Courage our network

Regin malware linked to GCHQ’s Operation Socialist

24 November 2014 – Over the past 24 hours, security companies have released information about an advanced malware tool called Regin.

Symantec described Regin as “a complex piece of malware whose structure displays a degree of technical competence rarely seen”, concluding that the “capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.”

Securelist then confirmed that Regin – “one of the most sophisticated attack platforms we have ever analysed” – was the malware present on Belgian cryptographer Jean Jacques Quisquater’s computer.

Quisquater is a Belgian cryptographer and expert in data security. In February this year Belgian newspaper De Standaard reported that his computer had been compromised and that that compromise was linked to an attack revealed in the Snowden revelations – GCHQ’s intrusion into Belgian communications company Belgacom:

the Quisquater hacking was discovered during an investigation into the Belgacom hacking case. Also according to our sources, that malware or techniques similar to those used in the Belgacom hacking were used to hack into Quisquater’s computer.

The Intercept has now drawn these strands together, suggesting that Regin was indeed the “Quantum Insert” malware employed by GCHQ in Operation Socialist and presenting evidence from security researchers to support that claim. The article’s authors do not, however, state whether the link is confirmed in unpublished documents from Edward Snowden.

Subsequent articles have drawn connections to other aspects of Edward Snowden’s revelations. In Wired, Kim Zetter points to Regin’s GSM capabilities as a possible component of NSA’s SOMALGET and MYSTIC capabilities, which involve the collection metadata – and in some cases, full take audio – from national telephone networks.

In Der Spiegel Christian Stöcker and Marcel Rosenbach link aspects of Regin to items (UNITEDRAKE, STRAITBAZZARE) available in the NSA’s internal ANT catalogue, which was published at the end of 2013. The hacking of Belgacom and Professor Quisquater’s computer is currently being investigated by Belgian prosecutors.

The Austrian newspaper De Standart reports that Regin malware has also been discovered on the systems of the International Atomic Energy Authority, which was known to have come under attack in 2013.  We know from Edward Snowden’s revelations that the NSA have targeted the IAEA and that the FISA Court has issued a certification allowing them to do so.

Journalists at the Intercept have said that further information will shortly be published in De Staandard and the Dutch NRC Handelsblad.


Edward Snowden’s statement on the linking of Regin to GCHQ’s attack on Belgacom was published on 13 December 2015.