Computer security industry adds state agencies to global malware blacklist

Against the backdrop of Edward Snowden's revelations of the UK's GCHQ mass data-harvesting from cables linking Ireland to Britain and North America, the multibillion-dollar computer security industry has become locked in a perpetual cat-and-mouse arms race – not just with vandals, activists and cybercriminals, but now with state agencies and their sophisticated spyware aimed at Windows systems, tablets and smartphones.

These highly sophisticated and stealthy APTs (advanced persistent threats) specifically target foreign government organisations, military installations, defence contractors and research institutions. But they can also quietly log our movements, potentially transforming the world’s mobile phones into multimedia bugging devices.

Discovered in the past five years, APTs such as GhostNet, Shady Rat and Operation Aurora (believed to be Chinese) have attacked western cloud computing firms, banks, defence and aerospace corporations as well as dissidents.

Red October and Turla are believed to be Russian, while in recent weeks and months, other suspected Russian-backed groups have hacked the White House, Ukraine, Georgia, the Caucasus and other former eastern bloc countries, as well as Nato and defence contractors across Europe.

Western agencies such as the NSA, GCHQ and Israeli military intelligence have been widely credited with ingenious platforms such as Flamer, which hit systems and individuals all over the Middle East, mainly Iran; it was reportedly primed for turning infected computers into "Bluetooth beacons", sucking data from nearby devices.

In February this year, experts extolled The Mask (supposedly of Spanish origin) as more ingenious still. It targeted embassies, energy companies and research organisations from Morocco to Brazil.

Attack in Iran

In 2010, Stuxnet, the notorious worm, was reported as having taken control of industrial systems in Iran’s uranium enrichment plant at Natanz, and, by interfering with speed-settings, damaged up to 20 per cent of their centrifuges.

Credited as the world’s first real cyberweapon, Stuxnet set off existential fears of a Pandora’s toolbox which, in the wrong hands or during wartime, could take down air-traffic control systems, power grids, water-treatment plants and the like.

Now experts seem to agree that the latest cyberespionage tool, Regin, is one of the most sophisticated attack platforms ever analysed.

Symantec, owner of Norton Anti-Virus, revealed the existence of Regin globally on November 23rd as a "groundbreaking and almost peerless" intelligence-gathering stealth tool. Regin individually targets government agencies, telecoms, research institutes (particularly those involved in advanced maths and cryptography), even hotels (perhaps for intelligence on guests' movements).

Its ingenious modular design of interdependent components involved a dropper and five-stage loading architecture (similar to Stuxnet and the related Duqu). A suite of payloads are controlled by the attacker via remote command-and-control servers scattered around the internet. So far it’s been used to conduct “continuous monitoring of targeted organisations or individuals”.

Regin captures screenshots and steals logs and passwords, retrieving even deleted files. It monitors emails, web and network traffic, even mobile telephony base station controllers, which it can intercept and interfere with.

The sheer time, resources and skill involved in creating Regin could only have come from a "nation state" intelligence agency, according to Symantec. Others again cited the US, UK or Israel as the most likely candidates, and world news outlets rang the alarm.

Neutralising infection

Symantec’s Dublin director of security,

Orla Cox

, says there has been “nothing of significance since the initial announcement”. Anti-virus protection should neutralise infection by removing Regin’s initial drivers, although the firms are on the lookout for other variants.

Cox acknowledges that they have not got a full picture of the latest version, and that such a flexible sophisticated tool could easily be adapted by intelligence agencies. But the average user needn’t be too concerned, she says, as safeguards are now in place.

Symantec’s Dublin office, as part of the global team, was involved in decrypting, reverse-engineering and piecing together various Regin components. Symantec says this stealth tool simply collects data and monitors targets using a multistage approach, where each stage (bar the first) is hidden and encrypted; as is the stolen data.

Even when detected, it can be difficult to ascertain Regin’s motives. Symantec admitted it could only analyse the payload after decrypting numerous sample files.

The initial driver is the only code left visible on the computer. The rest is stored as “encrypted data blobs” deep in with unusual file storage, such as in the registry, virtual file systems or raw sectors at the end of disk, which could be sitting on machines for years before detection.

“It’s a full-feature spying tool for long- term surveillance and mass data-gathering,” Cox says, “a whole framework which can be adapted or updated to take on extra payloads or functions, depending on the system or organisation they are targeting. It’s fully customisable for whatever the operator wants it to do.”

Symantec tracked one version of the malware from 2008 to 2011, when it disappeared. Version “2.0” resurfaced in 2013. The firm admits it took a long time to piece together the jigsaw, and they still haven’t detected all modules of the new version. And more versions likely exist.

Symantec has verified about 100 infections globally, categorised as private individuals or small businesses (48), telecoms backbones (28), hospitality sector (9), energy sector (5), airlines (5), and research facilities (5).

In terms of a geographic breakdown, the 100 verified infections struck Russia (28) and Saudi Arabia (24), with Ireland and Mexico at joint third on nine, followed by India, Afghanistan, Iran, Belgium, Austria and Pakistan on five.

