
Former National Security Agency contractor Edward Snowden, who is seen on a giant screen during a video conference for an interview as part of Amnesty International’s Write for Rights campaign, leaked source code for a malicious program code-named QWERTY to Der Spiegel magazine. (Charles Platiau/Reuters)

Researchers have found new evidence that Regin, a notorious, sophisticated piece of malware that has been spying for years on businesses, governments and individuals, was created by American cyberspies at the National Security Agency.

The latest evidence comes from source code for a malicious program code-named QWERTY that was leaked to Der Spiegel magazine by former NSA contractor Edward Snowden.

After examining QWERTY's code, researchers at the cybersecurity firm Kaspersky Lab concluded that it can work only if it is plugged into Regin.

"Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together," analysts for Moscow-based Kaspersky said Tuesday on a company blog.

After Regin's existence first became widely known last fall, experts speculated that it came from the United States or one of the main Western spy agencies.

The latest corroboration has a Canadian connection since data from cyberspying is shared between agencies of the Five-Eyes alliance – made up of the United States, Britain, Canada, Australia and New Zealand.

Regin mainly targets private companies, small businesses and telecom companies, according to another cybersecurity firm, Symantec.

Victims were found mostly in 10 countries, with Russia and Saudi Arabia accounting for about half of the confirmed infections.

Users in Mexico, Iran, Pakistan, Afghanistan, India, Ireland, Austria and Belgium were also infected.

Regin is an "extremely complex software" that can operate covertly for years because it goes to great lengths to conceal its activities, Symantec said.

"Its stealth combines many of the most advanced techniques that we have ever seen in use," the Mountain View, Calif.-based company said in a report released last November.

"In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware."

Regin is structured in a way that allows remote controllers to change its spying functions depending on the target.

Its standard capabilities include snapping screenshots of the victim's computer, taking control of its mouse's point-and-click functions, intercepting passwords, recovering deleted files and monitoring network traffic.

The QWERTY malware, which operates only as part of the Regin platform, is a key-logger, which records everything its victims type on their keyboards.

Der Spiegel, the German magazine that received leaked documents from Mr. Snowden, said QWERTY appears to be part of a large library of malware code-named Warriorpride, which is used by all Five-Eyes partners.