The Australian Signals Directorate (ASD) has been linked to the development of a top-tier cyber espionage program, ‘Regin’ – a tool highly suited for high-level, continuous and long-term surveillance operations.
Regin, also known as WarriorPride, is a form of highly sophisticated trojan malware which is capable of stealing passwords, recovering deleted files, capturing screenshots, taking control of the mouse’s point-and-click functions, monitoring network traffic and enabling remote access.
The Regin cyber-weapons system has reportedly been used in dozens of high-level cyber attacks, including against European companies and a member of German Chancellor Angela Merkel’s staff. It has also been compared to the Stuxnet program thought to have been used against Iran’s nuclear facilities.
The ASD has now been implicated in Regin’s development, through information leaked by US National Security Agency (NSA) contractor Edward Snowden and published by German magazine Der Spiegel, and through subsequent research by experts including analysts at Kaspersky Lab.
As part of its report earlier this month, Der Spiegel published the source code of a program called QWERTY, which was contained in the Snowden documents linked to the NSA and its other Five Eyes intelligence partners (Australia, Canada, New Zealand and the UK).
According to the magazine, this ‘key logger’ program is designed to intercept the keys pressed on a target computer’s keyboard and record them for analysis.
Strings in some of the QWERTY binaries refer to “DSD”, suggesting that the ASD – until 2013 known as the Australian ‘Defence Signals Directorate’ (DSD) – may have played a part in the program’s development, says digital security analyst Claudio Guarnieri, who has been analysing the QWERTY code published by Der Spiegel.
“It is clear now that Five Eyes, especially other than the NSA I imagine, joined efforts to share resources and collectively develop a unified malware program,” he says.
Now, researchers at Kaspersky Lab say they have proof that the QWERTY plugin shares code with the Regin malware and operates as part of the platform.
“We conclude that the ‘QWERTY’ malware is identical in functionality to the Regin 50251 plugin,” state Costin Raiu and Igor Soumenkov in their analysis.
“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” they said.
The ASD refused to comment when asked if it had played a part in the creation of Regin or QWERTY.
“Defence does not comment on intelligence matters,” an ASD spokesperson said when asked by Vulture South, according to TheRegister.co.uk.
By Katy Scott and Bryce Lowry