY’s source code published by Spiegel.

    “Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source code, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” the researchers said.

    Though Kaspersky stopped short of commenting on the identity of the malware’s creator, the new analysis strongly hints at the Five Eyes alliance, which includes the US, Britain, Canada, Australia and New Zealand, according to Spiegel.

    Kaspersky isn’t the first to make the connection. Regin malware was linked to the attack on Belgian telecom company Belgacom, a target of British intelligence agency GCHQ, in 2013. Ronald Prins, a Dutch security expert, told Spiegel two years prior that Regin “appeared to be a tool belonging to the NSA and GCHQ.”

    Other known targets of Regin are consistent with Five Eyes surveillance targets as disclosed by Snowden leaks, according to Spiegel. 

    Kaspersky also points out that there are many references to cricket, a hugely popular sport in the Commonwealth, within the QWERTY code.
