A new and sophisticated piece of malware that targets infrastructure operators and government organisations has been discovered by security firm Symantec.
Symantec describes the backdoor trojan, dubbed Regin, as “a complex intelligence-gathering tool which has been engaged in long term systematic data collection and surveillance activities against government organisations, infrastructure operators, businesses, academics, and private individuals”.
Regin is a modular “spying tool framework”, which can be adapted to carry a variety of payloads aimed at specific tools or software programmes depending on the target, and has been in circulation since 2008.
It is currently unclear how Regin infects host computers, as the researchers were unable to reliably reproduce a successful method of attack, but it is likely that it targets users by tricking them into visiting a compromised copy of a well-known website and infects their computers through exploits in web browser software.
Symantec claims that the sophisticated methods the malware uses to cover its tracks mean that it was likely developed over a period of many months by a nation state. The security company argues:
“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.”
Only around 100 infections with the malware have been discovered, but the researchers say that the majority of compromised computers have been found in Russia and Saudi Arabia, pointing to a Western nation as the culprit.
The malware's choice of targets has drawn comparisons with Stuxnet, which sabotaged the Iranian nuclear programme and was likely developed by the US or Israel, but Regin appears to have been produced only to secretly collect data and not to interfere with its host machines.
Photograph by Jeroen Bennink