Chuck Bednar for redOrbit.com – Your Universe Online
The same experts who helped discover Stuxnet four years ago have found a new advanced cyberespionage tool that they believe has been used to spy on governments, companies and researchers for over six years.
The malware program was discovered by security experts at Symantec, makers of the Norton antivirus suite of products, and has been identified as “Regin,” said Arik Hesseldahl of Re/Code. Its origins are unknown, but Symantec said that nearly 100 Regin infections have been detected to date, with more than half occurring in Russia and Saudi Arabia.
Regin is “a back door-type Trojan” that “has been used in systematic spying campaigns against a range of international targets since at least 2008,” researchers at the Mountain View, California-based company said in a blog post. They added that it is “a complex piece of malware whose structure displays a degree of technical competence rarely seen.”
“Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals,” the researchers said. “It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks.”
Symantec went on to note that the capabilities of the Trojan and the resources that would have been required to create it suggest that it is one of the primary cyberespionage tools used by an unknown country. Hesseldahl noted that, due to the complexity of the malware, only a handful of countries would be capable of developing such a program. Among the countries on that so-called short list are the US, China and Israel.
Regin “appears to have been aimed against particular individuals and small businesses,” said Gregory Wallace of CNN Money, and some telecommunications companies were also targeted in an apparent attempt to eavesdrop on phone calls made using those networks. Furthermore, the Trojan was also deployed in the hospitality and energy industries, he added.
Wallace added that, according to Symantec, the malware is able to conceal itself and has multiple layers of protection, including several types of encryption. Regin also uses a so-called modular structure that hides the deeper layers of the malware, making it extremely difficult to determine exactly what the program is doing at any given time. In these respects, it has drawn comparisons to the Stuxnet worm, the researchers noted.
“Regin’s highly customizable nature allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse’s point-and-click functions, and capturing screenshots from infected computers,” CNET nighttime news editor Steven Musil said, adding that it was also observed monitoring network traffic and analyzing emails.
Symantec also believes that many components of this multi-layered Trojan remain undiscovered, and that other versions may exist that have not yet been detected. Reuters added that nearly half of all Regin infections occurred at the addresses of Internet service providers (ISPs), and that the Symantec report said the customers of those companies were more likely to be targeted than the companies themselves.
“The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering,” Symantec said. “The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.”
Image Above: Regin’s five stages. Credit: Symantec