Symantec has uncovered a sophisticated new piece of malware—reminiscent of Stuxnet and Duqu—which bears the hallmarks of a state-sponsored operation and operates with a degree of technical competence rarely seen. The malware, dubbed “Regin,” appears to have been in use since at least 2008 and is likely used as an espionage and surveillance tool by intelligence agencies. Symantec says, however, that it does not have enough evidence to attribute it to any particular state or agency.
In contrast to “traditional” APTs, which often seek specific information such as intellectual property, Regin is used for the broad collection of data and continuous monitoring of its targets. Regin’s overarching purpose is to act as a spying tool framework for intelligence agencies to customise, depending on the organisation, system or data they’re targeting. Notably, the majority of Regin’s code is not visible on infected computers, and it goes to great lengths to hide the data it’s stealing.
It is likely that its development took months, if not years, to complete, and its authors have gone to great lengths to cover their tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.
In a blog post, Symantec says "Regin infections have been observed in a variety of organizations between 2008 and 2011, after which it was abruptly withdrawn. A new version of the malware resurfaced from 2013 onwards. Targets include private companies, government entities and research institutes. Almost half of all infections targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure."