Regin (malware)

Regin (also known as Prax or QWERTY) is a sophisticated malware and hacking toolkit used by the United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and ''The Intercept'' in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, GCHQ. ''The Intercept'' provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. (The name Regin is first found on the VirusTotal website on 9 March 2011.) Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan. Kaspersky has said the malware's main victims are private individuals, small businesses and telecom companies. Regin has been compared to Stuxnet and is thought to have been developed by "well-resourced teams of developers", possibly a Western government, as a targeted multi-purpose data collection tool. According to ''Die Welt'', security experts at Microsoft gave it the name "Regin" in 2011, after the cunning Norse dwarf Regin.


Operation

Regin uses a modular approach that lets it load only the features that fit a given target, enabling customized spying. The design makes it highly suited to persistent, long-term mass surveillance operations. Regin is stealthy and does not store multiple files on the infected system; instead it uses its own encrypted virtual file system (EVFS), contained entirely within what looks to the host like a single file with an innocuous name, inside which files are identified only by a numeric code rather than a name. The EVFS employs a variant of the rarely used RC5 cipher. Regin communicates over the Internet using ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols, talking to a command and control server that can direct operations, upload additional payloads, and so on.


Identification and naming

Symantec says that both it and Kaspersky identified the malware as ''Backdoor.Regin''. Most antivirus programs, including Kaspersky's (as of October 2015), do not identify the sample of Regin released by ''The Intercept'' as malware. On 9 March 2011 Microsoft added related entries to its Malware Encyclopedia; two more variants, ''Regin.B'' and ''Regin.C'', were added later. Microsoft appears to call the 64-bit variants of Regin ''Prax.A'' and ''Prax.B''. The Microsoft entries contain no technical information. Both Kaspersky and Symantec have published white papers with the information they learned about the malware.


Known attacks and originator of malware

German news magazine ''Der Spiegel'' reported in June 2013 that the US intelligence agency, the National Security Agency (NSA), had conducted online surveillance on both European Union (EU) citizens and EU institutions. The information derives from secret documents obtained by former NSA worker Edward Snowden. Both ''Der Spiegel'' and ''The Intercept'' quote a secret 2010 NSA document stating that it carried out cyberattacks that year, without specifying the malware used, against the EU diplomatic representations in Washington, D.C. and its representations to the United Nations. Signs identifying the software used as Regin were found by investigators on infected machines. ''The Intercept'' reported that, in 2013, the UK's GCHQ attacked Belgacom, Belgium's largest telecommunications company. These attacks may have led to Regin coming to the attention of security companies. Based on analysis done by IT security firm Fox IT, ''Der Spiegel'' reported in November 2014 that Regin is a tool of the UK and US intelligence agencies. Fox IT found Regin on the computers of one of its customers, and according to its analysis parts of Regin are mentioned in the NSA ANT catalog under the names "Straitbizarre" and "Unitedrake". Fox IT did not name the customer, but ''Der Spiegel'' noted that Belgacom is among Fox IT's customers and cited the head of Fox IT, Ronald Prins, who stated that they are not allowed to speak about what they found in the Belgacom network (Christian Stöcker, Marcel Rosenbach, "Spionage-Software: Super-Trojaner Regin ist eine NSA-Geheimwaffe", ''Der Spiegel'', November 25, 2014). In December 2014, German newspaper ''Bild'' reported that Regin was found on a USB flash drive used by a staff member of Chancellor Angela Merkel. Checks of all high-security laptops in the German Chancellery revealed no additional infections. Regin was used in October and November 2018 to hack the research and development unit of Yandex.


See also

* Advanced persistent threat
* Cyberwarfare in the United States
* NSA ANT catalog
* Stuxnet
* WARRIOR PRIDE

