So, who *did* write the Regin malware?

No-one knows for sure who created the highly-sophisticated Regin malware that appears to have been spying on organisations in the telecommunications, energy and health sectors for some years.

What we do know, however, is that it appears to have been used in attacks against the European Commission, Belgian telecoms giant Belgacom and Belgian cryptography expert Jean-Jacques Quisquater.

Other victims appear to have included organisations in Russia, Saudi Arabia, Mexico, Iran, Syria, Pakistan, Afghanistan and Ireland - with telecoms companies apparently particularly finding themselves in the firing line.

Regin chart

What's curious, as the above chart from Symantec reveals, is that some countries don't make the chart at all.

For instance, none of the "Five Eyes" countries (Australia, Canada, New Zealand, the UK, and the United States) make an appearance.

If Regin had been written by conventional cybercriminals, it would seem strange for them to avoid such potentially rich targets.

So, chances are, it wasn't written by traditional cybercrooks. Regin, it is widely suspected, was written by an intelligence agency.

So, if the suspicion that a state-sponsored actor is responsible for Regin is correct, who was it?

The truth is, I don't know. Attribution of attacks is always tremendously difficult. But let me put it this way - I wouldn't be at all surprised if the UK's GCHQ and/or the NSA were involved.

And I'm not in any way dissuaded as more clues come to light, such as those included in this tweet from Costin Raiu, a security researcher at Kaspersky Lab:

For those who don't know, leg spin is a cricket term, and Bob Willis was a famous English cricketer (and is now a well-known commentator on the game).

America isn't known for its love of cricket. England is. But it hardly has a monopoly on love for the sound of leather on willow. After all, Australia, India, Pakistan and some Caribbean islands have been known to be quite partial to wasting days on end watching a game which may very well end in a draw.

So, is it possible that Regin was coded by a GCHQ operative who is also a cricket obsessive, or someone else who is trying to point the blame in that direction?

You decide.

Further reading on Regin:


10 Responses

  1. Martin Hepworth

    November 27, 2014 at 6:37 am

    Amazing targeting, since it's believed to have been in the wild at least 6 years. Really surprised there's been no collateral infection outside of the targets.

    • olli in reply to Martin Hepworth.

      November 27, 2014 at 11:09 am

      I find the targets interesting. Since when is the European Parliament funding terrorism? (One of the first believed targets that has been found was Belgacom (a Belgian ISP), which is hosting part of the networks of the EU.)

  2. Peter Edmunds

    November 27, 2014 at 6:55 am

    Really? Seriously, who needs to ask? Cricket AND Regin … Regina … Elizabeth Regina.

  3. Peter Edmunds

    November 27, 2014 at 8:44 am

    So, why *did* you moderate the Regina reply? Flippant, libellous, offensive? I was actually serious.

    • Graham Cluley in reply to Peter Edmunds.

      November 27, 2014 at 9:22 am

      Keep your hair on, old bean. If you've never had an approved comment on the site before, you go into a holding pen, where (eventually) I will approve your comment unless you are spamming or likely to cause offence.

      Sometimes it takes me a while to clear the holding pen for new commenters, but I get there eventually... :)

      • Peter Edmunds in reply to Graham Cluley.

        November 27, 2014 at 9:56 pm

        I've donned sackcloth and ashes :)

  4. BillBlagger

    November 27, 2014 at 10:57 am

    Um, if I was smart enough to write Regin I *might* be smart enough not to leave pointers to my nationality.

  5. Coyote

    November 30, 2014 at 3:34 pm

    Malware that is able to spread to specific targets and not hit others by 'mistake'? Now that is… interesting. It is especially interesting if a nation managed it… because let's be honest: there is a reason the malware (etc.) black market is so strong, and countries purchasing from (them) is one of those reasons (and last I knew the US is one of the top spenders, although I admit I'm not sure where the reference was… and it was a few years back). You (i.e., the victims) can point the finger, but the reality is it isn't that simple (and the fact nations do that back and forth at each other only makes it worse… even if it is the case sometimes, if they have no other evidence aside from IP addresses – which means little – then they are playing the blame game at an international level).

    Let's also be honest here on the subject of pointing the finger and a certain worm: Robert Tappan Morris made the infamous Morris Worm appear to come from another school… and if it wasn't for some miscalculations on his part (and therefore causing a DoS on the systems… more like complete halt), he might have had more luck getting away with it.

    Incidentally though, his father, as far as I'm aware, was head of a department of the NSA (or maybe it was a division of). While this is perhaps a coincidence, many still believe the NSA is only doing (whatever) in recent years… but make no mistake, it isn't anything new. Still, it is amusing.

  6. Ellie Kesselman

    December 1, 2014 at 1:21 am

    India? Pakistan? Jamaica? Niger, the huge country between Libya and Nigeria? "Niger" spelled backwards is Regin. Okay, I am obviously just guessing, and motive remains unclear in any case.

    This is unsettling though: "Regin detected at the Atomic Energy Agency in Vienna"
    http://mobil.derstandard.at/2000008742912/Spionagesoftware-Regin-nahmAtomenergiebehoerde-in-Wien-ins-Visier

  7. Joe Lowe

    December 6, 2014 at 10:26 am

    Nobody is even going to consider that the reason whoever wrote this code designed it to not attack the "Five Eyes" was in an effort to stay below the radar? I'm gonna take a guess and venture to say that if this were not a feature of the malware it may well have been exposed a long time ago. I don't know who is responsible, but my money is on anyone but Can., U.S., Aus., etc.
