Group items tagged

Russian nuclear power plant was reportedly “badly infected” by the rogue Stuxnet virus, the same malware that reportedly disrupted Iran’s nuclear program several years ago. The virus then spread to the International Space Station via a Stuxnet-infected USB stick transported by Russian cosmonauts

Speaking to journalists in Canberra, Australia, last week, Eugene Kaspersky, head of the anti-virus and cyber protection firm that bears his name, said he had been tipped off about the damage by a friend who works at the Russian plant. Kaspersky did not say when the attacks took place, but implied that they occurred around the same time the Iranian infection was reported. He also did not comment on the impact of the infections on either the nuclear plant or the space station, but did say that the latter facility had been attacked several times. The revelation came during a question-and-answer period after a presentation on cyber-security. The point, Kaspersky told reporters at Australia’s National Press Club last week, was that not being connected to the Internet — the public web cannot be accessed at either the nuclear plant or on the ISS — is a guarantee that systems will remain safe. The identity of the entity that released Stuxnet into the “wild” is still unknown (although media speculation insists it was developed by Israel and the United States), but those who think they can control a released virus are mistaken, Kaspersky warned. “What goes around comes around,” Kaspersky said. “Everything you do will boomerang.”

The Stuxnet virus came to light in 2010, having attacked Iranian nuclear facilities by hitting the programmable logic control automation systems that control them. The PLC system, manufactured by German conglomerate Siemens, runs the centrifuges used to enrich uranium at Iran’s Natanz facility. Variants of Stuxnet have affected the facility’s centrifuges in various ways, mostly by changing the activity of valves controlled by the PLC software that feed the uranium to centrifuges at a specific rate required for enrichment, Kaspersky said in several presentations last year. It’s not known when Stuxnet began its activities, but researchers at anti-virus company Symantec said that they had gathered evidence that earlier versions of the code were already seen “in the wild” in 2005, although it wasn’t yet operational as a virus. Stuxnet, said Symantec, was the first virus known to attack national infrastructure projects, and according to the company, the groups behind Stuxnet were already seeking to compromise Iran’s nuclear program in 2007 — the year Iran’s Natanz nuclear facility, where much of the country’s uranium enrichment is taking place, went online. Now that the plague has been unleashed, said Kaspersky, no one is immune — and that includes its originators, who are no longer in control of it. “There are no borders” in cyberspace, and no one should be surprised at any reports of a virus attack, no matter how ostensibly secure the facility, he said.

When Israeli Prime Minister Benjamin Netanyahu met with Google chairman Eric Schmidt on Tuesday afternoon, he boasted about Israel’s “robust hi-tech and cyber industries.” According to The Jerusalem Post, “Netanyahu also noted that ‘Israel was making great efforts to diversify the markets with which it is trading in the technological field.'” Just how diversified and developed Israeli hi-tech innovation has become was revealed the very next morning, when the Russian cyber-security firm Kaspersky Labs, which claims more than 400 million users internationally, announced that sophisticated spyware with the hallmarks of Israeli origin (although no country was explicitly identified) had targeted three European hotels that had been venues for negotiations over Iran’s nuclear program.

Wednesday’s Wall Street Journal, one of the first news sources to break the story, reported that Kaspersky itself had been hacked by malware whose code was remarkably similar to that of a virus attributed to Israel. Code-named “Duqu” because it used the letters DQ in the names of the files it created, the malware had first been detected in 2011. On Thursday, Symantec, another cyber-security firm, announced it too had discovered Duqu 2 on its global network, striking undisclosed telecommunication sites in Europe, North Africa, Hong Kong, and  Southeast Asia. It said that Duqu 2 is much more difficult to detect that its predecessor because it lives exclusively in the memory of the computers it infects, rather than writing files to a drive or disk. The original Duqu shared coding with — and was written on the same platform as — Stuxnet, the computer worm  that partially disabled enrichment centrifuges in Iranian nuclear power plants, according to a 2012 report in The New York Times. Intelligence and military experts said that Stuxnet was first tested at Dimona, a nuclear-reactor complex in the Negev desert that houses Israel’s own clandestine nuclear weapons program. While Stuxnet is widely believed to have been a joint Israeli-U.S. operation, Israel seems to have developed and implemented Duqu on its own.

