An “extremely complex” and “stealthy” spying program has been stealing data from ISPs, energy companies, airlines and research-and-development labs, a security company has said.
With a “degree of technical competence rarely seen”, Regin had probably taken years to develop, Symantec said.
And a nation state may have written it to serve its spying agencies’ needs.
The program had been used in “systematic spying campaigns” over the past six years, Symantec said.
Regin slowly infiltrated its targets, taking care at each stage to hide its tracks, the company said.
“Many components of Regin remain undiscovered and additional functionality and versions may exist,” it added.
The Flame malware is also thought to have been written by a nation state
“Its design makes it highly suited for persistent, long-term surveillance operations against targets.”
Victims had been infected using spoofed versions of well-known websites, it said in a detailed analysis.
In a blogpost, security company F-Secure said it had first encountered Regin in 2009 after investigating what was making a server on the network of one of its customers crash repeatedly.
Chief research officer Mikko Hypponen said: “Finding malware of this calibre is very rare.
“We’re still missing big parts of the puzzle.”
“Nevertheless, it’s obvious this is a very complicated malware written by a well-equipped nation-state.” He added that the malware did not look like it originated in China or Russia – the usual places such programs are believed to originate from.
Symantec said it had captured the first copies of Regin in a small number of organisations between 2008 and 2011.
Soon after, the malware appeared to have been withdrawn, but a new version found in 2013 was now being actively used.
Only about 100 victims of Regin have been identified.