An “extremely complex” and “stealthy” Stuxnet Equivalent spying program has been stealing data from ISPs, energy companies, airlines and research-and-development labs, a security company has said.
With a “degree of technical competence rarely seen”, Regin had probably taken years to develop, Symantec said.
“Regin” malware is thought to have been developed by a nation-state because of the financial clout needed to produce code of this complexity. The malware targets organisations in the telecommunications, energy and health sectors.
Symantec malware reversers found attackers have foisted Regin on targets using mixed attack vectors including one unconfirmed zero-day in Yahoo! Messenger.
“Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen,” Symantec’s researchers wrote.
“Customisable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organisations, infrastructure operators, businesses, researchers, and private individuals.
“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state.”
The security firm did not name a nation as the source of Regin, but is willing to say most of its victims were from Russia and Saudi Arabia and were targeted between 2008 and 2011, with a since-decommissioned version of the malware that re-surfaced after 2013.