Coding of the spyware that targeted two Swiss hotels and one in Vienna—both sites where talks were held between the P5+1 and Iran—so closely resembled that of Duqu that Kaspersky has dubbed it “Duqu 2.” A Kaspersky report contends that the new and improved Duqu would have been almost impossible to create without access to the original Duqu code. Duqu 2’s one hundred “modules” enabled the cyber attackers to commandeer infected computers, compress video feeds  (including those from hotel surveillance cameras), monitor and disrupt telephone service and Wi-Fi, and steal electronic files. The hackers’ penetration of computers used by the front desk would have allowed them to determine the room numbers of negotiators and delegation members. Duqu 2 also gave the hackers the ability to operate two-way microphones in the hotels’ elevators and control their alarm systems.

Iran has claimed it has thwarted a number of sabotage attempts against the country's nulcear programme and infrastructure, including one at its heavy water reactor. Asghar Zarean, a senior official in charge of nuclear security at the Atomic Energy Organisation of Iran, said that Iran's intelligence agencies were instrumental in uncovering plots over the last few months. They included one at the Arak facility, according to a report from the Fars semi-official news agency quoted by the Associated Press.  The organisation said: "Several cases of industrial sabotage have been neutralized in the past few months before achieving the intended damage, including sabotage at a part of the IR-40 facility at Arak." It did not state the nature of the attacks, nor the suspected culprits, but the statements coincided with the launch of an intelligence team to fight cyber-attacks and industrial sabotage.

Another of Iran's nuclear facilities, the uranium enrichment plant at Natanz, was the target of the "Stuxnet" computer virus in 2010 which temporarily disrupted operation of centrifuges, a key component in nuclear fuel production. Tehran says Stuxnet and other computer virus attacks are part of a concerted campaign by Israel, the US and their allies to undermine its nuclear programme. Arak was central to a deal cut last year between Western powers and Iran that lifted some sanctions in return for concessions on Iran's nuclear programme. Tehran pledged it would stop developing the facility, which Western powers say could yield plutonium as an alternative fuel for weapons. Iran denies any such goal, and says the facility is for research and peaceful purposes only.

“Is this related to what we talked about before?” Bencsáth said, referring to a previous discussion they’d had about testing new services the company planned to offer customers. “No, something else,” Bartos said. “Can you come now? It’s important. But don’t tell anyone where you’re going.” Bencsáth wolfed down the rest of his lunch and told his colleagues in the lab that he had a “red alert” and had to go. “Don’t ask,” he said as he ran out the door. A while later, he was at Bartos’ office, where a triage team had been assembled to address the problem they wanted to discuss. “We think we’ve been hacked,” Bartos said.

They found a suspicious file on a developer’s machine that had been created late at night when no one was working. The file was encrypted and compressed so they had no idea what was inside, but they suspected it was data the attackers had copied from the machine and planned to retrieve later. A search of the company’s network found a few more machines that had been infected as well. The triage team felt confident they had contained the attack but wanted Bencsáth’s help determining how the intruders had broken in and what they were after. The company had all the right protections in place—firewalls, antivirus, intrusion-detection and -prevention systems—and still the attackers got in.

Bencsáth was a teacher, not a malware hunter, and had never done such forensic work before. At the CrySyS Lab, where he was one of four advisers working with a handful of grad students, he did academic research for the European Union and occasional hands-on consulting work for other clients, but the latter was mostly run-of-the-mill cleanup work—mopping up and restoring systems after random virus infections. He’d never investigated a targeted hack before, let alone one that was still live, and was thrilled to have the chance. The only catch was, he couldn’t tell anyone what he was doing. Bartos’ company depended on the trust of customers, and if word got out that the company had been hacked, they could lose clients. The triage team had taken mirror images of the infected hard drives, so they and Bencsáth spent the rest of the afternoon poring over the copies in search of anything suspicious. By the end of the day, they’d found what they were looking for—an “infostealer” string of code that was designed to record passwords and other keystrokes on infected machines, as well as steal documents and take screenshots. It also catalogued any devices or systems that were connected to the machines so the attackers could build a blueprint of the company’s network architecture. The malware didn’t immediately siphon the stolen data from infected machines but instead stored it in a temporary file, like the one the triage team had found. The file grew fatter each time the infostealer sucked up data, until at some point the attackers would reach out to the machine to retrieve it from a server in India that served as a command-and-control node for the malware.

