Regin: The super-spyware the security industry has been silent about A public autopsy of sophisticated intelligence-gathering spyware Regin is causing waves today in the computer security world. But here's a question no one's answering: given this super-malware first popped up in 2008, why has everyone in the antivirus industry kept quiet about it until now? Has it really taken them years to …
Nice to know they are happy to target more than just us hoi polloi.
Money well spent.
Treasonous May wants new laws to spy on school-children, to protect us from... Exploding children! Or something.
What next? Paedo children? Children who want to have sex with other children? Rather than sex with fat MPs grown men? It must be stopped!
Holy shit, this country is fucked up!
Maybe we should all just offer ourselves up for re-education?
Holy shit, this country is fucked up!
At least one commentard disagreed. Having visited the reeducation facilities which are in impeccable condition and maintained to the highest sanitary standards, a consequential downvote was just the right action to perform.
"I also have a problem. I'm not sure which side runs this Village."
We've discovered the government malware.
You click through to comment upon it - and then you see a post that distracts you, and causes you to write something else.
Who benefits from this distraction? Who might have caused it? Surely you don't believe there's really anybody quite so retarded?
*raises eyebrow*
WTF is an AV outfit doing NOT dealing with or reporting on a sophisticated piece of malware "because their client" asked them not to? Are the people who PAY for their AV products not clients? It's not as if they are obligated to list the names and addresses of their infected "clients".
"Their client" might have been penetrated by Regin because the client was or was perceived to be doing something that got them in the sights of one or more sigint agencies, and when they found out they were being targeted they decided to make nice with the government(s) involved. Part of the plea bargain is that the client in question not talk about the vehicle used to surveil them. Or they just decided not to make matters worse and risk going from acceptable levels of surveillance by shadowy sigint forces to all-out penetration of their infrastructure.
"WTF is an AV outfit doing NOT dealing with or reporting…"
From the article, F-Secure did deal with the malware, Mikko's tweet was, "Malware decoded, detection added". When you're receiving hundreds of thousands of samples of dozens of varieties of malware a day, something has to be pretty exceptional to deserve a press release, if the only known victim doesn't want it publicised, what's left to talk about?
Full disclosure - Mikko is a nice guy to have a drink with.
Because the Irish throw the biggest boozeouts, and somebody in the shadows wanted to know where the next party was being held?
More seriously, possibly the shadowy "they" are watching all this corporate revenue being moved through Ireland for tax purposes.
Or (less seriously--I hope) maybe because the Irish stood on the sidelines during WW2 and the Cold War, the lot of them must be nazi/commie sympathizers!! By that logic, these days the Irish must be the "have a wee drink" arm of Al Qaeda!!
Various parts of the US government can forward their interests to the NSA. So, the diplomats and arms makers will ask for information on Russia, the terrorism watchers will have questions about Saudi Arabia, the drug investigators will have questions about Mexico, and the tax office will have questions about companies who use Ireland as a tax haven.
Something like Regin would get developed by the "product development" department as a general purpose spy toolkit. A lot of the actual R&D probably gets outsourced. The NSA has an internal catalogue that their application spies can pick from. The list of countries we see here just happens to be the aggregate of all the different internal departments that used it for different purposes. This sort of stuff about how they operate came out in the Snowden documents.
It makes more sense if you think about the NSA (and to a lesser extent GCHQ) as a big conglomerate with different "business units" serving different "markets". Spying is what they do, and they try to expand into any and all markets.
Because corruption in Ireland is pretty blatant, but there's probably a lot more material not yet public, that would be excellent for blackmailing senior politicians into compliance with external interests.
Or possibly just to make up a price list to see which ones to buy.
It's the safecracker/national security hacker of choice, but it is also in charge of cybersecurity for the U.S. On top of that through it's big budget, relationships with other sigint agencies, alumni community in private industry and the ability to rouse support from various arms of the military-industrial, intelligence or law enforcement communities in the U.S. and probably a lot of U.S. allies, it has huge influence in IT security around the world.
So if you are an IT security company, the NSA can really hold your feet to the fire. If you tweak them by outing their malware without permission, you can find your products getting bad security reviews from the NSA, or no reviews at all, or getting inexplicably edged out of government contracts or work with defense/government contractors in the U.S. and overseas. That's a lot of potential customers to risk losing by through exposing an NSA or 5 Eyes operation, even if that operation is a threat to IT security in general.
Plus there is just the national security/sigint aspect of their organization. If you are the CEO of even a huge IT security vendor like Symantec and you get a call from the Director of the NSA, you are probably going to take the call simply out of interest in what he is going to ask you about and what he thinks the potential alignment might be between the world's premier sigint agency and your company.
