GCHQ/NSA Data-Grabbing Malware Disguised Itself As Microsoft Drivers, Was Served Via Fake LinkedIn Pages

from the im-in-ur-internet-stealing-ur-files dept

Some nasty malware with a decade of history behind it has been uncovered, and it has the fingerprints of two governments all over it.

Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.
Behind the malware -- which disguised itself as Microsoft drivers and was served via malicious, fake LinkedIn pages -- lies a cooperative effort between the NSA and GCHQ. Belgacom has long since ousted the intruding software and is now working with a federal prosecutor to pursue a criminal investigation. Belgacom's subversion by this malware -- comparable in sophistication to the infamous Stuxnet, according to Symantec (which published its findings last Sunday) -- led to the breach of EU offices.

Spying on foreign governments is what intelligence agencies are expected to do. But dumping malware into the operating systems of a communications provider generally isn't. Belgacom's infection is the only verified incident so far, but there are likely many, many more considering the Regin malware traces back nearly ten years.
Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned at a recent Hack.lu conference in Luxembourg, and Symantec’s report on Sunday said the firm had identified Regin on infected systems operated by private companies, government entities, and research institutes in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran.
GCHQ has issued boilerplate in response to The Intercept's request for a comment. The NSA, on the other hand, apparently isn't going to dignify this story with a non-denial denial, opting instead for something much more brusque:
“We are not going to comment on The Intercept’s speculation.”
What's currently out there in the wild may not be as effective anymore. Belgacom discovered its infection around June 21, 2013, about a week before Der Spiegel published Snowden documents pointing to the digital infiltration of EU offices. The Intercept has made the malware available for download and states the following in its article.
Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.
If so, then the two agencies involved have likely moved on to something better and less detectable. Being outed is no reason to stop spying, especially in other nations where legal protections range from "thin" to "nonexistent."


Filed Under: gchq, malware, nsa, surveillance
Companies: belgacom, linkedin, microsoft


Reader Comments

  1. That One Guy (profile), 25 Nov 2014 @ 4:55pm

    And again the USG shows that when they're talking about the 'impending cyber Pearl Harbor'... the USG is the one playing the Japanese.

  2. Whoever, 25 Nov 2014 @ 5:05pm

    European arrest warrant anyone?

    Perhaps this will kill the UK adoption of the European arrest warrant scheme.

  3. Anonymous Coward, 25 Nov 2014 @ 5:08pm

    No one would believe them if they did comment. Because they cannot possibly tell the truth. They are basically "inviting" the cyber Pearl Harbour they have their panties in such a bunch over, due to their own illegal hacking.

    #building trust

  4. Anonymous Coward, 25 Nov 2014 @ 5:26pm

    Re:

    That's just it though. We all know what happened next. That's why the US wants to shore up its cyber defenses so badly, because they know someone is about to drop the bomb on them.

  5. Anonymous Coward, 25 Nov 2014 @ 7:24pm

    "Disguised Itself As Microsoft Drivers"

    Was it digitally signed as such?

  6. James, 25 Nov 2014 @ 8:04pm

    built in

    Who cares about malware when software like nepomuk is being built into your computer to monitor and index everything?

  7. Anonymous Coward, 25 Nov 2014 @ 11:43pm

    Re: Re:

    Likely through their own pre-arranged backdoors.

  8. Anonymous Coward, 26 Nov 2014 @ 12:17am

    >"Spying on foreign governments is what intelligence agencies are expected to do"
    And foreign governments are expected to be very upset when their supposed allies constantly backstab them.

  9. Anonymous Coward, 26 Nov 2014 @ 1:28am

    Re: built in

    Only if you're silly enough to stick with Ubuntu after Canonical began embedding spyware and partnering with spammers.

  10. Anonymous Coward, 26 Nov 2014 @ 5:25am

    I've seen faked LinkedIn emails before. The giveaway was claiming someone I had never heard of wanted to connect with me. I signed in the normal way, and sure enough there were zero new connection requests.

  11. Anonymous Coward, 26 Nov 2014 @ 5:44am

    Windows users must not get enough viruses and malware; they need governments to add to the supply.

  12. Anonymous Coward, 26 Nov 2014 @ 7:55am

    I find it interesting Regin infects cellphone tower base controller stations, giving hackers access to all the E911 location tracking features built into smart phones.

  13. Lurker Keith, 26 Nov 2014 @ 11:25am

    Re:

    I regularly see fake LinkedIn E-mails. I know they're fake, because I don't think I've ever been to their site, much less have an account. So that's been the NSA/GCHQ this whole time? Glad I kept reporting them. Too bad it didn't do anything.

  14. Rene Pilon, 26 Nov 2014 @ 11:25am

    Re:

    As per The Intercept:

    The Intercept’s investigation revealed a sample uploaded on VirusTotal on March 14th 2012 that presents the unique 0xfedcbafe header, which is a sign that it might have been loaded by a Regin driver and it appears to provide stealth functionality for the tool kit.

    TDSSKiller.exe (distributed a while back to apparently ferret out a certain rootkit) has that 0xfedcbafe header.

    https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/
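The comment above turns The Intercept's 0xfedcbafe header into a triage indicator and, in the same breath, shows its weakness: a legitimate tool (TDSSKiller) carries the same header. The following scanner is an added example written for this page, not code from Techdirt, The Intercept or Symantec. It assumes the marker sits in the first four bytes of a file and, because the article does not say how it is stored, checks both byte orders; the sample files it scans are constructed test data, not real Regin bytes.

```python
"""Scan files for the 0xfedcbafe header that The Intercept's Regin analysis mentions.

Added example, not code from the page's sources. Assumptions (not stated on the page):
 - the marker occupies the first four bytes of a file;
 - it may be stored big-endian (fe dc ba fe) or little-endian (fe ba dc fe),
   so both orientations are checked and reported separately.
The SAMPLES below are synthetic test data constructed for this example.
"""
import os
import struct
import tempfile
from typing import Dict, Iterable, Iterator, Optional, Tuple

MARKER = 0xFEDCBAFE
MARKER_BE = struct.pack(">I", MARKER)  # b"\xfe\xdc\xba\xfe"
MARKER_LE = struct.pack("<I", MARKER)  # b"\xfe\xba\xdc\xfe"


def header_match(data: bytes) -> Optional[str]:
    """Return 'big-endian', 'little-endian' or None for the first four bytes of data."""
    head = data[:4]
    if head == MARKER_BE:
        return "big-endian"
    if head == MARKER_LE:
        return "little-endian"
    return None


def scan_files(paths: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (path, orientation) for every readable file whose header matches.

    A hit is a triage lead, not a verdict: as the comment notes, TDSSKiller
    carries the same header, so a match needs corroboration (signer, known
    hash, behaviour) before anyone treats the file as Regin.
    """
    for path in paths:
        try:
            with open(path, "rb") as fh:
                head = fh.read(4)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        orientation = header_match(head)
        if orientation:
            yield path, orientation


# Constructed samples: the marker in each byte order, a plain MZ header, and a
# file shorter than the marker (must never match).
SAMPLES: Dict[str, bytes] = {
    "marker_be.bin": MARKER_BE + b"\x00" * 60,
    "marker_le.bin": MARKER_LE + b"\x00" * 60,
    "benign.exe": b"MZ" + b"\x90" * 62,
    "short.bin": b"\xfe",
}


def demo() -> Dict[str, str]:
    """Write the constructed samples to a temp dir, scan them, return name -> orientation."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, content in SAMPLES.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            paths.append(path)
        return {os.path.basename(p): o for p, o in scan_files(paths)}


if __name__ == "__main__":
    for name, orientation in demo().items():
        print(f"{name}: 0xfedcbafe header ({orientation}); triage, not a verdict")
```

Run against a real directory by passing its file paths to `scan_files`; the point of returning the orientation is that a hunt can later tell which form actually showed up and drop the other from the rule.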

  15. Dana Bostick (profile), 26 Nov 2014 @ 11:53am

    Microsoft drivers on LinkedIn?

    Who would be stupid enough to download MS Drivers from LinkedIn? Am I missing something here?

  16. John Fenderson (profile), 1 Dec 2014 @ 9:48am

    Re: Re: built in

    nepomuk is used by KDE, so you can't avoid it just by avoiding Ubuntu or Debian. Fortunately, you can totally disable it (which I recommend you do, not just for privacy reasons but also because it puts a fairly large drain on system resources.)

  17. Just Another Anonymous Troll, 2 Dec 2014 @ 4:52am

    Serves them right for using LinkedIn.

  18. me, 6 Dec 2014 @ 7:52am

    It's not faked LinkedIn emails they are using

    Look up QUANTUM INSERT. Your communications with actual, genuine site(s) are being played around with to deliver malware and even "cookies" (Yahoo cookies are a favorite).


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.