Were Israeli companies Verint and Narus the ones that collected information from the U.S. communications network for the National Security Agency? The question arises amid controversy over revelations that the NSA has been collecting the phone records of hundreds of millions of Americans every day, creating a database through which it can learn whether terror suspects have been in contact with people in the United States. It also was disclosed this week that the NSA has been gathering all Internet usage - audio, video, photographs, emails and searches - from nine major U.S. Internet providers, including Microsoft and Google, in hopes of detecting suspicious behavior that begins overseas.

According to an article in the American technology magazine "Wired" from April 2012, two Israeli companies – which the magazine describes as having close connections to the Israeli security community – conduct bugging and wiretapping for the NSA. Verint, which took over its parent company Comverse Technology earlier this year, is responsible for tapping the communication lines of the American telephone giant Verizon, according to a past Verizon employee sited by James Bamford in Wired. Neither Verint nor Verizon commented on the matter.

Natus, which was acquired in 2010 by the American company Boeing, supplied the software and hardware used at AT&T wiretapping rooms, according to whistleblower Mark Klein, who revealed the information in 2004. Klein, a past technician at AT&T who filed a suit against the company for spying on its customers, revealed a "secret room" in the company's San Fransisco office, where the NSA collected data on American citizens' telephone calls and Internet surfing. Klein's claims were reinforced by former NSA employee Thomas Drake who testified that the agency uses a program produced by Narus to save the personal electrical communications of AT&T customers.  Both Verint and Narus have ties to the Israeli intelligence agency and the Israel Defense Forces intelligence-gathering unit 8200. Hanan Gefen, a former commander of the 8200 unit, told Forbes magazine in 2007 that Comverse's technology, which was formerly the parent company of Verint and merged with it this year, was directly influenced by the technology of 8200. Ori Cohen, one of the founders of Narus, told Fortune magazine in 2001 that his partners had done technology work for the Israeli intelligence.

The U.S. Government often warns of increasingly sophisticated cyberattacks from adversaries, but it may have actually contributed to those capabilities in the case of Iran. A top secret National Security Agency document from April 2013 reveals that the U.S. intelligence community is worried that the West’s campaign of aggressive and sophisticated cyberattacks enabled Iran to improve its own capabilities by studying and then replicating those tactics. The NSA is specifically concerned that Iran’s cyberweapons will become increasingly potent and sophisticated by virtue of learning from the attacks that have been launched against that country. “Iran’s destructive cyber attack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary,” the NSA document states. “Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.”

The document was provided to The Intercept by NSA whistleblower Edward Snowden, and was prepared in connection with a planned meeting with Government Communications Headquarters, the British surveillance agency. The document references joint surveillance successes such as “support to policymakers during the multiple rounds of P5 plus 1 negotiations,” referring to the ongoing talks between the five permanent members of the U.N. Security Council, Germany and Iran to forge an agreement over Iran’s nuclear program. The document suggests that Iran has become a much more formidable cyberforce by learning from the viruses injected into its systems—attacks which have been linked back to the United States and Israel. In June 2012, The New York Times reported that from “his first months in office, President Obama secretly ordered sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.” As part of that plan, the U.S. and Israel jointly unleashed the Stuxnet virus on Iranian nuclear facilities, but a programming error “allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.” Israel also deployed a second virus, called Flame, against Iran.

Obama ordered cyberattacks despite his awareness that they would likely unleash a wholly new form of warfare between states, similar to the “first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade,” according to the Times report. Obama “repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons—even under the most careful and limited circumstances—could enable other countries, terrorists or hackers to justify their own attacks.” The NSA’s concern of inadvertently aiding Iran’s cyberattack capabilities is striking given the government’s recent warning about the ability of adversaries to develop more advanced viruses. A top official at the Pentagon’s Defense Advanced Research Projects Agency’s (DARPA) appeared on 60 Minutes this Sunday and claimed that cyberattacks against the U.S. military are becoming more potent. “The sophistication of the attacks is increasing,” warned Dan Kaufman, director of DARPA’s Information Innovation Office.

The United States has found a way to permanently embed surveillance and sabotage tools in computers and networks it has targeted in Iran, Russia, Pakistan, China, Afghanistan and other countries closely watched by American intelligence agencies, according to a Russian cybersecurity firm.In a presentation of its findings at a conference in Mexico on Monday, Kaspersky Lab, the Russian firm, said that the implants had been placed by what it called the “Equation Group,” which appears to be a veiled reference to the National Security Agency and its military counterpart, United States Cyber Command.

It linked the techniques to those used in Stuxnet, the computer worm that disabled about 1,000 centrifuges in Iran’s nuclear enrichment program. It was later revealed that Stuxnet was part of a program code-named Olympic Games and run jointly by Israel and the United States.Kaspersky’s report said that Olympic Games had similarities to a much broader effort to infect computers well beyond those in Iran. It detected particularly high infection rates in computers in Iran, Pakistan and Russia, three countries whose nuclear programs the United States routinely monitors.

Some of the implants burrow so deep into the computer systems, Kaspersky said, that they infect the “firmware,” the embedded software that preps the computer’s hardware before the operating system starts. It is beyond the reach of existing antivirus products and most security controls, Kaspersky reported, making it virtually impossible to wipe out.

Canada’s electronic surveillance agency has secretly developed an arsenal of cyberweapons capable of stealing data and destroying adversaries’ infrastructure, according to newly revealed classified documents. Communications Security Establishment, or CSE, has also covertly hacked into computers across the world to gather intelligence, breaking into networks in Europe, Mexico, the Middle East and North Africa, the documents show. The revelations, reported Monday by CBC News in collaboration with The Intercept, shine a light for the first time on how Canada has adopted aggressive tactics to attack, sabotage and infiltrate targeted computer systems. The latest disclosures come as the Canadian government debates whether to hand over more powers to its spies to disrupt threats as part of the controversial anti-terrorism law, Bill C-51.

Christopher Parsons, a surveillance expert at the University of Toronto’s Citizen Lab, told CBC News that the new revelations showed that Canada’s computer networks had already been “turned into a battlefield without any Canadian being asked: Should it be done? How should it be done?” According to documents obtained by The Intercept from National Security Agency whistleblower Edward Snowden, CSE has a wide range of powerful tools to perform “computer network exploitation” and “computer network attack” operations. These involve hacking into networks to either gather intelligence or to damage adversaries’ infrastructure, potentially including electricity, transportation or banking systems. The most well-known example of a state-sponsored “attack” operation involved the use of Stuxnet, a computer worm that was reportedly developed by the United States and Israel to sabotage Iranian nuclear facilities. One document from CSE, dated from 2011, outlines the range of methods the Canadian agency has at its disposal as part of a “cyber activity spectrum” to both defend against hacking attacks and to perpetrate them. CSE says in the document that it can “disable adversary infrastructure,” “control adversary infrastructure,” or “destroy adversary infrastructure” using the attack techniques. It can also insert malware “implants” on computers to steal data.

According to one top-secret NSA briefing paper, dated from 2013, Canada is considered an important player in global hacking operations. Under the heading “NSA and CSEC cooperate closely in the following areas,” the paper notes that the agencies work together on “active computer network access and exploitation on a variety of foreign intelligence targets, including CT [counter terrorism], Middle East, North Africa, Europe, and Mexico.” (The NSA had not responded to a request for comment at time of publication. The agency has previously told The Intercept that it “works with foreign partners to address a wide array of serious threats, including terrorist plots, the proliferation of weapons of mass destruction, and foreign aggression.”) Notably, CSE has gone beyond just adopting a range of tools to hack computers. According to the Snowden documents, it has a range of “deception techniques” in its toolbox. These include “false flag” operations to “create unrest,” and using so-called “effects” operations to “alter adversary perception.” A false-flag operation usually means carrying out an attack, but making it look like it was performed by another group — in this case, likely another government or hacker. Effects operations can involve sending out propaganda across social media or disrupting communications services. The newly revealed documents also reveal that CSE says it can plant a “honeypot” as part of its deception tactics, possibly a reference to some sort of bait posted online that lures in targets so that they can be hacked or monitored.