The NSA really needs to have it's cybersecurity responsibilities moved out from under the agency. It basically allows them to corrupt or appear to corrupt much of the IT security industry. I can understand why the NSA wants to keep that responsibility in-house, it allows them to control a lot of the industry. However, its a bad deal for IT customers and the IT security industry itself.
Good idea - separating the NSA spying/infiltrating/implanting from the NSA passively watching radio waves.
Sort of like getting other Intelligence Agencies to not meddle in other countries affairs in a disruptive manner.
I can't see getting ex-spooks/clandestine operatives that are running these agencies to relinquish their sense of satisfaction of being in control vs. being just observers.
Even if we/you were to split agencies into analysis/operational roles, we all know that the pathways between their buildings would be well worn.
Seems that it's more interested in the infrastructure much like Stuxnet but without the "destroy... destroy... destroy...." command. Or maybe there's a part of it that allows such commands to be entered. Nothing like shutting down power on a country to create problems for the leadership.
"virtually no infections have been reported in the US, UK or other Five Eyes nations, some to suspect it's the work of the NSA, GCHQ or their contractors."
What's even more fascinating is that the mainstream media (i.e. not the tech press) reports that I have been reading waffled like mad about the source of it, and then vaguely insinuated that Russia and China were to blame.
One news story quoted a "Gartner analyst Avivah Litan" as directly saying it was Russia, China, or North Korea, or even all three of them working together in a vast alliance. He didn't quite say "axis of evil", but the thought was there.
Given that the target list pretty much encapsulates the people the US wants to spy on, I don't think we're in too much doubt about who was behind it. The big question is why the mainstream media are afraid to admit the obvious?
"Given that the target list pretty much encapsulates the people the US wants to spy on"
Actually the US want to spy on everybody, including "allies" as the scandal over Merkel's phone showed. My guess is that the reported infections are a subset of the total, and there will be infections in Europe and the Anglophone countries.
for example by reading http://en.wikipedia.org/wiki/Udo_Ulfkotte
recent number one best-selling book on Amazon.de,
now
Nr. 1 in Bücher > Film, Kunst & Kultur > Medien
Nr. 1 in Bücher > Fachbücher > Medienwissenschaft > Publizistik > Journalismus
Nr. 1 in Bücher > Biografien & Erinnerungen > Weitere Berufe & Themen (Further Business & Themes)
The book "Bought Journalists" http://www.amazon.de/Gekaufte-Journalisten-Udo-Ulfkotte/dp/3864451434/
According to Ulfkotte, the CIA and German intelligence (BND) bribe journalists in Germany to write pro-NATO propaganda articles, and it is well understood that one may lose their media job if they fail to comply with the pro-Western agenda. In 2014, Ulfkotte published Bought Journalists ("Gekaufte Journalisten"), in which he reveals that the CIA and other secret services pay money to journalists to report a particular story in a certain light.
Is there any reason not to assume that our British dearly beloved journalists are not also "bought"?
(I write this as an anonymous commentard who was probably targeted/hit by the Regin attack)
The only good news is that since Udo's book was released, the German mainstream media (who ignore the book) have seen a free-fall in their unique visitors & might be suffering blowback!
<snip>
"One news story quoted a "Gartner analyst Avivah Litan" as directly saying it was Russia, China, or North Korea, or even all three of them working together in a vast alliance. He didn't quite say "axis of evil", but the thought was there"
<snip>
There is a man I would like to see pass the bacon sandwich test.
Wanders off singing medley of Hava nagilla and home on the range.
The Chinese government seems very interested in spying on the Chinese people (a bit like the American government being interested in spying on the American people, and the British government in spying on the British people) so if the software isn't found in China, that doesn't suggest it's of Chinese origin.
Well I was hit in Italy, having bought a HP Server from Canada, which was delivered to me via a software company in downtown Tel Aviv (Shipping label air-way bill sticker left on outside packing crate!) You really should learn to send viruses by road transport guys!, air just leaves so much metadata..
I suspect everyone, and I suspect no-one! as Inspector Clouseau would have said
Compliments to those who made this very subtle spy frame work. The word that is missing in publications about this latest collapse in privacy is Microsoft, it is them providing the fertile soil for spyware like this.
We need a new Ralph Nader, who will start addressing computer safety. It is a an outrage that desktops with updated windows versions running on idling i7's, are allowing silent insertion of new device drivers and kernel modifications. Until this is solved, the world can kiss NSA's feet if it continues its MS addiction. If we can verify https websites since over a decade, why can MS not verify low level drivers and other kernel extensions in 2014, and warn users that unknown software is inserted ?.
Users pay $100,- per license, that gives users rights on a product that is more then platform to run spyware on, until MS is dragged before court in a massive class action lawsuit, nothing will change.
MS lovers will probably down vote this post, compare Windows to a big TV manufacturer selling TV's with hidden camera's allowing spooks to spy in the living room, how would people feel about that ?.
