
Source Code Similarities Between NSA Malware and 'Regin' Trojan - Libertatea
http://www.spiegel.de/international/world/regin-malware-unmasked-as-nsa-tool-after-spiegel-publishes-source-code-a-1015255.html#ref=rss
======
cyphunk
It is worthwhile to apply the same scepticism for placement of attribution as
was applied with the Sony hack. In the latter many security analysts question
NK attribution based on the similarity of code argument given by the US --
pointing out that the code base was in the wild for a long time, could be
purchased on black market or reverse/reengineered after picking up the malware
from a vulnerable machine.

Shouldn't we also assume that this malware, having been in the wild for "10
years", could have simply been modified and thrown into the NSA tool chest?
When applying the same level of scepticism from the Sony hack, nothing in this
article represents real proof to counter relevant arguments against US
attribution.

Regardless, the Spiegel assumptions or slant is worthy if for nothing else
than to teach everyone the issues with attribution, whether applied to greater
or lesser evils.

~~~
k-mcgrady
>> "It is worthwhile to apply the same scepticism for placement of attribution
as was applied with the Sony hack."

Just playing devil's advocate here.

The alternative is to do as the USG did and immediately jump to conclusions
based on not that great evidence. If they don't give others the benefit of the
doubt why should we give it to them?

~~~
dsjoerg
If your goal is to understand who is doing what, then you want to be smart
about how you draw conclusions.

If, on the other hand, your goal is to flame people who have done bad stuff
when the opportunity arises, then yeah, go for it.

------
jgrahamc
_There are also additional clues pointing to Regin being a Five Eyes tool: In
the QWERTY code, there are numerous references to cricket, a sport that enjoys
extreme popularity in the Commonwealth._

Given the relative popularity of cricket in the US vs. the rest of the world,
it's more likely that this was written outside the NSA.

~~~
coding4all
I don't think it's the sport. I think it's cricket = bug = spy tool.

~~~
ceejayoz
A spy tool that chirps every few seconds to announce its presence? There are
better insects to reference.

~~~
aesede
Maybe because it jumps, as malware usually does.

------
jcfrei
Seeing that this is a keylogger, how complex would it be to enable a sort of
SSL protocol between the keyboard and a specific application? The
computational overhead should be manageable, the connector (USB) wouldn't need
to change and there should be a fallback for any application which doesn't
support it. But if crucial applications like mail and the browser programs
could use it, it might deliver another blow to security companies.

The way I would implement it is that the keyboard has a switch to enable this
SSL type communication. Then the keyboard can perform a Diffie–Hellman key
exchange with the current process. As a result any other interaction with the
OS would become impossible until that process is terminated - basically
disabling all OS related shortcuts etc. This would allow true end to end
encryption - even on compromised systems (as long as the kernel code isn't
modified to allow accessing the memory of other processes).

~~~
MichaelGG
If the OS is compromised, then you can't work around that to secure a program
inside the OS. You can run the program somewhere else, like on the keyboard
itself. Some secure crypto devices have displays, so you can see what you're
signing.

The only similar thing I've heard of is the "Secure Attention Sequence" in
Windows. That is, pressing Ctrl-Alt-Del before entering credentials lets you be
sure an _application_ is not mimicking the logon prompt. But of course if the
OS is compromised (like by loading a driver that intercepts such keystrokes,
like VMware Enhanced Keyboard) all bets are off.

Think about it, the OS is executing all the code for the app, and storing all
the memory.

This is also why there is a push for trusted computing. Being able to have
your processor, OS, etc be able to verify they are running a trusted
configuration is a powerful thing. It makes the owner of the computer in
control. (The downside is when the user is not the owner, but would like to
be, then they get upset at restrictions.)

~~~
PeterisP
"Trusted computing" puts the controller of the trusted infrastructure in
control - the owner of the computer should expect that any NSA-approved
malware will be considered properly trusted, and being in control of a secure
OS doesn't help against attacks coming from the hardware (malware or backdoors
on firmware) with direct memory access.

------
rikkus
"Regin Malware Unmasked as NSA Tool" or NSA Tool found to contain part of
Regin malware?

------
LLWM
Published it where? The only link I can find is
[http://www.spiegel.de/media/media-35668.pdf](http://www.spiegel.de/media/media-35668.pdf),
and calling that source code is a bit generous to say the least.

~~~
caskance
Seriously. Did nobody else here actually come because they were interested in
seeing Regin's source code? I feel like I'm in crazy land.

