The disclosure of the Regin APT malware campaign this week has spurred much speculation about the source of the attack, with many experts pointing the finger at either the NSA or GCHQ, the British spy agency. Though security researchers involved in uncovering the attack have remained mum on the attribution of Regin, privacy experts say that if one of the intelligence agencies is involved, there’s no legal basis for the operation.
Intelligence services such as the National Security Agency and England’s Government Communications Headquarters are tasked with conducting electronic surveillance and intelligence operations against foreign citizens, and for decades this has been done by tapping phone lines and intercepting other forms of communications. But those methods have given way to the broad use of exploits, malware and other computer intrusion techniques. Those tactics have been filed under the broad powers of intelligence agencies, but officials at Privacy International say that the deployment of malware such as Regin doesn’t have a specific legal authority, either in the United States or England.
“Although we know more than ever before about the capabilities of British and American security services to conduct network exploitation and attacks, we still don’t know on what legal authority GCHQ and the NSA purport to act. There is no clear legal framework in either country that sanctions and regulates the deployment of these kinds of intrusive tools,” Eric King, deputy director of Privacy International, wrote in an analysis.
“The malware at issue here, such as Regin, clearly impairs the operation of the target computers in multiple ways, including by draining battery life and using bandwidth and other computer resources. As such, the Computer Misuse Act means at least to the extent that such activities occur in England and Wales, any GCHQ activities that impair the operation of a computer are prima facie unlawful.”
One of the aspects of the Regin campaign that has drawn much of the attention is the attackers’ compromise of a Belgian telecom. The incident resulted in the attackers compromising a GSM base station controller and having the ability to execute commands. The Intercept has identified the attack as an incident last year at Belgacom that, at the time, was played as a typical malware attack. The Belgacom compromise was an interesting incident, as the company is responsible for handling some of the undersea cables that carry voice and data communications. Belgacom officials made no mention of who they might have suspected as the attackers, but the company’s statement at the time now looks slightly different.
“Belgacom strongly condemns the intrusion of which it has become a victim. The company has filed a complaint against an unknown third party and is granting its full support to the investigation that is being performed by the Federal Prosecutor,” the statement said.
Earlier this year Privacy International filed a lawsuit, along with seven telecoms, against GCHQ for computer exploitation and phone hacking. King said that without clear legal authorization, deployment of malware such as Regin is beyond the bounds of what GCHQ is allowed to do.
“There are no authorising powers in the UK sanctioning the deployment of malware like Regin that meet the Weber standards for authorisation, nor are there the safeguards in statute,” he said.