25 Nov 2014

‘The new Stuxnet’ – is GCHQ linked to Regin hacking campaign?

Reports are emerging that link a global hacking campaign to an episode in which GCHQ is alleged to have accessed the networks of a Belgian telecoms company.

Over the weekend, the anti-virus company Symantec released details of a piece of malware called Regin, which the company said had infected computer users and small businesses, mainly in Russia and Saudi Arabia.

Symantec said the malware was as complex as Stuxnet, one of the most sophisticated hacking tools ever discovered, which appeared to have been tailor-made to sabotage uranium-enrichment centrifuges in Iran.

Media reports have since attributed Stuxnet to the US Government, and Symantec's description of Regin as a “top tier” hacking tool carries the same implication: that it, too, was built by government-funded technicians.

Online publication The Intercept has now claimed to have found a link between Regin and the software used to hack into a high-profile Belgian telecoms company. The twist is that the telecoms company in question served the European Parliament, Commission and Council, and is alleged to have been infiltrated by GCHQ.

Leaked documents from the whistleblower Edward Snowden revealed a 2010 mission codenamed Operation Socialist in which GCHQ was said to have targeted Belgacom employees and infected their computers, giving British spies access to the company’s networks.

The Intercept says it obtained a copy of the software found at Belgacom (a file that was uploaded to a public website immediately after Belgacom spotted the intrusion in June 2013) and a copy of Regin, and that the two match.

Not only was the Belgacom file uploaded on 21 June 2013, the date on which the company said it discovered the attack, but it also targets the company’s email system, which Belgacom’s head of security confirmed was hit in the attack.

Having compared the Belgacom file to a copy of Regin, The Intercept claims to have found a match in the “loader”: the component that runs first on a victim’s computer and is responsible for decrypting and loading the malware’s remaining stages, which Regin keeps on disk in encrypted form.
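What “finding a match in the loader” involves in practice, as an added example that is not from the original article or from The Intercept’s analysis: two files that differ as a whole (so their hashes do not match) can still contain the same component. The script below builds two constructed byte strings that share one 256-byte block, then reports the whole-file hash comparison, an 8-byte n-gram similarity score, and the longest byte run common to both. All sample data here is constructed pseudo-random bytes standing in for the two files; none of it is Regin or the Belgacom sample, and the thresholds are illustrative assumptions.

```python
"""Check whether two malware samples share a code component (such as a loader)
even though the files as a whole differ.

Added example with constructed data; it is not The Intercept's method and does
not use the real Belgacom or Regin files."""
import hashlib
import random
from typing import Dict, List, Set, Tuple

N = 8  # byte n-gram length; long enough that accidental overlap is negligible


def sha256_hex(data: bytes) -> str:
    """Whole-file hash: only tells you whether two files are byte-identical."""
    return hashlib.sha256(data).hexdigest()


def ngrams(data: bytes, n: int = N) -> Set[bytes]:
    """Set of every n-byte window in the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = N) -> float:
    """Fraction of n-grams the two samples have in common (0.0 .. 1.0)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def longest_shared_run(a: bytes, b: bytes, n: int = N) -> Tuple[int, int, int]:
    """Return (offset_in_a, offset_in_b, length) of the longest byte run present
    in both samples. Seeds on matching n-grams and extends each seed forward."""
    index: Dict[bytes, List[int]] = {}
    for i in range(len(a) - n + 1):
        index.setdefault(a[i:i + n], []).append(i)
    best = (0, 0, 0)
    for j in range(len(b) - n + 1):
        for i in index.get(b[j:j + n], ()):
            k = n
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if k > best[2]:
                best = (i, j, k)
    return best


def compare(a: bytes, b: bytes, min_run: int = 64) -> dict:
    """Summarise how two samples relate: identical file, shared component, or unrelated.
    min_run is an assumed threshold for calling a shared byte run a real component."""
    off_a, off_b, length = longest_shared_run(a, b)
    return {
        "identical": sha256_hex(a) == sha256_hex(b),
        "jaccard": round(jaccard(a, b), 3),
        "shared_run": (off_a, off_b, length),
        "shares_component": length >= min_run,
    }


# Constructed stand-ins for the two files (deterministic pseudo-random bytes).
_rng = random.Random(20141125)
SHARED_LOADER = bytes(_rng.getrandbits(8) for _ in range(256))  # common component
_a_rest = bytes(_rng.getrandbits(8) for _ in range(512))
_b_rest = bytes(_rng.getrandbits(8) for _ in range(512))
SAMPLE_A = _a_rest[:300] + SHARED_LOADER + _a_rest[300:]  # first file, loader at 300
SAMPLE_B = _b_rest[:100] + SHARED_LOADER + _b_rest[100:]  # second file, loader at 100
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(768))  # control with no shared code

if __name__ == "__main__":
    print("A vs B     :", compare(SAMPLE_A, SAMPLE_B))
    print("A vs other :", compare(SAMPLE_A, UNRELATED))
```

The whole-file hashes of the two samples differ, so a hash lookup alone would report no relationship; the shared 256-byte block shows up both as a non-zero n-gram similarity and as a long common run at different offsets in each file, which is the kind of evidence a “match in the loader” rests on. On real binaries the same idea is applied to disassembled code or to individual sections rather than raw bytes, so that relocations and padding do not mask shared routines.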

Privacy campaigners are now focusing on the legal framework under which such advanced hacking tools are used.

Privacy International’s Eric King said: “Although we know more than ever before about the capabilities of British and American security services to conduct network exploitation and attacks, we still don’t know on what legal authority GCHQ and the NSA purport to act.

“There is no clear legal framework in either country that sanctions and regulates the deployment of these kinds of intrusive tools.”

For its part, GCHQ has always stressed that its operations stay within the law, and told The Intercept that it operates within a “strict legal and policy framework”, but would not comment on specific intelligence matters.

Follow @geoffwhite247 on Twitter