- Sputnik International

US, UK Intelligence Agencies Behind Complex Regin Spyware?

Cyber security experts say recently published research on the virtual spyware which has attacked targets in Russia and Saudi Arabia is likely to have come from intelligence agencies in the USA and UK.

Californian cybersecurity company Symantec was the first to release a report detailing the discovery of the bug, known as ‘Regin’, which masqueraded as a Microsoft product to target the websites of governmental departments, telecom operators and financial institutions in a number of countries around the world from as early as 2008.

In the report Symantec stated that Regin “bears the hallmarks of a state-sponsored operation” that is “likely used as an espionage and surveillance tool by intelligence agencies.”

Symantec’s research showed that 28 percent of the attacks attributed to Regin occurred in Russia, and another 24 percent in Saudi Arabia, while other traces of the bug were found on targets in Mexico, Iran and Afghanistan.

Somewhat surprisingly, the bug was also found to have attacked organizations in European countries: Ireland, Belgium and Austria.

Internet providers and telecom companies accounted for about three-quarters of the infections, while partly state-owned Belgian phone and internet provider Belgacom is also believed to have been among the companies targeted.

What Does Regin Do?

Researchers have noted Regin’s complex nature, with Symantec releasing a statement describing Regin as one of the most complex forms of malware with “a degree of technical competence rarely seen.”

Reports suggest that Regin’s role was mostly focused on computer information gathering, password stealing, process and memory information gathering and file system crawling. The complexity of the virus enabled the intruder to create a framework for mass surveillance. Targets included private companies, government entities and research think tanks. Attacks on telecoms companies were also allegedly carried out to gain access to calls being routed through their infrastructure.

“It provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals,” said a statement from Symantec. “It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.”

Where Did It Come From?

Speculation has quickly turned to the origin of the malware, with research by Russian computer security company Kaspersky Lab revealing that although 14 countries had been targeted by Regin, western powers such as the USA and UK were not affected.

Although Symantec and Kaspersky Lab haven’t commented on the source of the malware, Mikko Hypponen, chief research officer from online security company F-Secure, tweeted: “We believe that the 'Regin' governmental espionage tool is not coming from Russia or China,” sparking further speculation that western intelligence organizations could be behind the bug.

F-Secure security advisor Sean Sullivan agrees that the bug would not have come from China or Russia, and says its origin is likely to be discovered as research continues.

“I suspect there will be stronger evidence of authorship soon, now that researchers can start making more connections. However, it is now too late to know what Regin does — only what it used to do. The publication of technical analysis undoubtedly means significant parts of Regin's platform will now be retired,” he added.

Symantec’s report drew parallels between Regin and another state-sponsored malware program known as Stuxnet, which was developed by US and Israeli officials to target computers at an Iranian nuclear facility.

Ronald Prins, a security expert from Dutch-based company Fox IT, who was hired to remove the malware from Belgacom’s systems, told digital magazine The Intercept that he was “convinced Regin is used by British and American intelligence services.”

