Region virus - nation state developed - Ireland badly hit

r3nu4l

So Regin is the latest code that is suspected to have been developed by a nation state. Symantec think it had been developed by a Western power.

Get this. Saudi Arabia, Russia and Ireland are the most badly hit.

Is this a specific threat against Irish interests ora specific entity present in Ireland or is Ireland just a testing ground to inform further iterations of the code that were set against the real target?

http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance

Bloody phone corrected Regin to Region

syklops

r3nu4l wrote: »

So Regin is the latest code that is suspected to have been developed by a nation state. Symantec think it had been developed by a Western power.

Get this. Saudi Arabia, Russia and Ireland are the most badly hit.

Is this a specific threat against Irish interests ora specific entity present in Ireland or is Ireland just a testing ground to inform further iterations of the code that were set against the real target?

http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance

Bloody phone corrected Regin to Region

Is Ireland a testing ground for such a virus?

Or

Is Ireland's IT infrastructure so poor that it got hit with the virus once and it spread?


Speaking as someone who sees Ireland's IT infrastructure, from a security point of view on almost a daily basis I'd say its option 2.

Grab All Association

I will be called an Anti-Semite but I bet Israel and the US were behind this.

syklops

Chris___ wrote: »

I will be called an Anti-Semite but I bet Israel and the US were behind this.

Based on?

shedweller

syklops wrote: »

Based on?

Stuxnet?

SpaceTime

Ireland's home to a LOT of major IT companies' European operations.
Could be why.

braddun

probably Briton on behalf of usa


Russia goes with out saying

saudia because of oil

Ireland because of ira

mexico drug cartels

Red Alert

It was claimed by Symantec on Morning Ireland that one organisation, who are not a household name, are known to be infected in Ireland. Wonder who it is?

DipStick McSwindler

This post has been deleted.

SpaceTime

It's possible that they've a relatively small number of samples which is why Ireland might be raking highly. It could be a single large attack or something like that.

We have a lot of IT companies and hosting facilities here relative to the population size, so it could really be targeting any one of them.

There's also a possibility of something like a single brand of USB device or some driver that's somehow been used here and in those other countries more than elsewhere.

If it's a single organisation or several organisations, we'll eventually hear about it through the Data Protection Commissioner if personal data (likely) has been put at risk.

It could also be a particular choice of some piece or version of networking equipment in a telco or something like that too that's in common with all of those countries.

Whatever organisation(s) was/were hit by it really ought to come forward though. It's only reasonable that end users should be aware that they need to take immediate precautions as this could be anything from a hacker group to security services to corporate espionage of some sort. Not everything's about fighting terrorism, some of it is about stealing intellectual property or lifting cash out of accounts.

Skrynesaver

IrishFeeney92 wrote: »

Symantec have released a Whitepaper on the topic which can be found here --> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf

Very interesting indeed! Id love to know who the infected company in Ireland was, although I would like to hope whoever is was have been notified by now!

According to Symantec it was a customer of theirs and they uncovered the threat in that customer, the customer has since been protected, so we're unlikely to hear the customers name from Symantec...

industrialhorse

Skrynesaver wrote: »

According to Symantec it was a customer of theirs and they uncovered the threat in that customer, the customer has since been protected, so we're unlikely to hear the customers name from Symantec...

Having worked for two major organisations in this country who both use Symantec as their endpoint protection product of choice, my bet is that the infected company are not as little-known as people might think they are and something will turn up in the public domain very soon. It will take RTE much longer to report on this for obvious reasons (overpaid, off the ball journalists)

deceit

Just so you know I've been passing this malware onto Symantec for the last months for one of the customers of my employer.
They have been targeted for months now which is why Ireland ranks highly.
It was detected from manual intervention when coming onto the network and every precaution has been taking to protect against it with the customer which includes manually checking and submitting every suspected file to Symantec for Analysis before it gets near the companies network.
Its not a household name also but its clear the reason for the target if you know the customer.
I don't expect their to be any data protection issues as nothing was infected on their network as the threats where tested before they got near the network even though they where not detected.

