Regin spy malware was used in Belgacom, EU government hacks

Which nation state is behind the sophisticated Regin espionage malware? According to The Intercept, it’s likely wielded by the UK spy agency GCHQ and/or the US NSA.

The publication has received confirmation that Regin is the malware that was used late last year to breach Belgium’s primarily state-owned Belgacom, which numbers among its customers the European Commission, Council and Parliament, and its subsidiary Belgacom International Carrier Services (BICS), a Global Roaming Exchange (GRX) provider.

Belgacom called in Dutch infosec consultancy Fox-IT to investigate the breach, but has declined to publicly identify the malware used or to speculate about who might be behind the attack.

What they did say is that the malware was a previously unknown APT tool that was delivered onto the system via a dropper that “assembled the malware based on many small pieces of software hidden in dozens of databases,” and then deleted itself. Also, that the attack was first spotted on June 21, 2013.

Ronald Prins, founder and CTO of Fox-IT, says that after analyzing the malware and looking at previously published Snowden documents about the attack, he’s convinced that Regin is used by British and American intelligence services.

Another indication that the Regin malware was the one used in the Belgacom breach is the fact that on the same day, a person based in Belgium who turned out to be a systems administrator at the company submitted a sample of the malware to VirusTotal, in an attempt to discover the file’s nature.

Regin has also been used in the 2011 hack targeting the systems of the European Commission and European Council, and to target Belgian cryptographer Jean-Jacques Quisquater some five months after the Belgacom hack, Wired reports.

Bits and pieces of the malware have been spotted by Microsoft, Kaspersky Lab, F-Secure and Symantec over the years, and detection for them has been added to the companies’ security solutions, but it took a long time for them to determine the real extent and nature of the threat.
