Regin Malware, Commonly Associated With NSA, Found on German Government Laptop
A senior aide to German Chancellor Angela Merkel has supposedly become a victim of a computer virus linked to the United States and United Kingdom, according to various German news reports.
The attack is either a case of international spying or an infection due to negligence.
As reported by the Bild newspaper, a senior staff member plugged a USB drive into Merkel’s computer to carry a speech home and finish it on her laptop. On her return, a virus scan of the drive revealed that it had picked up malware known as Regin.
German Reaction to the Malware Discovery
After Regin was found on a single computer, 200 other high-security laptops in the Chancellery were screened. According to German security services, none of the other computers was found to carry the malware.
A German government spokesperson then disputed claims that the Regin infection was an attack by the U.S. government.
“Such a pattern of attack has explicitly not occurred,” Christiane Wirtz said in Berlin, adding that the IT systems of the Federal Chancellery were not infected. “That is, in this context, the most important statement.”
What is Regin?
Regin was uncovered earlier this year by Kaspersky and other security researchers. While there is no proof that Regin was developed by the U.S. or the U.K., it targets nations of interest to both countries.
Afghanistan, Pakistan, Iran, Mexico and Russia were all found to have Regin inside their telecommunication systems when the malware was discovered.
All of the countries listed are plausible targets for the U.S., but the main basis for inferring that Regin is U.S.-made is its degree of sophistication. Accusations hold that if the U.S. did not create it, it at least aided in its development.
Knowledge of Regin first surfaced in 2008, a few years before Edward Snowden leaked the National Security Agency (NSA) documents showing that the U.S. government was spying on almost everybody, literally. The documents stated that the NSA used a virus, but did not specify which one.
Regin is used as a data-gathering virus, and data gathering is one of the NSA’s primary functions. According to Symantec, a cyber-security company that studied Regin, the malware can take screenshots, steal passwords and even take control of the mouse cursor.
The virus disguises itself as legitimate Microsoft software, lulling the user into a false sense of security.
“Regin’s developers put considerable effort into making it highly inconspicuous,” Symantec said upon their discovery. “Its low key nature means it can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing.”
As for technical stealth features, Symantec claims Regin has “anti-forensics capabilities along with a custom built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies and custom TCP and UDP protocols.”
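Symantec’s remark that Regin can tunnel commands over ICMP/ping is the kind of claim a defender can turn into a detection. The following Python is an added example (not code from the article, Symantec or the Regin analysis): it scores ICMP echo payloads from constructed sample records, whitelisting the default payloads of stock ping utilities and flagging near-random ones that may carry encrypted traffic; the 0.95 threshold and the source addresses are assumptions.

```python
import math
from collections import Counter

# Default payload of the Windows ping utility (well known, not Regin-specific).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def normalized_entropy(data: bytes) -> float:
    """Entropy scaled to [0, 1] against the maximum possible for this length."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(len(data), 256))


def is_stock_ping_payload(payload: bytes) -> bool:
    """True for the Windows default, or the Linux iputils pattern:
    an 8-byte timestamp followed by bytes whose value equals their offset."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    body = payload[8:]
    return len(body) > 0 and all(b == (8 + i) & 0xFF for i, b in enumerate(body))


def is_suspicious_echo(payload: bytes, threshold: float = 0.95) -> bool:
    """Flag a non-stock payload whose bytes look near-random (e.g. encrypted)."""
    if is_stock_ping_payload(payload):
        return False
    return normalized_entropy(payload) >= threshold


def flag_echo_sources(records):
    """records: iterable of (source_ip, icmp_payload); returns flagged sources."""
    flagged = []
    for src, payload in records:
        if is_suspicious_echo(payload) and src not in flagged:
            flagged.append(src)
    return flagged


# Constructed sample traffic (not real captures); the addresses are hypothetical.
SAMPLE_RECORDS = [
    ("10.0.0.5", WINDOWS_PING_PAYLOAD),                          # Windows ping
    ("10.0.0.6", bytes(8) + bytes(range(8, 56))),                # Linux ping
    ("10.0.0.7", bytes.fromhex("9f3a7c01e4b8d25673ac0f91b7e63d4a"  # random-looking
                               "2c85f01e6b9da7304c2e8f15a6d3b087")),
]
```

Flagged sources are candidates for analyst review, not verdicts: any tool that sends custom ping payloads will trip the same heuristic.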
According to various reports, Regin may also be associated with the NSA’s British equivalent Government Communications Headquarters (GCHQ).