------
ufoolme
As a lazy person and Devil's advocate, why does anyone not think that the
various intelligence agencies copied the malware? Surely they would have
access to some of the best in all their various honeypots be it that they are
attacked by everyone and everything. "Good artists copy, great artists
steal."-PP

------
DavideNL
US spying on allies, what else is new? Wasn't most of this already known? From
wikipedia
[https://en.wikipedia.org/wiki/Regin_(malware)#Known_attacks_...](https://en.wikipedia.org/wiki/Regin_\(malware\)#Known_attacks_and_originator_of_malware)
:

`Der Spiegel reported in November 2014.......`

`Fox IT found Regin on the computers of one of its customers, and according to
their analysis parts of Regin are mentioned in the NSA ANT catalog under the
names "Straitbizarre" and "Unitedrake".`

~~~
happyscrappy
Has Spiegel reported on the ubiquitous US spy stations peppered throughout
Europe? Have they speculated on why Europe does not close them?

~~~
UnoriginalGuy
Because the US shares intelligence with those governments. In some EU
countries it is illegal for the government to spy on its citizens (also see
the US pre-9/11), so the US spies on those countries and then relays the info
back.

Pre-9/11 this is also how the US worked. The UK spied on the US and the US
spied on the UK, thus both subverting national laws; they then shared
intelligence with one another (which is legal) and thus the loophole was born.

This is actually the system the US is going back to: it is becoming
politically unpopular for the NSA to spy on American citizens, so GCHQ will
likely take over the majority again. The reason they couldn't after 9/11 was
that the workload increased too much in too short a period, and the systems
didn't yet exist.

~~~
Lambdanaut
In my mind those are conspiracy-theory-level claims. Got sources?

~~~
Someone1234
There's nothing conspiratorial about that one. Look up the echelon network and
the UKUSA Agreement (both on Wikipedia). It has also been talked about in
several books on the topic and discussed openly in the press. It is almost an
"open secret" at this point.

Heck you can almost read the above claims verbatim here:

[https://en.wikipedia.org/wiki/UKUSA_Agreement#Controversy](https://en.wikipedia.org/wiki/UKUSA_Agreement#Controversy)

> During the 2013 NSA leaks Internet spying scandal, the surveillance agencies
> of the "Five Eyes" have been accused of intentionally spying on one
> another's citizens and willingly sharing the collected information with each
> other, allegedly circumventing laws preventing each agency from spying on
> its own citizens

~~~
hansjorg
What would you call it when governments conspire against their populations to
subvert constitutional limits? It's literally conspiratorial.

~~~
Someone1234
Maybe, but I'm 99.99% sure that wasn't the person above's implication by
suggesting it was "just" a conspiracy theory. If it had been, their entire
point would be redundant; instead it is likely they were trying to suggest it
was a fiction or born out of paranoia.

I wouldn't go so far as to call it a "fact" but based on several leaks, books,
and news sources it is likely more fact than fiction.

------
peterwwillis
Many espionage tools are designed by organizations that then sell or license
their tools to 3rd parties. Just because the NSA used it doesn't mean they
wrote it.

_"Some reporters were surprised to learn that the University of Maryland had
a "covert" NSA facility operating somewhere on or near the school grounds.
[..] "Which facility and exactly where it was Snowden worked is unknown, but
the NSA has connections to several university facilities, including the
Laboratory for Physical Sciences, the Office of Technology Commercialization
and the Lab for Telecommunication Science.""_

[http://www.motherjones.com/mojo/2013/06/university-maryland-...](http://www.motherjones.com/mojo/2013/06/university-maryland-edward-snowden-nsa)

Oh, and the University's college hacking team got 1st at the Major League
Hacking Championship in 2013, winning over MIT, Carnegie Mellon and Rutgers.
[https://www.umdrightnow.umd.edu/news/umd-students-win-major-...](https://www.umdrightnow.umd.edu/news/umd-students-win-major-league-hacking-championship)

There are probably hundreds of other organizations which work 'in partnership'
with the intelligence community to develop programs which are essentially used
to better their espionage and analysis capabilities. Almost all the
Virginia/DC/Maryland area's tech companies are employed in one way or another
by the federal government, usually for the military or an intelligence agency.

