Regin malware used in attacks since 2008, Symantec research finds


Symantec believes the Regin malware it has uncovered was most likely built by a national government to carry out state-sponsored espionage against infrastructure providers, large enterprises and other targets.

The Regin malware has been picked up attacking firms across the globe and is described as one of the most sophisticated examples of malicious software ever seen.

At present, the majority of attacks are said to have taken place in Russia, Saudi Arabia and Mexico against telecommunications, energy and health companies, with Symantec describing the malware in a blog post as a backdoor-type Trojan with "a degree of technical competence rarely seen".

It added that Regin has been used against a range of international targets since 2008, and that it can be used to spy on governments, infrastructure providers, businesses, research teams and individuals.

"It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber-espionage tools used by a nation state," the firm said.

Symantec did not name the likely geographical source of the attacks, but the article notes that the spread of victim nations suggests the source could be a Western country with sufficient development resources.

Around half the total attacks were aimed at Russian and Saudi firms at 28 per cent and 24 per cent, respectively. Mexico and Ireland accounted for nine per cent each.

"Its design makes it highly suited for persistent, long term surveillance operations against targets," the researchers said.

Early versions of the malware were in use until 2011, when they were abruptly withdrawn; Regin then reappeared in a new form in 2013. Such a withdrawal suggests its operators believed the tool had been detected or was under analysis, reducing its effectiveness, and pulled it back until a reworked version was ready.

Symantec said that "many components of Regin remain undiscovered and additional functionality and versions may exist." The firm said its investigation is continuing and that it will publish updates as further discoveries about the malware are made.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.