Prax (malware)
Regin (also known as Prax or QWERTY) is a sophisticated malware and hacking toolkit used by the United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and ''The Intercept'' in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. ''The Intercept'' provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. (The name Regin is first found on the VirusTotal website on 9 March 2011.) Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.

Kaspersky has said the malware's main victims are private individuals, small businesses and telecom companies. Regin has been compared to Stuxnet and is thought to have been developed by "well-resourced teams of developers", possibly a Western government, as a targeted multi-purpose data collection tool. According to ''Die Welt'', security experts at Microsoft gave it the name "Regin" in 2011, after the cunning Norse dwarf Regin.


Operation

Regin uses a modular approach that allows it to load only the features that fit the target, enabling customized spying. The design makes it highly suited for persistent, long-term mass surveillance operations against targets. Regin is stealthy and does not store multiple files on the infected system; instead it uses its own encrypted virtual file system (EVFS), entirely contained within what looks to the host like a single file with an innocuous name, within which files are identified only by a numeric code, not a name. The EVFS employs a variant of the rarely used RC5 cipher. Regin communicates over the Internet using ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols with a command and control server, which can control operations, upload additional payloads, etc.


Identification and naming

Symantec says that both it and Kaspersky identified the malware as ''Backdoor.Regin''. Most antivirus programs, including Kaspersky (as of October 2015), do not identify the sample of Regin released by ''The Intercept'' as malware. On 9 March 2011 Microsoft added related entries to its Malware Encyclopedia; later two more variants, ''Regin.B'' and ''Regin.C'', were added. Microsoft appears to call the 64-bit variants of Regin ''Prax.A'' and ''Prax.B''. The Microsoft entries do not have any technical information. Both Kaspersky and Symantec have published white papers with information they learned about the malware.


Known attacks and originator of malware

German news magazine ''Der Spiegel'' reported in June 2013 that the US intelligence agency, the National Security Agency (NSA), had conducted online surveillance on both European Union (EU) citizens and EU institutions. The information derives from secret documents obtained by former NSA worker Edward Snowden. Both ''Der Spiegel'' and ''The Intercept'' quote a secret 2010 NSA document stating that it made cyberattacks that year, without specifying the malware used, against the EU diplomatic representations in Washington, D.C. and its representations to the United Nations. Signs identifying the software used as Regin were found by investigators on infected machines. ''The Intercept'' reported that, in 2013, the UK's GCHQ attacked Belgacom, Belgium's largest telecommunications company. These attacks may have led to Regin coming to the attention of security companies. Based on analysis done by IT security firm Fox IT, ''Der Spiegel'' reported in November 2014 that Regin is a tool of the UK and US intelligence agencies. Fox IT found Regin on the computers of one of its customers, and according to their analysis parts of Regin are mentioned in the NSA ANT catalog under the names "Straitbizarre" and "Unitedrake". Fox IT did not name the customer, but ''Der Spiegel'' mentioned that among the customers of Fox IT is Belgacom and cited the head of Fox IT, Ronald Prins, who stated that they are not allowed to speak about what they found in the Belgacom network. (Christian Stöcker, Marcel Rosenbach, "Spionage-Software: Super-Trojaner Regin ist eine NSA-Geheimwaffe", ''Der Spiegel'', November 25, 2014.) In December 2014, German newspaper ''Bild'' reported that Regin was found on a USB flash drive used by a staff member of Chancellor Angela Merkel. Checks of all high-security laptops in the German Chancellery revealed no additional infections. Regin was used in October and November 2018 to hack the research and development unit of Yandex.


See also

* Advanced persistent threat
* Cyberwarfare in the United States
* NSA ANT catalog
* Stuxnet
* WARRIOR PRIDE