------
upofadown
OK, if you believe that there is actually such a thing as "Cyberwar" then this
means that the USA has attacked Belgium. Does this give Belgium the right to
physically blow up some important American infrastructure? ... or is Cyberwar
a type of cold war which would limit the response to some sort of hacking of
important American infrastructure?

~~~
atmosx
I don't know. We'll find out when the attacker will be Belgium and the
_victim_ the US.

------
beagle3
Assuming all of this is true, and the TPP leaks are indeed what they seem to
be - wouldn't the TPP let every corporation outside $COUNTRY sue the
government of $COUNTRY for malware? (e.g. for $COUNTRY in Five Eyes)?

First upside to the TPP that I've seen, if true.

~~~
grecy
If you or I wrote it we'd go to jail for a very, very long time.

When a government writes it, nothing happens.

~~~
MichaelGG
Really? Apart from France, do most countries prosecute the author of
computer/hacking tools? I was under the impression that the use of the tools
is what mattered. Just like BitTorrent itself has been fine, but any hints of
using it for copyright infringement get fire.

After all, you could use this malware to spy on your child's use of your PC,
which is legal, right?

~~~
pjc50
See Dmitry Sklyarov, among others.

------
hluska
Nothing like waking up to a story that makes you feel embarrassed by your
citizenship. Good job Canada, you're making a Maple Leaf a dangerous symbol
all around the world.

When I was a youngster, being Canadian meant that I could travel anywhere and
be fine. Granted, there was a > 50% probability that the other Canadians I
would meet were really Americans, but that was nothing. My country had a solid
international reputation. Now???

~~~
NietTim
Just imagine being American and being full of false pride...

~~~
Deviant
How about being an American that has lived in the States, Aussie, and New
Zealand over the past five years - I can't escape the Five Eyes shame :(

------
bayesianhorse
My current opinion on government hacking is, that I actually want democratic
government to be the biggest meanest hackers of them all.

The alternative, unfortunately, is that either organized crime or
non-democratic governments (or a combination of both) would be the biggest
meanest hackers.

And hacking doesn't really scale. Mass surveillance just through attacking
individuals with malware isn't possible, because of limited "talent" and a
fear for exposing the tools, like just happened.

Building backdoors into systems or encryption schemes, on the other hand,
isn't exactly hacking but does scale well to indiscriminate spying on millions
of people.

The main issue is that intelligence and law enforcement agencies in the
western world aren't bound to judicial control as tightly as they should. It
also seems that a majority of voters either consent to these powers, or don't
care. When politicians want to appear "acting decisively" after terrorist
attacks, or foreign hacking incidents, it's not just because they like to do
so. They know that, if they don't, voters will disapprove.

~~~
teamhappy
Not sure why people vote you down for sharing your opinion. Having said that,
your logic is fundamentally flawed. Governments have to either focus on
attacking or defending. Focusing on attacking means keeping a lid on
vulnerabilities, which weakens the security of citizens and corporations
inside their own country. Focusing on defending means disclosing those
vulnerabilities in order to protect everybody, which also means those
vulnerabilities can't be used in attacks anymore. You can't really have both.

~~~
bayesianhorse
Not disclosing vulnerabilities is not a question of attacking or defending,
it's just stupid to keep vulnerabilities open.

I also didn't propose to uncompromisingly favor attack capabilities. I still
don't think effective cyber defense is possible on a national level without
leading the edge on offensive abilities as well.

~~~
teamhappy
I really don't want to explain it a third time, so let me just ask you a
question instead: How do you _lead the edge on offensive abilities_ without
keeping vulnerabilities/bugs secret? Let me rephrase that: How do you _lead
the edge on offensive abilities_ without weakening the security of the people
who are paying your salary; the very same people you swore an oath to protect?
Please explain to me how that is possible on a technical level. If you can't,
or you still don't really understand what I'm talking about, that's fine. Just
ask.

---

I'm gonna explain it a third time. (Looks like you don't want to talk to me.)

Having offensive abilities means having one or more remote exploits ready to
use. Having remote exploits ready to use means sitting on undisclosed
vulnerabilities. Sitting on undisclosed vulnerabilities means weakening the
security of the people you're supposed to protect.

It's quite simple, really. You can't _remotely_ attack a computer without
remote exploits. I only count remote attacks as "cyber warfare".

~~~
bayesianhorse
Remote exploits work surprisingly well on unpatched systems, stupid users,
misconfigured hardware/software, and if that doesn't work, maybe it's time for
a bit of old-fashioned humint.

------
thesmileyone
Right on the GCHQ website it states: "In addition, we are also pleased to
announce that GCHQ and MI5 are working with their US partners to further
strengthen UK-US collaboration on cyber security ..."

