
The NSA “Narrative”: Beautiful Software Deserves A Beautiful Story

Things have been quiet on the NSA front, as the secret intelligence agencies demonstrate their abilities to both keep secrets and conceal through public information.

But this week we have a real security report from Symantec, describing “Regin”, a sophisticated covert spy tool (for Microsoft Windows, as far as I can tell). It has apparently been in use for 8 years or more.

Wow!  A glance at the report [PDF] shows that this is an awesome piece of work. It’s really, really cool technology. It is exactly what you want secret spyware to be like!  Clean, well built, flexible. Very difficult to detect.  Difficult to just copy and reuse it. (The latter is a valuable attribute in a weapon!)

Whoever made this was very competent, well informed, and well funded.

And they have excellent OpSec: no boasting, no rumors, no copies for sale to script kiddies. For that matter, no silly signatures or accidental signatures in the code have been reported.

Professional.

This public report was immediately incorporated into “the NSA Narrative”, with the aid of the media. “Everyone knows” that this was probably the product of US/GCHQ and possibly Israel. Partly, this is inferred from the geography of the known infections, but mostly because it fits into the existing narrative.

So, The Intercept reports that it resembles Stuxnet, a widely reported cyberweapon deployed by the US and Israel. (The resemblance is in the architecture, but many other programs, including most operating systems and virtual machines, share a similar design, albeit uncloaked.)

More telling, The Intercept says that documents leaked by Edward Snowden, now residing in Russia, claimed something like this was in use. So, the reasoning goes, this must be the unknown thing the unverifiable Snowden documents refer to.

So we have two parts of the story.  The technical facts, which are that we found something not unexpected.  And a story explaining what it means. Both provided by “independent” sources.

Whoever has been using Regin may be disappointed to have it revealed, but this must have been a known risk. It had a good long run and is probably still usable until MS Windows goes away. (No one knows exactly how it is introduced, so there is no “vaccine”. And the most easily detectable pieces can easily mutate, so there is no “penicillin” either.) And in any case, the successor is probably already in use, sneaking into mobile devices and cloud servers.

In any case, the NSA will certainly be pleased with the narrative:  the NSA is watching you, using nearly magical levels of technology!  Don’t trust the Internet and IT, especially to subvert the US/UK.

In addition, the narrative supports the public campaigns of the NSA and other forces pointing to sophisticated cyber attacks attributed to China and Russia, among others. A public awareness of just how sophisticated malware can be is vital for NSA’s defensive mission. Anyone looking at Regin knows that the Russians and Chinese can do something like this, too. And probably are doing so.

If this software is from the NSA or related groups, it is no less than I would expect from them.  A beautiful piece of work.

And the media stories have fit NSA’s narrative pretty well, too.  Another beautiful piece of work.