GCHQ/NSA Data-Grabbing Malware Disguised Itself As Microsoft Drivers, Was Served Via Fake LinkedIn Pages
from the im-in-ur-internet-stealing-ur-files dept
Some nasty malware with a decade of history behind it has been uncovered and it has the fingerprints of two governments all over it.
Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.
Behind the malware — which disguised itself as Microsoft drivers and was served via malicious, fake LinkedIn pages — lies a cooperative effort between the NSA and GCHQ. Belgacom has long since ousted the intruding software and is now working with a federal prosecutor to pursue a criminal investigation. Belgacom’s subversion by this malware — comparable in sophistication to the infamous Stuxnet, according to Symantec (which published its findings last Sunday) — led to the breach of EU offices.
Spying on foreign governments is what intelligence agencies are expected to do. But dumping malware into the operating systems of a communications provider generally isn’t. Belgacom’s infection is the only verified incident so far, but there are likely many, many more considering the Regin malware traces back nearly ten years.
Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned at a recent Hack.lu conference in Luxembourg, and Symantec’s report on Sunday said the firm had identified Regin on infected systems operated by private companies, government entities, and research institutes in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran.
GCHQ has issued boilerplate in response to The Intercept’s request for a comment. The NSA, on the other hand, apparently isn’t going to dignify this story with a non-denial denial, opting instead for something much more brusque:
“We are not going to comment on The Intercept’s speculation.”
What’s currently out there in the wild may not be as effective anymore. Belgacom discovered its infection around June 21, 2013, about a week before Der Spiegel published Snowden documents pointing to the digital infiltration of EU offices. The Intercept has made the malware available for download and states the following in its article.
Given that that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.
If so, then the two agencies involved have likely moved on to something better and less detectable. Being outed is no reason to stop spying, especially in other nations where legal protections range from “thin” to “nonexistent.”
Filed Under: gchq, malware, nsa, surveillance
Companies: belgacom, linkedin, microsoft
Comments on “GCHQ/NSA Data-Grabbing Malware Disguised Itself As Microsoft Drivers, Was Served Via Fake LinkedIn Pages”
And again the USG shows that when they’re talking about the ‘impending cyber Pearl Harbor’… the USG is the one playing the Japanese.
Re: Re:
That’s just it though. We all know what happened next. That’s why the US wants to shore up its cyber defenses so badly, because they know someone is about to drop the bomb on them.
Re: Re: Re:
Likely through their own pre-arranged backdoors.
European arrest warrant anyone?
Perhaps this will kill the UK adoption of the European arrest warrant scheme.
No one would believe them if they did comment. Because they cannot possibly tell the truth. They are basically “inviting” the cyber pearl harbour their panties in such a bunch over due to their own illegal hacking.
#building trust
“Disguised Itself As Microsoft Drivers”
Was it digitally signed as such?
Re: Re:
As per TheIntercept:
The Intercept’s investigation revealed a sample uploaded on VirusTotal on March 14th 2012 that presents the unique 0xfedcbafe header, which is a sign that it might have been loaded by a Regin driver and it appears to provide stealth functionality for the tool kit.
TDSSKiller.exe (distributed a while back to apparently ferret out a certain rootkit) has that 0xfedcbafe header.
https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/
built in
Who cares about malware when software like nepomuk are being built into your computer to monitor and index every thing
Re: built in
Only if you’re silly enough to stick with Ubuntu after Canonical began embedding spyware and partnering with spammers.
Re: Re: built in
nepomuk is used by KDE, so you can’t avoid it just by avoiding Ubuntu or Debian. Fortunately, you can totally disable it (which I recommend you do, not just for privacy reasons but also because it puts a fairly large drain on system resources.)
>”Spying on foreign governments is what intelligence agencies are expected to do”
And foreign governments are expected to be very upset when their supposed allies constantly backstab them.
I’ve seen faked linked in emails before. The giveaway was claiming someone I had never heard of wanted to connect with me. I signed in the normal way, and sure enough there were zero new connection requests.
Re: Re:
I regularly see fake LinkedIn E-mails. I know their fake, because I don’t think I’ve ever been to their site, much less have an account. So that’s been the NSA/GCHQ this whole time? Glad I kept reporting them. Too bad it didn’t do anything.
Windows users must not get enough viruses and malware, they need governments to add to the supply.
I find it interesting Regin infects cellphone tower base controller stations. Giving hackers access to all the E911 location tracking features built into smart phones.
Microsoft drivers on LinkedIn?
Who would be stupid enough to download MS Drivers from LinkedIn? Am I missing something here?
Serves them right for using LinkedIn.
its not faked linked-in emails they are using
Look up QUANTUM INSERT. Your communications with actual, genuine site(s) are being played around with to deliver malware and even “cookies” (yahoo cookies are a favorite).