Security Researchers Withheld Regin Malware Details For 'Global Security' Reasons

from the not-really-'global'-when-it's-just-the-Five-Eyes-then,-is-it? dept

Who's going to let you know your communications and data have been compromised by state entities? Well, it seems to depend on who the state entity is. When it's a non-'Five Eyes' country involved, there's usually no hesitation. But the recent exposure of Regin malware's NSA/GCHQ origins (which both agencies deny, despite leaked documents to the contrary) came belatedly, confirming details revealed more than a year ago. The malware appears to date back nearly a decade, and yet little has been said about it over that period of time.

Mashable looked into the malware further and received some surprising replies from security analysts as to why there's been little to no discussion of Regin up to this point.

Symantec's [Vikram] Thakur said that they had been investigating Regin since last year, but only felt "comfortable" publishing details of it now.

[Costin] Raiu, the researcher from Kaspersky, said they had been tracking Regin for "several years" but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.

For [Ronald] Prins [of Fox IT], the reason is completely different.

"We didn't want to interfere with NSA/GCHQ operations," he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to "global security."

And so it goes. Everyone had the same suspicion as to who was behind the malware, but everyone sat on it, hoping someone else would make the first move. The NSA and GCHQ may deny their involvement, but the list of countries with verified Regin infections notably doesn't include any of the "Five Eyes" countries. Microsoft -- whose software the malware was disguised as -- has refused to comment.

It's no surprise that companies like Microsoft are in no hurry to divulge findings about state-run malware, at least not if it involves governments they have large contracts with. But security researchers shouldn't be acting as flacks for intelligence agencies, even if only committing sins of omission. As the ACLU's chief technologist pointed out, there's no faster way to "destroy" your company's reputation as a "provider of trustworthy security consulting services." Who's going to want to hire someone that won't tell you your data and communications are compromised until it feels it's "safe" to do so?

We already know that any security holes discovered (or purchased) by intelligence agencies won't be turned over to affected companies until they've been fully exploited. We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead. But security researchers shouldn't be withholding details on sophisticated malware out of deference to the intelligence agencies they believe are behind it.

At this point, we have a security ecosystem greatly skewed towards the exploitation of flaws and the distribution of malware, rather than the other way around. There's an entire industry that does nothing but find exploits and sell them to intelligence agencies -- only distinguishable from criminal enterprises by their clientele. Being silently complicit in these exploits may prevent operations from being compromised (and seems to confirm that Fox IT reached the same conclusion about the malware's origin as others), but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world.

Filed Under: malware, regin, security, security research

Companies: fox it, kaspersky, symantec