This article is more than 1 year old

Researcher says Aussie spooks help code Five Eyes mega malware

QWERTY keylogger code alleged to name Defence Signals Directorate

The Australian Signals Directorate (ASD) has refused to comment on allegations it had a hand in the creation of a keylogging module used by global spookhauses and considered almost identical to parts of the complex Regin malware.

Security bods fingered its involvement due to a file path in the malware's code that referenced the agency and was hardcoded into parts of the QWERTY plugin used in the nation-state-coded malware known as WARRIORPRIDE.

Within that path lay a reference to WARRIORPRIDE, which was used at the time to tie QWERTY to that malware platform.

Subsequent analysis this week found parts of QWERTY referenced and were built on source code used in the nearly identical plugin 50251 designed for the Regin malware.

The ASD refused to comment when asked by Vulture South if it had played a part in the creation of Regin or QWERTY.

"Defence does not comment on intelligence matters," a spokesperson said.

DSD QWERTY reference. Credit: Claudio Guarnieri

Security bod Claudio Guarnieri, one of a team working on the original analysis of QWERTY, said the text reference to the agency's former name, the Defence Signals Directorate changed in 2013, suggested it played a role with other Five Eyes intelligence agencies in creating the malware.

"While we know that the Canadians (spy agencies) certainly make use of WARRIORPRIDE, strings in one of the QWERTY binaries suggest that the [ASD] might have had a part in the development," Guarnieri said.

"It is clear now that Five Eyes, especially other than the NSA I imagine, joined efforts to share resources and collectively develop a unified malware program."

The established commonality between QWERTY and Regin's 50251 meant the agency could have been behind both plugins, if indeed the malware platforms WARRIORPRIDE and Regin were different beasts and not iterations of the same Five Eyes project.

The link was no smoking gun as it could conceivably have been added for reasons unknown. Further information would be required to definitively pin the plugin as Australia's handiwork.


Regin surfaced in November last year as the latest highly-advanced attack tool fit to rival Stuxnet which wrought havoc through Iran's Natanz uranium enrichment facility in 2009.

It was described by Symantec malware reversers who spent years examining Regin's then disparate bread crumbs as being built with a "degree of technical competence rarely seen".

"Customisable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organisations, infrastructure operators, businesses, researchers, and private individuals," Symantec bods said at the time.

The analysis was backed by Fox IT engineer Ronald Prins who plucked Regin from telco Belgacom's networks.

"I'm convinced Regin is used by British and American intelligence services," he told The Intercept November. ®

More about


Send us news

Other stories you might like