Of the nine Irish infections, all afflicted just one “very surprised” Irish company, “not a particularly high-profile organisation”, which Cox declines to identify.

Countries unaffected included the UK, US and the other three "five eyes" cybersurveillance alliance countries: Canada, Australia and New Zealand.

Regin announced

Symantec’s understanding of Regin is still incomplete. That makes the timing of the announcement rather odd, coming after it learned that online news site

The Intercept

was about to announce Regin and its US connections.

The Intercept

is edited by

Glenn Greenwald

and

Laura Poitras

, both of whom are closely connected with Snowden’s emergence.

When Symantec went public, the other big anti-virus companies (Kaspersky and F-Secure) immediately followed suit, also stating they had been tracking Regin samples, which were in their files since 2008 or earlier.

Indeed, the VirusTotal website flagged one component in 2011, when Microsoft began removing it. Mikko Hyponnen of F-Secure said that certain customers asked him not to discuss the malware found on their networks.

Meanwhile, Kaspersky identified 27 further victims from countries such as Brazil, Algeria, Germany, Syria, Malaysia, Indonesia, Fiji and the tiny Pacific island-nation of Kiribati.

Belgian hack

On December 13th

The Intercept

posted a compelling narrative of the extensive Regin hack during 2010 and 2011 of

Belgacom

, the partly state-owned Belgian telecom firm, by GCHQ – tying in neatly with Snowden’s revelation.

Apparently, GCHQ began by targeting engineers and administrators with full access to the system, and using IP addresses, web traffic and cookies, targeted each individually with malware to spread across the system.

According to The Intercept, GCHQ identified other cellphone operators connected to Belgacom through international roaming partnerships, and hacked into data links over a protocol called GPRS, which handles cellphone internet browsing and multimedia messages. The hack remained undetected until spring 2013.

Belgacom hired a Dutch security firm, Fox-IT, which found that Regin had infected more than 120 computer systems, and up to 70 personal computers.

The most “mind-blowing” Regin infection Kaspersky saw occurred in an unnamed Middle Eastern country, on an elaborate web of networks the attackers infected and then bridged together between the country’s presidential office, a research centre, an educational institute and a bank.

Instead of having each infected network communicate with the attackers’ command server, the attackers set up an elaborate web so that commands passed between them as if through a peer-to-peer network. Only the educational institute served as a hub for communicating externally with the attackers.

Meanwhile, last February 1st, again from Belgium, it was reported that Regin had hacked the PC of Jean-Jacques Quisquater, a cryptography professor and security specialist at the Université Catholique de Louvain, after he clicked a bogus LinkedIn page of a non-existent employee of the European patent office.

Espion technician Conor O'Neill says the Symantec announcement certainly alarmed his clients. Like Brian Honan, who consults for Irish government departments, the UN and Interpol, O'Neill had never heard of Regin before this.

Legally, such hacking and data retention exists in a grey area. Privacy International's Dr Richard Tynan notes that the UK Intelligence Services Act 1994 can be called upon to justify hacking "in the interests of the economic well-being of the United Kingdom in relation to the actions or intentions of persons outside the British Islands".

Meanwhile, last April, an EU directive governing data retention was overturned by the EU Court of Justice, after Digital Rights Ireland referred Ireland’s Criminal Justice (Terrorist Offences) Act, 2005 to the court.

In a move that seems at odds with that ruling, Minister for Justice Frances Fitzgerald signed into law a statutory instrument on November 26th, enacting the dormant third part of the 2008 Criminal Justice (Mutual Assistance). This allows foreign law enforcement agencies to tap Irish phone calls and emails. Telecoms that refuse to comply with an intercept order could be brought before a private "in camera" court.

Their own law

Technology gallops ahead of the law, while intelligence agencies often operate as a law unto themselves. Meanwhile, surveillance companies such as Gamma International (Finfisher) and Hacking Team (Da Vinci) openly market a staggering range of malware to governments, even those with unsavoury human rights records.

As in other industries, there is a revolving door between the private sector and government agencies such as GCHQ/NSA – from the top. Gen Keith Alexander, former US Cyber Command and NSA head, now attracts vast seven-figure consulting fees for his IronNet Cybersecurity firm.

This after Alexander left the NSA under a cloud in March over Snowden’s revelations of NSA bulk surveillance and warrantless wire-tapping. There were revelations of a secret deal by which the NSA paid RSA, the security company, $10 million (€8.3 million) for RSA to incorporate a backdoor into its encryption product, BSafe.

According to Espion’s O’Neill: “These threats are here to stay, and AV is not a silver bullet, but everyone should be taking measures. For organisations, that includes general security awareness and network monitoring: appropriate segregation of networks, firewall rules; threat modelling exercises; and even the inevitable disaster recovery plans.”

However all these warnings should be taken in light of Belgacom boss Dirk Lybaert’s description of the Regin malware: “This is a kind of attack that a single company or country would be unable to withstand on its own.”

As security guru Bruce Schneier said recently, we are all potentially collateral damage of state-sponsored malware, particularly if we're "unlucky enough to be sitting in the blast radius".