Follow Wired Twitter Facebook RSS Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer
It was the spring of 2011 when the European Commission discovered it had been hacked. The intrusion into the EU’s legislative body was sophisticated and widespread and used a zero-day exploit to get in. Once the attackers established a stronghold on the network, they were in for the long haul. They scouted the network architecture for additional victims and covered their tracks well. Eventually, they infected numerous systems belonging to the European Commission and the European Council before being discovered.
Two years later another big target was hacked. This time it was Belgacom, the partly state-owned Belgian telecom. In this case, too, the attack was sophisticated and complex. According to published news reports and documents leaked by Edward Snowden, the attackers targeted system administrators working for Belgacom and used their credentials to gain access to routers controlling the telecom’s cellular network. Belgacom publicly acknowledged the hack, but has never provided details about the breach.
Then five months after that announcement, news of another high-profile breach emerged—this one another sophisticated hack targeting prominent Belgian cryptographer Jean-Jacques Quisquater.
Now it appears that security researchers have found the massive digital spy tool used in all three attacks. Dubbed “Regin” by Microsoft, more than a hundred victims have been found to date, but there are likely many others still unknown. That’s because the espionage tool—a malicious platform capable of taking over entire networks and infrastructures—has been around since at least 2008, possibly even earlier, and is built to remain stealth on a system for years.
The threat has been known since at least 2011, around the time the EU was hacked and some of the attack files made their way to Microsoft, who added detection for the component to its security software. Researchers with Kaspersky Lab only began tracking the threat in 2012, collecting bits and pieces of the massive threat. Symantec began investigating it in 2013 after some of its customers were infected. Putting together information from each, it’s clear the platform is highly complex and modulated and can be customized with a wide range of capabilities depending on the target and the attackers’ needs. Researchers have found 50 payloads so far for stealing files and other data, but have evidence that still more exist.