So, who *did* write the Regin malware?

Graham Cluley

CricketNo-one knows for sure who created the highly-sophisticated Regin malware that appears to have been spying on organisations in the telecommunications, energy and health sectors for some years.

What we do know, however, is that it appears to have been used in attacks against the European Commission, Belgian telecoms giant Belgacom and Belgian cryptography expert Jean-Jacques Quisquater.

Other victims appear to have included organisations in Russia, Saudi Arabia, Mexico, Iran, Syria, Pakistan, Afghanistan and Ireland – with telecoms companies apparently particularly finding themselves in the firing line.

Regin chart

What’s curious, as the above chart from Symantec reveals, is that some countries don’t make the chart at all.

For instance, none of the “Five Eyes” countries (Australia, Canada, New Zealand, the UK, and the United States) make an appearance.

If Regin was written by conventional cybercriminals it would seem strange for them to avoid such potential rich targets.

So, chances are, it wasn’t written by traditional cybercrooks. Regin, it is widely suspected, was written by an intelligence agency.

So, if the suspicion that a state-sponsored actor is responsible for Regin is correct, who was it?

The truth is, I don’t know. Attribution of attacks is always tremendously difficult. But let me put it this way – I wouldn’t be at all surprised if the UK’s GCHQ and/or the NSA were involved.

And I’m not in anyway dissuaded as more clues come to light, such as those included in this tweet from Costin Raiu, a security researcher at Kaspersky Lab:

For those who don’t know Leg spin is a cricket term, and Bob Willis was a famous English cricketer (and is now a well-known commentator on the game).

America isn’t known for its love of cricket. England is. But it hardly has a monopoly on love for the sound of leather on willow. After all, Australia, India, Pakistan and some Caribbean islands have been known to be quite partial to wasting days on end watching a game which may very well end in a draw.

So, is it possible that Regin was coded by a GCHQ operative who is also a cricket obsessive, or someone else who is trying to point the blame in that direction?

You decide.

Further reading on Regin:

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

10 Replies to “So, who *did* write the Regin malware?”

  1. amazing targetting since its believedto have been in the wild at least 6 years. Really surprised theres been no collateral infection outside of the targets.

    1. i find the targets interresting, since when is the european parliament funding terrorism? (one of the first believed to be targets that has been found been belgacom (belgian isp). which is hosting part of the networks of the eu)

  2. So, why *did* you moderate the Regina reply? Flippant, libellous, offensive? I was actually serious.

    1. Keep your hair on old bean. If you've never had an approved comment on the site before you go into a holding pen, where (eventually) I will approve your comment unless you are spamming or likely to cause offence.

      Sometimes it takes me a while to clear the holding pen for new commenters, but I get there eventually.. :)

  3. Um, if I was smart enough to write Regin I *might* be smart enough not to leave pointers to my nationality.

  4. Malware that is able to spread to specific targets and not hit others by 'mistake' ? Now that is… interesting. It is especially interesting if a nation managed it… because let's be honest: there is a reason the malware (etc.) black market is so strong and countries purchasing from (them) is one of those reasons (and last I knew the US Is one of the top spenders although I admit I'm not sure where the reference was… and it was a few years back). You (i.e., the victims) can point the finger but the reality is it isn't that simple (and the fact nations do that back and forth at each other only makes it worse… even if it is the case some times, if they have no other evidence aside from IP addresses – which means little – then they are playing blame game at an international level).

    Let's also be honest here on the subject of pointing the finger and a certain worm: Robert Tappan Morris made the infamous Morris Worm appear to come from another school… and if it wasn't for some miscalculations on his part (and therefore causing a DoS on the systems… more like complete halt), he might have had more luck getting away with it.

    Incidentally though, his father, as far as I'm aware, was head of a department of the NSA (or maybe it was a division of). While this is perhaps a coincidence, many still believe the NSA is only doing (whatever) in recent years… but make no mistake, it isn't anything new. Still, it is amusing.

  5. India? Pakistan? Jamaica? Niger, the huge country between Libya and Nigeria? "Niger" spelled backwards is Regin. Okay, I am obviously just guessing, and motive remains unclear in any case.

    This is unsettling though: "Regin detected at the Atomic Energy Agency in Vienna"
    http://mobil.derstandard.at/2000008742912/Spionagesoftware-Regin-nahmAtomenergiebehoerde-in-Wien-ins-Visier

  6. Nobody is even going to consider that the reason whomever wrote this code designed it to not attack the "Five Eyes" in an effort to stay below the radar? Im gonna take a guess and venture to say that if this were not a feature of the malware it may well have been exposed a long time ago. I dont know who is responsible, but my money is on anyone but Can., U.S., Aus., etc.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES