Is Israel behind the ‘Regin’ cyber-threat?
by Asa Winstanley*
Last weekend the anti-virus company Symantec released details of a newly-detected piece of malware that it had intercepted and been decoding for some time. Several other anti-virus vendors released their own papers on this advanced piece of malicious software soon after.
“Regin”, a sophisticated spying tool, is highly likely to have been the work of a Western state, say experts. The malware can do things like take screenshots and steal passwords, or even take control of the mouse and keyboard.
According to Symantec: “The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.”
The sheer scale of work that has gone into this programme makes it unlikely that non-state, independent hackers are behind it. “It is likely that its development took months, if not years, to complete,” said Symantec, “and its authors have gone to great lengths to cover its tracks.”
Regin’s targets were found in 14 countries including Indonesia
Regin’s targets were found in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Syria and Russia, according to Kaspersky, a Russian anti-virus vendor. Symantec claims that the majority of the targeted machines were found in Russia and Saudi Arabia.
Although the anti-virus vendors have not named the culprit explicitly (absent a “smoking gun” they tend not to), my working assumption is that Israel is likely to have been involved in creating and/or operating this project. One expert told The Guardian that “there are no other countries I can think of” aside from the US, the UK or Israel who could have created Regin. I agree that these are the most likely culprits.
In May 2012, a very similar cyber-threat was exposed, dubbed Flame, or Flamer. Like Regin, Flame was designed to spy on (rather than sabotage, like another infamous piece of malware called Stuxnet) targeted computers. Like Regin, Flame was found on computers in states throughout the Middle East. Like Regin, Flame was crafted using a sophisticated and flexible modular design. Both Regin and Flame made advanced use of encryption to avoid detection for years.
America’s National Security Agency (NSA) and Israel
When I reported on the exposure of Flame in 2012, my conclusion was that it was most likely created by America’s National Security Agency (NSA), with the Israelis working as a junior partner in its engineering. They are also likely to have operated it.
The Israelis and the NSA also worked together on Stuxnet, the cyber-weapon which physically sabotaged an Iranian nuclear power facility in 2008 and 2009. As I detailed in my analysis at the time, Flame and Stuxnet, although very different in most respects, shared some identical code in certain key areas. It seems likely that the two were part of the same wave of cyber-war authorised by the George W. Bush and first-term Obama administrations.
Since then, the NSA whistle-blower Edward Snowden has confirmed that Stuxnet was co-authored by the NSA and Israel. It seems more than likely, then, that Flame was also created by America and Israel, and the similarities between Flame and Regin suggest that this new cyber-threat was also created by the two allies, especially when considering its targets.
Russian cyber security firm Kaspersky said in its analysis of Regin that the main victims were “telecom operators, governments, financial institutions, research organisations, multinational political bodies and individuals involved in advanced mathematical/cryptographical research.”
So, rather than the type of mass-surveillance typically favoured by the NSA (which, as we now know for a fact thanks to Snowden, hoovers up pretty much anything on the internet that it can get its hands on), Regin is more focused and choosy. Its modular design means that its capabilities can be expanded easily and targeted very specifically on custom missions.
Regin is capable of monitoring GSM base station controllers
Something that seems new to Regin is the way that it targets mobile phone networks too, according to Kaspersky: “One particular Regin module is capable of monitoring GSM base station controllers, collecting data about GSM cells and the network infrastructure.”
It’s too early to say who exactly is behind this new cyber-threat, but it is possible that Regin was used partially as a replacement for Flame. When the latter was exposed by Kaspersky in 2012, its controllers issued an emergency shutdown of the malware. Regin may have been used by the same attacker as a replacement.
The sheer complexity of Regin meant that it took years for the cyber-security firms to even understand what they had on their hands. This is why it was not revealed to the world until last weekend, despite the fact that it has been around since at least 2008, possibly even earlier.
Moreover, although it will now start to be targeted by anti-virus software, the full force of the threat has yet to be uncovered. Symantec, for one, believes that “many components of Regin remain undiscovered and additional functionality and versions may exist.”
Mi’raj Islamic News Agency (MINA)
*Asa Winstanley is an investigative journalist who lives in London. He is an associate editor with The Electronic Intifada.
Source: https://www.middleeastmonitor.com/articles/middle-east/15564-is-israel-behind-the-regin-cyber-threat