NSA tied to Regin Malware

Late last November Symantec Security blog posted information about a new, very sophisticated piece of malware named 'Regin.'   They claimed that the malware had been in operation since 2008, and that it was being used to spy overwhelmingly on private individuals around the world, though governments and other organizations were as well targeted.  Most damning of the information Symantec released was the notion that "Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. "

Such statements immediately raised suspicions, and it was not long before accusations regarding who could have created such sophisticated started coming forth.  Notably, it was suspected that the recently discovered Regin malware might be the means by which the US was spying on the European Union, as whistle-blower Edward Snowden had revealed through leaked NSA documents.

This, of course, was interly speculative.  Until today.  By comparing Regin's code to that of the terribly named keylogging program Qwerty, researchers at Kaspersky Lab were able to find shared code between the two.   Qwerty, one of many files leaked by Edward Snowden, was recently made available by the German newspaper  Der Spiegel.  Once this was availble, the Kaspersky lab researchers were not only able to prove a link between the two programs, but as well proved Qwerty's dependence on Regin.  The researches conclude their blog post with;

Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work part of the Regin platform.  The QWERTY keylogger doesn't function as a stand-alone module, it relies on kernel hooking functions which are provided by the Regin module 50225.  Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together.