Friday, 28 June 2019 10:20

Regin malware used in Western spying on Russian firm


Western intelligence agencies, which have been accusing China and Russia of spying on their nations, reportedly infiltrated the Russian search firm Yandex last year, using Windows malware known as Regin that has been identified as having been created and used by the NSA and Britain's GCHQ.

The use of Regin was first revealed by NSA whistleblower Edward Snowden and later described by Russian security firm Kaspersky and the American cyber security company Symantec.

The malware, which was described by Symantec in 2014 as "a complex piece of malware whose structure displays a degree of technical competence rarely seen", has also been used by the other so-called Five Eyes countries, Canada, Australia and New Zealand, a Reuters report said on Friday.

The Symantec analysis of 2014 said further, "It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state."

Kaspersky's analysis at the same time said: "Regin is a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels." The company identified victims of Regin in 14 countries at the time: Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Russia and Syria.


Yandex had more than 108 million monthly users in Belarus, Kazakhstan and Turkey, Reuters reported, citing anonymous sources.

The attackers hit Yandex between October and November 2018 and were said to be looking for the way Yandex authenticates user accounts, apparently in order to pose as Yandex users and access other people's messages.

The Intercept reported on Regin back in 2014, based on information from Snowden which pointed to the malware being used against the Belgian telco Belgacom. The same malware was found on computers belonging to the EU that had been targeted by the NSA.

The version of Regin found on the Yandex systems had a good deal of new code and Kaspersky established its identity, the Reuters report said.

Kaspersky was contacted for its reaction, but the company said it had no comment to make.


A diagram of the Regin platform. Courtesy Kaspersky

Symantec said in the report that it had also found a new version of Regin. iTWire has contacted the company for comment.

It is rare for American advanced persistent threats to be identified in this manner. About the only company which did so was Kaspersky and, after it was barred from selling products to the US public sector, it too has maintained a veil of silence.

The last time Kaspersky revealed an American spy operation was at its annual Security Analyst Summit in 2018, when it disclosed details of an operation known as Slingshot.

Sometime later, Slingshot was claimed to be an operation run by the Joint Special Operations Command, a part of the Special Operations Command. Slingshot was said to be used by US military and intelligence personnel to collect information about terrorists.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