The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.

The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

The N.S.A. and the Pentagon’s Cyber Command have implanted nearly 100,000 “computer network exploits” around the world, but the hardest problem is getting inside machines isolated from outside communications.

Matt Blaze has been pointing out that when you read the new White House intelligence task force report and its recommendations on how to reform the NSA and the wider intelligence community, that there may be hints to other excesses not yet revealed by the Snowden documents. Trevor Timm may have spotted a big one. In the recommendation concerning increasing security in online communications, the second sub-point sticks out like a sore thumb:

Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial system. While there have been plenty of reports about the US running hundreds of offensive cyberattacks on others, outside of things like Stuxnet, not many have been directly identified. And I'm unaware of any claims suggesting attempts to "manipulate the financial system" of any particular country and/or to "change the amounts held in financial accounts." It seems a bit odd to come out of the blue like that, and certainly suggests that this particular bullet point likely came as a result of a rather specific thing that came up during the task force's review. So, now we wait for the inevitable news of what sort of financial shenanigans the NSA was up to.

It's hardly news that the Obama administration is intensely and, in many respects, unprecedentedly hostile toward the news-gathering process. Even the most Obama-friendly journals have warned of what they call "Obama's war on whistleblowers". James Goodale, the former general counsel of the New York Times during its epic fights with the Nixon administration, recently observed that "President Obama wants to criminalize the reporting of national security information" and added: "President Obama will surely pass President Richard Nixon as the worst president ever on issues of national security and press freedom."Still, a new report released today by the highly respected Committee to Protect Journalists - its first-ever on press freedoms in the US - powerfully underscores just how extreme is the threat to press freedom posed by this administration. Written by former Washington Post executive editor Leonard Downie, Jr., the report offers a comprehensive survey of the multiple ways that the Obama presidency has ushered in a paralyzing climate of fear for journalists and sources alike, one that severely threatens the news-gathering process.The first sentence: "In the Obama administration's Washington, government officials are increasingly afraid to talk to the press."

It quotes New York Times national security reporter Scott Shane as saying that sources are "scared to death." It quotes New York Times reporter David Sanger as saying that "this is the most closed, control freak administration I've ever covered." And it notes that New York Times public editor Margaret Sullivan previously wrote that "it's turning out to be the administration of unprecedented secrecy and unprecedented attacks on a free press."Based on all this, Downie himself concludes:The administration's war on leaks and other efforts to control information are the most aggressive I've seen since the Nixon administration, when I was one of the editors involved in The Washington Post's investigation of Watergate. The 30 experienced Washington journalists at a variety of news organizations whom I interviewed for this report could not remember any precedent."And this pernicious dynamic extends far beyond national security: "Ellen Weiss, Washington bureau chief for E.W. Scripps newspapers and stations, said 'the Obama administration is far worse than the Bush administration' in trying to thwart accountability reporting about government agencies." It identifies at least a dozen other long-time journalists making similar observations.

The report ends by noting the glaring irony that Obama aggressively campaigned on a pledge to usher in The Most Transparent Administration Ever™. Instead, as the New Yorker's investigative reporter Jane Mayer recently said about the Obama administration's attacks: "It's a huge impediment to reporting, and so chilling isn't quite strong enough, it's more like freezing the whole process into a standstill."

Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.“This process is biased toward responsibly disclosing such vulnerabilities,” she said.

The N.S.A. made use of four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named “Olympic Games,” managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal.“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”

As fast as it can, Google is sealing up cracks in its systems that Edward J. Snowden revealed the N.S.A. had brilliantly exploited. It is encrypting more data as it moves among its servers and helping customers encode their own emails. Facebook, Microsoft and Yahoo are taking similar steps.

After years of cooperating with the government, the immediate goal now is to thwart Washington — as well as Beijing and Moscow. The strategy is also intended to preserve business overseas in places like Brazil and Germany that have threatened to entrust data only to local providers. Google, for example, is laying its own fiber optic cable under the world’s oceans, a project that began as an effort to cut costs and extend its influence, but now has an added purpose: to assure that the company will have more control over the movement of its customer data.

