Symantec and Kaspersky Lab have discovered another cyber-surveillance tool of the sort countries use to spy on each other. Called 'Regin' by Symantec, it is attracting a lot of attention because it is reminiscent of complex tools such as Duqu and Stuxnet.
Both companies steer away from saying this is a US-created spy programme because neither has any hard evidence to show that, but there are signs that, on an Internet packed with Chinese and Russian state-sponsored malware, this one is a bit different.
Boiling it down, there are several elements that make it look US- or Israeli-authored, starting with its age. Version 1.0 appears to date back to 2003 (according to Kaspersky Lab) or to 2008-2011 (according to Symantec), a period sometimes called the 'stealth years' of cyberweapons because nobody in the security community knew these programmes existed until later on.
These dates mean Regin would have been in development for some time before that, which narrows down the suspect list. A second version, 2.0, appeared in 2013, along with a rarer 64-bit variant. Regin 1.0 disappeared suddenly in 2011, around the time cyberweapons were starting to attract more attention.
Infections were detected mainly in the Russian Federation (28 percent) and Saudi Arabia (24 percent), with smaller volumes in Mexico, Ireland, India, Afghanistan, Iran and Belgium, Symantec said. This looks like an open-and-shut case of targeting US enemies, but is it as simple as that?
The most targeted groups were private individuals and small businesses (48 percent) and backbone telecoms firms (28 percent), which on the face of it chimes with the Five Eyes countries (US, UK, Canada, Australia and New Zealand) and their obsession with spying on PSTN and mobile calls. According to the Snowden papers, Belgium's state telecoms provider Belgacom was a major target for GCHQ around 2011, and individual Belgian IT experts were also allegedly targeted.
Sure enough, Kaspersky Lab confirmed that Regin has been used to spy on GSM networks, including one operation in 2008 that involved a Middle-Eastern country.
Symantec describes its structure as 'modular', which, despite the fact that most malware works this way nowadays, could be a coded way of suggesting a connection to programmes such as Stuxnet. Kaspersky Lab believes that Regin is not so much a tool as a complete cyber-platform.
"Regin also uses a modular approach, allowing it to load custom features tailored to the target. This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil, while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats," said Symantec.
Regin is complicated, uses fussy techniques such as encryption to hide some of its workings, and possibly exploits previously unknown (i.e. zero-day) vulnerabilities. Whatever the superficial similarities to the MO of Stuxnet, Flame and Duqu, Regin is still a data-stealer: it harvests documents, keystrokes and screengrabs, and can even stop the remote PC being restarted via Ctrl-Alt-Del.