*Setup*
I live in the home town of a certain ubiquitous caffeine addiction dealer as well as a certain massive (yet unprofitable) bookstore destroying pyramid scheme, AS WELL as neighbors to a certain dark fortress in nearby Redmond who makes "really good" software. You know the place.
[It must be really good as it's ubiquitous]
Elvis even did a strangely rapey movie about us back in the 60's..
Our local news reporting (no different from the national coverage I might add) was (and is) very warm to these three entities needless to say..
Back sometime in the 90's the local and national news started reporting increasingly breathless stories about how our precious software fluids were being invaded by things called virus and worms which were "somehow" taking up residence in our computer devices connected to the interwebs.
They curiously never seemed to specifically mention *which* computers were at risk and how exactly the infection was spreading (IE, Outlook, activeX usually).
Mac users hopefully knew that they were exempt, and the rare Unix and Linux almost certainly knew that this didn't apply to them, *BUT THE WINDOWS* users just assumed that this applied to EVERYONE including them.
After all that's what the news stories said.
Our media was thus protecting Microsoft by never raising the obvious question in the viewers mind "so why are these other operating systems safe?"
Until one evening.
One night our local news anchor accidentally (?) let slip by stating at the end of the report that this worm only affected Windows users!
That was the only time.
After that both the local and national news immediately STOPPED reporting on malware outbreaks.
Interesting..
In fact the regular news still does not report on security concerns anymore- a fact which was driven home that only one person I know (a curmudgeonly ancient geek like myself) has heard of Heartbleed.
Apparently the media has not seen fit to report on this or other topics of iThingies/aThingies/router/thermostats/cars/software/etc. security flaws to regular folks at all..
They don't want to scare the consumer units I'm guessing, but I find it interesting that as far as I know, there are no news reports outside of specialized outlets on flaws in our basic internet infrastructure.
They do, from what my sister tells me, report on credit card problems with Target, the Home Depot, Goodwill et al, but these are covered on a case by case basis. Not as a trend.
I don't have a TV, so all my information about the media is second hand or through YouTube (thus selective) but the past six months of ever more rapid *deep infrastructure* flaw revelations is freaking me out.
I suspect we are on a exponentially accelerating flaw discovery curve..
Why is everyone hopping on the NSA bandwagon? Sure, they're responsible for a lot of spying. They're spies. They've been in excessive media highlights since Snowden.
But let's look at this a moment.
Regin. Could be the reverse of In Reg (or In registry). It is also a figure from Nordic mythology (Reginn)
Hopscotch - game attributed to have originated in England.
Legspin - a specific play used in the game Cricket.
Willis - Risk analysis and cyber risk company based/founded in London. (note that a "customer" asked that there be no press relese)
Ericsson phones - Most widely distributed throughout Europe (at the height of Regin) and increased in China and APAC (Asia-Pacific).
Ericsson is HQ'd in Stockholm. (So, Ericsson HQ in Stockholm, Ericsson is prime carrier/mover of the software, Software named after a figure in Nordic mythology) http://en.wikipedia.org/wiki/Regin
The known distribution is highest in the APAC region, India, as well as, Eastern Europe... the three largest subscribers to Ericsson (Aside from China, which has tighter control on the available hardware)
The starbucks module coincides with the distribution locations as well. The higher points of distribution aligns with global Starbucks locations. The exception being North America, which has a low Ericsson distribution.
Ericsson is the carrier. Starbucks being a primary source of spreading the infection (most likely due to insecure Wi-Fi hotspots)
Hopscotch being the point to point transfer method, legspin being detection avoidance.
GCHQ has already been in the cross hairs for spying on Belgium: (http://www.wired.com/2014/07/gchq-illegal-spying/)
Vodafone telecom spying:
http://www.theguardian.com/business/2013/aug/02/telecoms-bt-vodafone-cables-gchq
Snowden & GCHQ/NSA:
http://www.bbc.com/news/world-us-canada-23123964
PRISIM: (Note that PRISIM, the NSA founded and GCHQ supported program, began in 2007. Regin detection noted as early as 2008)
http://en.wikipedia.org/wiki/PRISM_(surveillance_program)
GCHQ tapping India telecom cables:
http://www.theregister.co.uk/2014/11/21/mastering_the_internet_snowden_disclosure/
Amazingly enough, Regin uses C&Cs in those locations:
C&C server IP Location Description
61.67.114.73 Taiwan, Province Of China Taichung Chwbn
202.71.144.113 India, Chetput Chennai Network Operations (team-m.co)
203.199.89.80 India, Thane Internet Service Provider
194.183.237.145 Belgium, Brussels Perceval S.a.
My money is on GCHQ, rather than NSA, being behind this one (Though I'm not saying that the NSA didn't have a dog in this fight).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