A year after Mr. Snowden’s revelations, the era of quiet cooperation is over. Telecommunications companies say they are denying requests to volunteer data not covered by existing law. A.T.&T., Verizon and others say that compared with a year ago, they are far more reluctant to cooperate with the United States government in “gray areas” where there is no explicit requirement for a legal warrant.

The National Security Agency and its British counterpart, Government Communications Headquarters, have worked to subvert anti-virus and other security software in order to track users and infiltrate networks, according to documents from NSA whistleblower Edward Snowden. The spy agencies have reverse engineered software products, sometimes under questionable legal authority, and monitored web and email traffic in order to discreetly thwart anti-virus software and obtain intelligence from companies about security software and users of such software. One security software maker repeatedly singled out in the documents is Moscow-based Kaspersky Lab, which has a holding registered in the U.K., claims more than 270,000 corporate clients, and says it protects more than 400 million people with its products. British spies aimed to thwart Kaspersky software in part through a technique known as software reverse engineering, or SRE, according to a top-secret warrant renewal request. The NSA has also studied Kaspersky Lab’s software for weaknesses, obtaining sensitive customer information by monitoring communications between the software and Kaspersky servers, according to a draft top-secret report. The U.S. spy agency also appears to have examined emails inbound to security software companies flagging new viruses and vulnerabilities.

The efforts to compromise security software were of particular importance because such software is relied upon to defend against an array of digital threats and is typically more trusted by the operating system than other applications, running with elevated privileges that allow more vectors for surveillance and attack. Spy agencies seem to be engaged in a digital game of cat and mouse with anti-virus software companies; the U.S. and U.K. have aggressively probed for weaknesses in software deployed by the companies, which have themselves exposed sophisticated state-sponsored malware.

The requested warrant, provided under Section 5 of the U.K.’s 1994 Intelligence Services Act, must be renewed by a government minister every six months. The document published today is a renewal request for a warrant valid from July 7, 2008 until January 7, 2009. The request seeks authorization for GCHQ activities that “involve modifying commercially available software to enable interception, decryption and other related tasks, or ‘reverse engineering’ software.”

here’s yet another tantalizing clue that the National Security Agency and its “Five Eyes” allies are behind a poweful cyber-espionage tool called Regin, used to spy on friend and enemy alike. That’s the conclusion Russian cybersecurity firm Kaspersky drew after examining the source code of Regin and an innocuously-named spying tool called QWERTY. It’s an appropriate monicker. The malware, known as a keylogger,  vacuums up anything typed on a computer keyboard and sends it back to the programmer controlling it. The crucial clue Kaspersky found is that QWERTY “can only operate as part of the Regin platform.” After tracking Regin across 14 countries for years, Kaspersky and technology firm Symantec identified it in November 2014.  At the time, Symantec said Regin’s “capabilities and the level of resources behind [it] indicate that it is one of the main cyberespionage tools used by a nation state.” 

Though neither company said it, suspicion immediately arose that the NSA and its allies had created Regin. It immediately drew comparisons with Stuxnet, the joint U.S.-Israeli computer worm used to damage Iranian nuclear centrifuges in Natanz in 2009. Unlike Stuxnet’s narrow mission of sabotage, Regin is designed for spying in a wide set of environments. It hides in plain sight, disguised as ordinary Microsoft software.

The new evidence further points to the Five Eyes. The German news magazine Der Spiegel has a trove of documents from NSA whistleblower Edward Snowden, which included the source code. Der Spiegel gave Kaspersky the code to examine: The new analysis provides clear proof that Regin is in fact the cyber-attack platform belonging to the Five Eyes alliance, which includes the U.S., Britain, Canada, Australia and New Zealand. Neither Kaspersky nor Symantec commented directly on the likely creator of Regin. But there can be little room left for doubt regarding the malware’s origin. Der Spiegel pointed to five elements they believe suggest Five Eyes authorship: the presence of QWERTY in Snowden’s files, its use in the Belgacom hack by Britain’s GCHQ, references to the sport of cricket in the code, structural similarities to tools outlined in other Snowden documents, and targets consistent with other Five Eyes tools and campaigns.