Security researchers have discovered one of the most advanced pieces of malware ever created — and it's been in use since at least 2008. Symantec researchers published their findings today on a new Trojan they're calling "Regin."
The researchers say the tool is "a complex piece of malware whose structure displays a degree of technical competence rarely seen." It's been cleverly designed to spy on computer systems around the world while leaving hardly a trace behind. The software's "authors have gone to great lengths to cover its tracks," reports Symantec, by using multiple layers of complex encryption to mask spying activities. Even when Symantec's researchers did discover the presence of malware on clients' machines, they had to decrypt an entire sample package of files just to get some idea of what the tool was up to.
The espionage tool has been found primarily on systems in Russia and Saudi Arabia, though its presence has been detected in smaller numbers in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria, and Pakistan. Over half of all confirmed cases were on machines in Russia and Saudi Arabia.
"Its authors have gone to great lengths to cover its tracks."
Attacks on internet providers and telecom companies — with the goal of obtaining information from the small businesses and individuals that use their services — accounted for roughly 75 percent of infections. Airlines, energy utilities, research agencies, and hospitality companies were also targets of such attacks.
As you might expect, something this complex isn't designed to steal your credit card numbers. The sophistication of the software and its confirmed targets, according to Symantec, makes almost certain that the malware is state-sponsored. In fact, the researchers say that it is similar to the Stuxnet worm that was allegedly designed to sabotage Iran's nuclear program. They should know: this group of computer security experts are the same team that first discovered Stuxnet. The US, Israel, and China are believed to be among the nations with the funding and expertise to develop and execute such attacks.
"A huge spying campaign dating back at least to 2008."
Whichever nation-state sponsored this malware, it's believed that Regin is likely that government's primary means of executing cyber espionage around the world. One of the malware's fairly unique traits is that it is highly customizable. Different packages can be built into the payload that infects computer systems. Some of the typical tools the software has at its disposal is the ability to remotely control the mouse and keyboard, take screenshots, record key presses and network activity, and recover deleted files. But spies could also load more specialized functionality designed for specific monitoring of energy utility or telecom systems, according to researchers. Those custom payloads "exhibit a high degree of expertise in specialist sectors," according to researchers — another sign that a large state player is behind the software.
What's not clear is how the malware executes an attack. In just one single confirmed case, it exploited an undiscovered Yahoo Messenger vulnerability, but the researchers speculate that it can use spoofed versions of popular websites or other application holes to gain access to computer systems.
The pattern of attacks does show, however, that the software has been used for years. "This has been a huge spying campaign dating back at least to 2008 and maybe even as early as 2006," researcher Liam O’Murchu tells Recode. Attacks abruptly halted in 2011, before an updated version of the malware was introduced to the web in 2013. There's still much that's unknown, but now that Regin's existence has been publicized, we should expect more details to trickle out over the coming months.