Hackers believed to be working for Western intelligence agencies “broke into Russian internet search company Yandex from October to November 2018,” deploying a malware variant called Regin that is “known to be used by the ‘Five Eyes’ intelligence-sharing alliance of the United States, Britain, Australia, New Zealand and Canada,” Reuters reported on Friday, citing four people with knowledge of the incident.
Yandex, which has long since expanded beyond a search engine and now has footholds in industries from ridesharing to e-commerce, is Russia’s largest tech company and claims to serve approximately 75 percent of the Russian population. According to Reuters, it is unclear where the attack originated. Yandex confirmed to the news agency that such an incident had occurred, but claimed that its security personnel were able to prevent the loss of any user data.
“This particular attack was detected at a very early stage by the Yandex security team,” spokesman Ilya Grabovsky told Reuters. “It was fully neutralized before any damage was done. Yandex security team’s response ensured that no user data was compromised by the attack.”
Reuters wrote that the intent appears to have been to gather intelligence on user authentication on Yandex, which could be useful to anyone seeking to subsequently break into accounts:
The sources who described the attack to Reuters said the hackers appeared to be searching for technical information that could explain how Yandex authenticates user accounts. Such information could help a spy agency impersonate a Yandex user and access their private messages.
The hack of Yandex’s research and development unit was intended for espionage purposes rather than to disrupt or steal intellectual property, the sources said. The hackers covertly maintained access to Yandex for at least several weeks without being detected, they said.
Regin has previously been named by the Intercept as the malware involved in a long-term attack on Belgian telecom Belgacom in the early 2010s. Russian cybersecurity firm Kaspersky Lab believes the Regin toolkit was developed by a nation state. As Reuters noted, the Intercept reported that the UK’s Government Communications Headquarters (GCHQ) and the U.S. National Security Agency were responsible for the Belgacom attack, though the GCHQ declined comment and the NSA denied responsibility.
Reuters further reported that sources said the Regin malware detected at Yandex contained new code. Symantec Security Response technical director Vikram Thakur confirmed to the news agency that the company had “seen different components of Regin in the past few months” and that the malware “came back on the radar in 2019.”
This isn’t the only recent report of foreign intrusion into computer systems based in Russia, which has been at heightened tensions with much of the West over issues ranging from the geopolitical balance of power to more specific gripes like alleged Russian election interference. Earlier this month, accounts of U.S. penetration of the Russian electrical grid popped up in the New York Times; sources told the paper that it was carried out under new authority granted by the White House and Congress to the Pentagon that allows the secretary of defense to escalate cyber operations without presidential pre-clearance.
The Russian government told Reuters it was not aware of this specific incident, with Kremlin spokesman Dmitry Peskov saying, “Yandex and other Russian companies are attacked every day. Many attacks come from Western countries.”