The Curse of the Five Eyes – Regin and ‘QWERTY’ malware cut from the same cloth

28 Jan 2015

Kaspersky Labs has discovered remarkably similar codes in the recently revealed ‘QWERTY’ malware and Regin, an espionage tool discovered last year and linked to the Five Eyes Alliance.

Der Spiegel recently published a fresh trove of Edward Snowden documents, which included a new threat dubbed QWERTY – the German publication went so far as to reveal the source code of the program.

QWERTY is a keylogger, so in effect it can read what keys are being typed on a computer, compromising anything from private correspondence to passwords and confidential documents stored therein.

And now Kaspersky Labs – who along with Symantec revealed excellent background on last year’s Regin surveillance tool – has taken a look and directly relates QWERTY to Regin.

Five Eyes are watching you

“The QWERTY keylogger doesn’t function as a stand-alone module, it relies on kernel hooking functions which are provided by the Regin module 50225,” reads the report by Costing Raiu and Igor Soumenkov.

“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together.”

Regin / QWERTY

According to Raiou and Soumenkov, using a binary diff it is easy to spot a significant part of code that is shared between both files. Via Securelist

This leads most right-thinking people to believe that the Five Eyes Alliance – the US, the UK, New Zealand, Australia and Canada allegedly have a joint agreement on signal intelligence which includes cyberespionage – are behind both.

Kaspersky Labs though – just like with Regin – don’t directly suggest where QWERTY originated. Yet elsewhere, there’s plenty of fingers pointing in one, well… five directions.

Coincidences, cyber links and cricket

Der Spiegel itself notes how an obvious link between Regin, QWERTY and the Five Eyes Alliance is the fact that the two pieces of malware stem from Snowden’s documents. Also, as reported pretty much everywhere, Regin was the tool most likely used by the GCHQ – the UK surveillance agency – to hack Belgacom in a truly bizarre international incident.

The German paper also points out the shared targets between Five Eyes, the similarities with ‘Warriorpride’, a cyber-weapons system discovered in Snowden leaks, and even the cricket references within QWERTY (the Five Eyes Alliance is fairly Commonwealth heavy).

Somewhat related, the latest Snowden documents showed that the NSA – the US surveillance agency – is planning ahead, gearing up for where it believes the next major world conflict will be, online. To prepare itself the NSA has projected it will need around US$1bn to increase the strength of its computer network attack operations.

Meanwhile you have remarkable statements coming from the leaders of both the US and UK calling for clearer access to ever more mounds of correspondence online. Although that makes sense, perhaps, as it would save an awful lot of money already earmarked for international surveillance…

Hacking image, via Shutterstock

Gordon Hunt was a journalist with Silicon Republic

editorial@siliconrepublic.com