Is Regin the first example of a British cyberspying platform? Documented this week in some detail by Kaspersky Lab and to a lesser extent by Symantec, some experts privately think so even if getting them to say as much is proving difficult. In an area of software built on quicksand, nobody wants to sound too sure for fear of looking foolish later on.
The evidence for UK involvement in Regin is still highly circumstantial and built to a large extent on inference, but has some merit. Symantec decided to blow the cobwebs off its longstanding Regin research at the weekend to steal a march but it is Kaspersky Lab’s report from 24 November that makes more interesting reading, starting with its almost accusatory title, The Regin Platform – Nation State ownage of GSM Networks.
Traces of this highly-modular malware have been popping up in odd places for years, said Kaspersky Lab, with time stamps stretching back as far as 2003, making this possibly the oldest complex surveillance malware ever discovered. Sometimes Regin seemed to be stealing documents and credentials but in other cases it was connected to very specific and specialised hacking of GSM networks, for example a file logging base station activity during May 2008. They also retrieved a Regin sample from the computer of a Belgian cryptographer, Jean Jacques Quisquater – Regin is aimed at networks but also at individuals in a very specific and unusual way.
As it happens, a report emerged last year from Edward Snowden’s cache that mentioned the UK as using a programme called ‘Operation Socialist’ to hack Belgian state telco Belgacom in 2010 and 2011, which later caused a diplomatic fracas between the two countries. This was more recently connected to the targeting of Quisquater, which looks like more than coincidence.
Samples were detected in a curious range of countries, including Russia, Belgium, Iran, Pakistan, but also Fiji and Kirbati of all places. Regin’s creators didn’t target these locations by chance and probably had a very specific target in mind. Meanwhile, whomever built Regin had a quirky and probably English-language sense of humour, referencing Starbucks and the word ‘shit’ as plaintext comments inside the code on several occasions.
Tellingly, what Regin’s creators didn’t have was a kernel-level bypass for Microsoft’s PatchGuard in the 64-bit version of Windows. This type of exploit is highly unusual and complex US cyberweapons such as Stuxnet and Flame have deployed such finesse with an ease no other nation can match. In other words, would the US build such a complex malware platform and not use this kind of technique? On past evidence, probably not. Inference - somebody else made Regin.
So in its list of targets, its age, its sophistication - and in some details its lack of that - Britain looks like the most likely origin for Regin; Kaspersky even noticed that modules had timestamps that pointed to a development during office hours, GMT.
None of this is remotely conclusive and it could be decades or never before anyone knows who built Regin, by which time it won’t matter anyway.
Some will be unhappy at the thought that the UK and its allies has been using such malware (is it even legal to do so?) and five years ago there would have been some shock at such a suggestion. But times have changed and now we know all nations are at it, with China, Russia, Iran and even Syria connected to a variety of campaigns. Cyber-malware has become a mainstream geo-political requirement like any other, just one that nobody talks about, least of all lawyers.
Leaving aside arguments about legality, it is sensible to draw a distinction between tools used for spying and tools used to do real damage to the infrastructure of an enemy. So far, with the notable exception of Stuxnet, the state-created malware we know about has been built to spy on targets and to carry out using computer networks what once would have been done by human agents, cameras, and telephone taps. By contrast, the more threatening issue of offensive cyberweapons remains latent – for the time being.
But last week’s US House intelligence committee hearing in which cybercommand joint chief Admiral Michael Rogers warned that China has been carrying out reconnaissance of the US power grid using specialised tools is a reminder that cyberwarfare might one day have a more serious cost. He forgot to mention that the US has almost certainly done the same back because Chinese infrastructure is just as vulnerable.
If Cyberwar ever broke out in earnest, it wouldn't be zero sum game so much as a no sum game. Nobody would win, perhaps nobody could win. Regin tells us that even countries such as the UK can build complex weapons capable of advanced spying. But what darker programmes lurk in the cupboard that nobody will know about until they are used?
That is why understanding Regin, its origins and capabilities, should be a task of work for everyone interested in the unstable nature of Internet security and where it is leading us.