I think it is fair to say they all use the same tools!

------
rollthehard6
What's the feeling on the morality aspect of this? In a way it seems like the
same situation as if US designed and manufactured weaponry were used against a
US friendly power by some third party - is it analogous though?

------
alfiedotwtf
If so, can the people and companies that were affected file a class action?

~~~
teamhappy
Class action might be a solution for US citizens. The problem with malware
though is that you end up infecting a whole lot of innocent civilians all over
the place, which the people in Den Haag have slightly mixed feelings about. To
be honest, I'm a bit disappointed that these cases never end up in
international courts. The rules we have in place seem pretty clear to me.

~~~
coldcode
Unlikely; you can't sue the Federal Government without its permission. In any
case the NSA would simply say "national security" and boom, you are done.

~~~
anonbanker
Then sue Alexander and Clapper for their roles, and lay the case that their
actions were not in the scope of the office they held.

Then the government says nothing, and bad people get prosecuted.

------
sudioStudio64
The NSA is tasked with doing signals intelligence so I get why they would
develop some hacking abilities but you have to wonder where the break over
point is with the money they are spending...at some point they are spending
enough money that they could actually make a difference in improving our
software and infrastructure. I mean, one of the reasons they say that they
need these capabilities is because we are so vulnerable...how about actually
helping out?

~~~
hox
They do. They have lots of documents and guidance on best practice for
security. As for code, they started the SELinux project.
[http://en.m.wikipedia.org/wiki/Security-Enhanced_Linux](http://en.m.wikipedia.org/wiki/Security-Enhanced_Linux)

------
cyphunk
Downvoting on HN has become absurd. Also noticing this on other comments in
this thread.

~~~
anonbanker
I've been tracking the new downvoting trend for the last week or so. Seems
there's a lot of accounts downvoting everything that doesn't coincide with
Western Government sensibilities. The recent North Korea and LSD threads (not
just my replies, but you can get to the threads from my comment history) are
really interesting examples to trudge through and see how many valid replies
are sitting at -1 or worse.

~~~
rndn
I've experienced a couple of really bad downvotes as well lately, and they
definitely had no intention of editorial feedback; it was quite obviously
mindless prejudice, almost on the level of /r/politics or /r/worldnews. I
wish HN would replace downvotes with a system for short and private
annotations, so that people could receive concrete feedback, not something
that is vaguely implied by a number. That would also remove the problem that
people mindlessly jump on the downvote bandwagon.

~~~
res0nat0r
Even better would be to turn on an option for a user to show/hide political
posts from the site altogether.

~~~
ptaipale
That would be nice, but in practice there are no commonly accepted clear
criteria for what is "political" and what is not, and any attempt to enforce
such criteria would likely bring arbitrary and unfair results.

------
madaxe_again
Uh, wasn't Regin apparently used in the Sony hack?

~~~
rndn
No?

~~~
madaxe_again
No, you're right, Belgacom - it was all just reported at about the same time.

~~~
thomasmarcelis
There is more than a year difference between the two

~~~
danesparza
Agreed - more than a year between the two. Here is the full rundown if you're
interested:

Regin details:
[http://en.wikipedia.org/wiki/Regin_(malware)](http://en.wikipedia.org/wiki/Regin_\(malware\))

Sony hack details:
[http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hac...](http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack)

------
lsaferite
Tinfoil hat: Hypothetically, if the Russian government were angry with the US
government and wanted to give them a black eye, wouldn't having a Russian
security firm announce to the world that the NSA was responsible for Regin be
a good tactic?

Not saying NSA wasn't involved as I don't really trust my government, but when
I read the article and saw Kaspersky mentioned, that was the first thing that
popped into my head.

~~~
dubbel
I see your point.

In this specific case Fox-IT (Netherlands) said the same thing. They based the
claim not on the "source code" but on the fact that Regin was part of
programs/processes of the NSA department ANT and mentioned in some leaked
presentation slide of them (Source:
[http://www.spiegel.de/netzwelt/netzpolitik/trojaner-regin-is...](http://www.spiegel.de/netzwelt/netzpolitik/trojaner-regin-ist-ein-werkzeug-von-nsa-und-gchq-a-1004950.html) (German)).

Thinking about infosec companies that publish impactful findings from time to
time there is F-Secure from Finland, Fox-IT from the Netherlands, Symantec
from the US and Kaspersky from Russia. Does anyone know about important
Chinese/Japanese information security companies?

