Researchers with Kaspersky Labs say all signs point to a malicious keylogger called "QWERTY," reportedly leaked from the NSA (National Security Agency), coming from the same source as the Regin malware platform, which was likely developed with the support of a nation-state. They made the connection after examining files about QWERTY that were among the documents provided by former NSA contractor and whistleblower Edward Snowden.
"We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin," Kaspersky researchers, Costin Raiu and Igor Soumenkov, wrote on the cybersecurity firm's SecureList Web site. "Looking at the code closely, we conclude that the 'QWERTY' malware is identical in functionality to the Regin 50251 plugin."
Their analysis leads them to conclude that QWERTY is a plugin designed to work as part of the Regin platform. "Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together," the researchers said.
Regin a 'Sophisticated Attack Platform'
In a detailed lab report about the Regin platform published in November, Kaspersky researchers compared Regin to another malware called Turla and concluded, "Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analyzed." The Regin toolkit enables the actors deploying it to penetrate and monitor Global System for Mobile Communications (GSM) networks.
While Kaspersky hasn't been able to pinpoint when Regin first appeared in the wild, it has found some instances with timestamps dating back to 2003.
"The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations," according to the Kaspersky report. "In today's world, we have become too dependent on cellphone networks that rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded that allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and then abuse it to launch other types of attacks against mobile users."
No Solid Proof of Origin
We reached out to Kaspersky's Soumenkov to get more information about their discovery. He told us that the researchers' latest analysis provides proof that QWERTY was made to work with Regin.
While documents from Snowden have shown that the U.K. spy agency, GCHQ (Government Communications Headquarters), used Regin to break into the networks of the Belgian telco Belgacom in 2012, Kaspersky's analysis doesn't indicate where either Regin or QWERTY originated.
"We have no solid proof pointing at any concrete organization or country when it comes to attribution," Soumenkov said. "We only discovered strong similarities in the code of the two malicious programs." Systems administrators concerned about Regin can check for indicators of compromise that have been published by Kaspersky, he said.
"In general, we recommend installing a modern security suite on all endpoints and servers," Soumenkov added. "Log events and set up a centralized logging system. Make sure that you keep everything updated. And use whitelisting and default deny policies as much as possible."