Regin Espionage Malware: A Closer Look

APT Analysis Reveals Simple Components

By Mathew J. Schwartz, January 23, 2015.

Security researchers at anti-virus vendor Kaspersky Lab have released more information about two of the modules associated with the Regin malware, which many believe to be a surveillance tool designed to conduct espionage (see Regin Espionage Malware: 8 Key Issues).

The identity of Regin's creators or users has yet to be proven. But whoever built the malware appears to have inadvertently left some clues. "With high-profile threats like Regin, mistakes are incredibly rare. However, when it comes to humans writing code, some mistakes are inevitable," Kaspersky Lab information security researchers Costin Raiu and Igor Soumenkov say in a blog post. "Among the most interesting things we observed in the Regin malware operation were the forgotten codenames for some of its modules."

But details on Regin attacks remain scarce. In a November 2014 report, Symantec said it had seen fewer than 100 related attacks to date, largely focused on Russia and Saudi Arabia. Kaspersky Lab, meanwhile, counted 27 victims - including some unnamed, large entities or networks - across 14 countries, including Afghanistan, Belgium, Germany, India, Pakistan, Russia and Syria.

Whoever built Regin also appears to have been engaged in related efforts for some time. While security researchers had previously traced samples of the malware recovered in the wild back to 2008, at least one of the related malware modules - which also works in stand-alone mode - appears to have been first compiled in 2003, according to Kaspersky Lab.

Potential Clues

The codenames recovered by Kaspersky - which include "Hopscotch," "Legspin" and "Willischeck" - may offer clues about Regin's builders. Virus Bulletin editor and security researcher Martijn Grooten has noted via Twitter: "'Leg spin' is a cricket term. In case you want to speculate whether NSA or GCHQ is behind #Regin." Some U.K. commentators have also noted that Willis may well refer to a famous British cricket player - turned commentator - named Bob Willis.

Many security experts have suggested that the United States and the United Kingdom - which are part of the Five Eyes surveillance intelligence alliance - may have collaborated to build Regin. Multiple news reports have also tied the malware to the hack of Belgian telecommunications firm Belgacom, as well as the European Parliament, and some reports suggest those attacks were the work of the U.S. National Security Agency and the UK's GCHQ intelligence agency (see Espionage Malware Alert Sounded).

Regin's History

Information about Regin first became public when Symantec released its November 2014 report, which offered the first-ever detailed technical analysis of the malware. "Regin bears the hallmarks of a state-sponsored operation and is likely used as an espionage and surveillance tool by intelligence agencies," Symantec said.

Fellow anti-virus vendors F-Secure and Kaspersky Lab, which had also been investigating the APT tool, in turn quickly issued their own reports.

Having three reports on an advanced espionage tool appear in such a short time, for an APT campaign that appeared to have been operating for at least eight years, led some security experts to question the anti-virus vendors' timing (see AV Firms Defend Regin Alert Timing). But all three firms have defended the timing of the release of their reports, saying that it took substantial effort to identify and then analyze the APT. Researchers added that they didn't even begin paying close attention to Regin - which was designed to escape detection - until they recovered a more advanced version in 2013.

Module Analysis