Computer security researchers at Symantec say they have discovered a sophisticated piece of malware circulating the world that appears to be used for spying at Internet service and telecommunications companies, and was likely created by a government agency. And while its origin is unclear, a short list of capable countries would include the U.S., Israel and China.
The research, published today, comes from the same team at Symantec that four years ago helped discover and ferret out the capabilities of Stuxnet, the world’s first digital weapon. It is believed to have been created by the combined efforts of the U.S. and Israel and used to sabotage the Iranian nuclear research program.
The team has dubbed this newly found Trojan “Regin” according to a Symantec blog post, and they are describing it as a “complex piece of malware whose structure displays a degree of technical competence rarely seen.” They say the tool has an “extensive range of capabilities” that provides the people controlling it with “a powerful framework for mass surveillance.”
The researchers said Regin has been used in what appears to be an ongoing spying operation that started in 2008, stopped suddenly in 2011, and then resumed in 2013.
The campaign was carried out against government organizations, businesses, researchers and private individuals. About 100 Regin infections have been detected, the researchers said, with most — a combined 52 percent — in Russia and Saudi Arabia. The remainder have occurred in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan. No infections have yet been detected in the U.S. or China.
Symantec was first made aware of Regin after customers discovered parts of it and sent the code for analysis. “We realized there was more to what was sent us than was readily apparent and went back to investigate further,” said Liam O’Murchu, one of the researchers. Symantec security software can now detect it, he said.
The quality of Regin’s design and the investment required to create it is such that it was almost certainly made by a nation-state, said O’Murchu. But asked to speculate which nation-state, he demurred. “The best clues we have are where the infections have occurred and where they have not,” he said in an interview with Re/code. “We know it was a government that is technically advanced. … This has been a huge spying campaign dating back at least to 2008 and maybe even as early as 2006.”
It doesn’t take much of a leap to wonder out loud if the U.S. National Security Agency or the Central Intelligence Agency, perhaps working with Israel, might be the source, especially given the list of countries targeted. However, there are other possible sources, including China.
There is still a lot about Regin that’s not known. (And for more technical detail on what is known, there’s a 21-page white paper here.) There are pieces of it, O’Murchu said, that haven’t yet been found and examined. But here’s what understood so far:
Regin attacks systems running Microsoft Windows. It attacks in stages and requires five pieces. Only the first stage is detectable– it opens the door for the subsequent stages, each of which decrypts and executes the following stage. In this way it’s similar to Stuxnet and its sibling Trojan, Duqu which was designed to gather intelligence on a target by stealing massive amounts of data.
Nearly half of all Regin infections occurred at Internet service providers, the targets being the customers of those companies. Other companies attacked included telecom providers, hospitality companies, energy companies, airlines and research organizations.
How the malware spreads is also a mystery. In one case — but only one — the infection was carried out by way of Yahoo Instant Messenger. In other cases, Symantec believes victims were tricked into visiting spoofed versions of well-known websites. “Other than that one example, we have no firm information on how it has been distributed,” O’Murchu said.
Once a computer has been compromised, Regin’s controllers can load it up with whatever payload is needed to carry out the spying operation. Said Symantec: “Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors,” say something that’s specifically geared toward spying on an airline or an energy company. This is “further evidence of the level of resources available to Regin’s authors,” the company said.
There are dozens of these payloads. One seen in several cases is a remote access tool, or RAT, which gives an attacker the ability to take control of a computer remotely — copy files from the hard drive, turn on the Web cam, turn on the microphone. RATs are also good for capturing keystrokes, a good way to steal passwords. Some of the more advanced payloads seen on machines compromised by Regin include software to monitor network traffic and a tool to manage mobile phone base stations.
Exceptional effort was made by its creators to prevent Regin and its communications to its handlers from being detected. “Even when its presence is detected, it is very difficult to ascertain what it is doing,” said Symantec.
Several pieces of Regin are still circulating and are as yet undiscovered, O’Murchu said. He hopes that with the publication of Symantec’s findings, more information from other researchers will come to light.