This Malware May Have Gotten the NSA Caught With Its Hand in the Cookie Jar

Sean Gallup/Getty Images

In Norse mythology, Regin is a cunning dwarf who raises the hero Sigurd as his own son in order to use him as an instrument of revenge against Regin’s deceitful brother, Fafnir. Having become a dragon after stealing the family’s hoard of gold, Fafnir is killed by Sigurd, who then goes on to kill Regin when he learns that his adopted father used him to avenge his brother’s crime.

Now, the old Norse dwarf has a second life as a newly discovered, highly advanced piece of malware, techspeak for software used to damage or infiltrate computers. On Sunday, researchers at Symantec, the computer security firm, released their findings on Regin, a piece of malware that bears the hallmarks of British and American government hackers and can be used to infiltrate computers, mine data, access file systems, hijack point and click functions, take screenshots, and carry out network surveillance. The bug is almost entirely encrypted, and its payload can be customized depending on the target.

Symantec’s report compares the bug to Stuxnet, the infamous Israeli-U.S. bug that was used to infiltrate and sabotage Iran’s nuclear program by causing Iranian centrifuges to spin at such excessive speeds that they ultimately broke down. "In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless," the researchers wrote in a white paper on the malware. "What we have seen in Regin is just such a class of malware."

The level of technical sophistication in the malware would appear to suggest that it is the work of a nation state, not a rogue hacker or collective. While a full list of its targets isn’t yet known, the Intercept reports that Regin has been "identified on the same European Union computer systems that were targeted for surveillance by the National Security Agency." Moreover, the site reports that the malware was used to attack a Belgian telecommunications company whose clients include key EU bodies such as the European Commission, the European Parliament, and the European Council. A security expert hired by the telecom company to remove the malware from its servers told the Intercept he is convinced the malware is of either British or American make.

Targeting such a body would certainly make sense from the perspective of both American and British spies. With U.S. policymakers engaged in negotiations with their European counterparts over a possible trade deal, EU officials have all but certainly become a target for American surveillance. Last year, Der Spiegel, citing information provided by Snowden, reported that EU offices in New York, Washington, and Brussels had been targeted by the NSA.

The Symantec cyber sleuths say Regin is stunningly advanced. The malware functions in a modular design that works at all points to hide its make. The only portion of the bug that is unencrypted is the initial deployment mechanism, which serves to trigger the other components, all of them encrypted. Targets can be infected with the malware through a variety of methods, including spoofed web pages and instant messaging systems.

Stuxnet, by contrast, is thought to have been introduced into Iran’s networks through an infected USB drive. An unnamed U.S. official quoted in a New York Times article about the secret program code-named "Olympic Games" told reporter David Sanger that "it turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand."

Regin’s technical features appear to indicate that it was created by British or American spies and not their Chinese or Russian counterparts, who also have the resources to possibly create a program of this nature. "This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil (The Mask), while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats," the researchers write, referring to programs believed to have been created by the U.S. National Security Agency and its allies. The company was careful not to directly attribute the bug to Washington or London, however.

"Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals," the researchers wrote in a blog post. "Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state."

American and British spies aren’t commenting on the revelations about the bug, but if Symantec’s findings have indeed unmasked a piece of NSA malware, the researchers have stripped the agency of an enormously powerful weapon. Regin, the researchers note, "can potentially be used in espionage campaigns lasting several years" due to its "low key nature."

"Even when its presence is detected, it is very difficult to ascertain what it is doing. Symantec was only able to analyze the payloads after it decrypted sample files," the researchers add.

The bug appears to have been in use from at least 2008 until 2011, when it was suddenly withdrawn. It reappeared last year.

Now that Regin has been discovered and outed, the program could face elimination, though not at the hand of Sigurd.     

Elias Groll is a staff writer at Foreign Policy. Twitter: @EliasGroll