L.Jenkins

To think, according to the report by Symantec, it's been on the go for around 6 years. Imagine the amount of data that has potentially stolen and this isn't any backroom/bedroom operation, someone had to finance it. If the rumors are true and it was developed by a Western power, there's only one Country with the neck to release something like Regin in to the wild.

SpaceTime

So it's proactive detection that's got us up the list?

deceit

SpaceTime wrote: »

So it's proactive detection that's got us up the list?

Manual detection of the threat is what has us so high up the list, at least with the customer I've been dealing with.
Each variant was not being detected by any anti virus vendor, a new signature was written for it each time the file was uploaded to be inspected.
Their may be other customers I'm not aware of that bring it up the list.

DipStick McSwindler

This post has been deleted.

syklops

IrishFeeney92 wrote: »

What truly amazes me about this whole thing is the standard of intelligence by the people who coded it. Its incredibly impressive!

Which is why I don't think it is from a nation state.

L.Jenkins

syklops wrote: »

Which is why I don't think it is from a nation state.

State funded then?

SpaceTime

syklops wrote: »

Which is why I don't think it is from a nation state.

Our lot would go massively over budget and return data in indecipherable code by carrier pigeon. Then they realize they had hacked themselves and it would cost billions and need several quangos...

Mike Litoris

deceit wrote: »

Its not a household name also but its clear the reason for the target if you know the customer.

Ah come one, Man. You can't do that to us! Spill :P

hooplah

seems like it was GCHQ who used it against a Belgian telco anyway: https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/

Standman

From the Symantec white paper:

The string ‘shit’ is scattered in the packet for data validation. In addition, CRC checks use the seed ‘31337’.

Someone involved had a sense of humour anyway. "31337" is gamer/hacker slang in case anyone didn't know (I didn't ).

Could possibly lend credence to the suggestion that it was constructed by someone in the West or at least English speakers.

syklops

Standman wrote: »

Someone involved had a sense of humour anyway. "31337" is gamer/hacker slang in case anyone didn't know (I didn't ).

.

:eek:

skimpydoo

I have a funny feeling that we were attacked because we have a few data centres in Ireland run by the likes of Amazon and Microsoft. Plus the American courts have recently told Microsoft that they have to allow the US access to their Irish Data Centres.

Mr. G

skimpydoo wrote: »

I have a funny feeling that we were attacked because we have a few data centres in Ireland run by the likes of Amazon and Microsoft. Plus the American courts have recently told Microsoft that they have to allow the US access to their Irish Data Centres.

Microsoft have still refused and breached contempt of court.

It's pretty real. I would imagine there is much much more sophisticated malware out there.

It aims to target countries such as Russia, Israel and Ireland. Hmm, I would believe it to be the NSA or the GCHQ.

I'm not surprised about this, though it highlights the importance of proper IT security and Ireland needs more stringent laws for IT security.

Mr. G

The "Irish Orgranisation" would be bigger than Belgacom looking at the percentages of where it was detected.. Correct?

SpaceTime

This stuff is REALLY souring relations with several EU countries, especially Germany.
Merkel is seeing parallels to this and what she had to put up with in her younger years with the East German secret police tapping calls and intercepting communications and she's apparently very, very unhappy about it.

I could see this scuppering the Transatlantic Trade Partnership agreement too as it's really starting to go beyond antiterrorism monitoring.

jmcc

SpaceTime wrote: »

This stuff is REALLY souring relations with several EU countries, especially Germany.
Merkel is seeing parallels to this and what she had to put up with in her younger years with the East German secret police tapping calls and intercepting communications and she's apparently very, very unhappy about it.

Wasn't she a good little Communist back then and member of all the approved state organisations? It is not the software that has been detected that is the problem. It is the as yet undetected software. I'm not sure that it really has had much of an effect on relations as the targets and the intelligence gathered have not been revealed.

Regards...jmcc

Impetus

Duplication of http://www.boards.ie/vbulletin/showthread.php?t=2057332653 thread

skimpydoo

Impetus wrote: »

Duplication of http://www.boards.ie/vbulletin/showthread.php?t=2057332653 thread

Actually the other thread is a duplicate as this thread was created Sunday Night.