It looks like Chancellor Angela Merkel is not the only German official who might have been spied on by the nation’s allies. The head of a German Federal Chancellery unit reportedly had his laptop infected with Regin, a cyberespionage program believed to be used by the U.S. National Security Agency and its closest intelligence partners.
The German federal prosecutor’s office has opened an investigation into the breach, which came to light in 2014, German news magazine Der Spiegel reported Friday. The Chancellery is the federal agency that serves Merkel’s office.
Regin is one of the most sophisticated malware programs ever discovered. It has over 75 modules that enable a range of functionality, including password theft, network traffic capture, screen shot grabbing, recovery of deleted files and data exfiltration.
According to reports from several security companies, it was used to spy on Internet service providers, telecommunications backbone operators, energy firms, airlines, government entities, research institutes and private individuals around the world.
There are strong indications that Regin is a computer network exploitation (CNE) platform referred to as WARRIORPRIDE in documents leaked by former NSA contractor Edward Snowden and which is used by the intelligence agencies of the U.S., U.K., Canada, Australia and New Zealand — known as the Five Eyes intelligence partnership.
In January, Der Spiegel released a keylogger program dubbed QWERTY from the trove of files leaked by Snowden that the magazine believed was part of WARRIORPRIDE. Researchers from antivirus firm Kaspersky Lab later analyzed the program and concluded that it was identical to a known Regin plug-in and even had code referencing a different Regin module.
Previous reports that the NSA tapped Angela Merkel’s mobile phone strained relations between Germany and the U.S. Prosecutors in Germany launched an investigation into that claim, which was also based on documents leaked by Snowden, but it was later dropped due to insufficient evidence.
If Regin is indeed WARRIORPRIDE, as many security experts believe, the program’s presence on a German Chancellery official’s laptop is unlikely to be a coincidence. However, since the tool is used by the intelligence agencies of five different countries, identifying the perpetrator in this case might prove difficult.