Regin Malware Raises Civil Liberties Concerns
A previously unidentified form of malware highlighted in a Symantec report Monday raised questions about the balance between a nation’s civil liberties and security concerns, said privacy and security experts in interviews. The cutting-edge malware, known as Regin, has the hallmarks of government-sponsored intelligence gathering software, they said. Regin’s use raises the specter of governments implementing the program against their citizens, said Cooper Quintin, Electronic Frontier Foundation staff technologist.
There wasn’t enough evidence to identify a particular country or countries behind Regin, said Vikram Thakur, Symantec Security Response senior manager and one of the report’s authors. Regin’s profile fits a “well funded and well organized” government-backed organization, he said. The report said Regin was located among industries and individuals in 10 countries, primarily Russia (28 percent of infections) and Saudi Arabia (24 percent). Individuals and small businesses were 48 percent of Regin’s targets; telecom “backbones,” 28 percent, it said. Thakur said the program has been operational since at least 2008. That individuals and telecom networks were targeted led Symantec to believe the Regin backers were aware of a “larger mandate” than just trying to steal intellectual property, he said. That could mean Regin operated within a particular “jurisdictional or legal framework,” said Thakur.
Regin is “highly sophisticated” software that, unlike most malware, isn’t trying to gather financial or intellectual property information, said David Kennedy, president of TrustedSec, an information security consulting firm. Instead, Regin is designed to be “very, very stealthy” and gather general information on a specific target, he said. Regin communicates with its host through encryption, which is a sign of “government-sponsored electronic warfare,” said Kennedy. The malware could have originated from U.S. or Israeli government intelligence sources, he said, saying Regin appears similar to Stuxnet, an allegedly Israeli-created malware system that attacked Iranian power plants in 2010 (see 1209190083).
EFF’s Quintin said he wouldn’t “cast aspersions” on Kennedy’s speculation that the U.S. or Israel could be behind Regin. The malware was created with substantial resources, said Quintin. It could have taken as long as a year to develop the malware, he said. There’s a “high degree of likelihood” that it was commissioned by a government or governments, said Quintin. Regin was used to “compromise” ISPs and telecom backbones, which points to its being used for espionage, he said. “The problem with this sort of malware is once you have this tool, there’s very little reason not to use it against your own citizens or dissidents.”
How Regin could affect civil liberties is “definitely questionable,” said Thakur. Data is being “stolen without consent,” he said. “That’s definitely a problem.” Countries must have these kinds of data-collecting tools, said Kennedy. War is no longer about having the most advanced military, but about having the ability to “take down a country without firing a missile,” he said, saying China and Russia have the ability to seriously damage the U.S. through similar programs. “But we have to make sure our constitutional rights are protected,” said Kennedy. “We don’t have a good handle on that right now.”
“The use of sophisticated hacking tools like Regin typically relies on previously undisclosed security vulnerabilities,” known as “zero days,” said Alan Butler, Electronic Privacy Information Center senior counsel. Citing a 2013 White House report on intelligence gathering technologies, Butler said the U.S. should have a “policy to protect the privacy and security of Americans.” This "is an area where security and privacy are directly aligned, and it is necessary to root out these vulnerabilities in order to protect both,” he said. For such malware, a consumer’s “best option is to maintain up-to-date security software and to avoid using unknown USB keys and other potentially-infected devices,” said Butler.