Regin Malware Likely Came From Western Intelligence Agency

The Guardian reports that the Regin malware, recently uncovered by Symantec researchers, appears to have been created by a Western government intelligence agency.

The leading suspects, according to the Guardian, are the U.S., the U.K., or Israel.

According to Symantec, the highly targeted malware has been in use since at least 2008. "A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen," the researchers explained in a blog post. "Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals."

Different modules allow attackers to capture screenshots, take control of the mouse's point-and-click functions, steal passwords, monitor network traffic, recover deleted files, monitor Microsoft IIS Web server traffic, and monitor mobile phone base station controller traffic.

"Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state," the researchers added.

"Regin is the cyber equivalent of a specialist covert reconnaissance team," Malwarebytes director of special projects Pedro Bustamante told eSecurity Planet by email. "The analysis shows it to be highly adaptable, changing its method of attack depending on the target. It also has some very advanced evasion techniques that make it suitable for spending long periods carrying out undercover surveillance."

"The resource required to develop such an advanced piece of malware points towards an extremely specialized team of individuals with a very specific set of goals," Bustamante added.

According to Symantec, Regin's victims include private companies, government entities and research institutes. Most of the malware's victims are based in Russia and Saudi Arabia (28 percent and 24 percent, respectively) and none are in the U.S. or the U.K.

Belgian cryptographer Jean-Jacques Quisquater was apparently infected with the malware earlier this year while investigating an attack on the Belgian ISP Belgacom that was attributed to the U.K.'s GCHQ.

"As we've been following and analyzing Regin, the complexity and the level of sophistication in the attacks has become very evident," F-Secure chief research officer Mikko Hypponen told the Guardian. "We would place Regin in the category of highly sophisticated governmental espionage campaigns."

"We don't think Regin was made by Russia or China," Hypponen added.

Still, ZeroFOX vice president Ian Amit told eSecurity Planet by email that it's too early to pin down who's responsible. "Some of the attributes of the malware (namely using fairly detectable elements in the C&C protocol such as 'shit' and '31337') suggest it might have been developed through an 'outsourced' third party entity," he said. "This is common practice for nation states that do not have the capability to develop advanced malware by themselves or need to cover their tracks."

In a white paper [PDF] analyzing the threat, Symantec researchers wrote, "Threats of this nature are rare and are only comparable to the Stuxnet/Duqu family of malware. The discovery of Regin serves to highlight how significant investments continue to be made into the development of tools for use in intelligence gathering."

"Many components of Regin have still gone undiscovered and additional functionality and versions may exist," the researchers added.