Creepy 'Regin' spy cyberweapon reminds researchers of Stuxnet

Surveillance 'platform' targeted GSM networks, Russia and Saudi Arabia

Symantec and Kaspersky Lab have discovered another cyber-surveillance tool of the sort that nation states use to spy on one another. Called 'Regin' by Symantec, it is attracting a lot of attention because it is reminiscent of complex tools such as Duqu and Stuxnet.

Both companies steer away from saying that this is a US-created spy programme, because neither has any hard evidence to show it, but there are signs that on an Internet packed with Chinese and Russian state-sponsored malware this one is a bit different.

Boiling it down, several elements make it look US- or Israeli-authored, starting with its age. Version 1.0 appears to date back to 2003 (according to Kaspersky Lab) or to the 2008-2011 period (Symantec), the so-called 'stealth years' of cyberweapons, when nobody in the security community knew these programmes existed.

These dates mean Regin would have been in development for some time before that, which narrows down the suspect list. A second version, 2.0, appeared in 2013, along with a rarer 64-bit build. Regin 1.0 disappeared abruptly in 2011, around the time cyberweapons were starting to attract wider attention.

Infections were detected mainly in the Russian Federation (28 percent) and Saudi Arabia (24 percent), with smaller volumes in Mexico, Ireland, India, Afghanistan, Iran and Belgium, Symantec said. On the face of it this looks like an open-and-shut case of targeting US adversaries, but is it as simple as that?

The most targeted groups were private individuals and small businesses (48 percent) and backbone telecoms firms (28 percent), which on the face of it chimes with the Five Eyes countries (US, UK, Canada, Australia and New Zealand) and their well-documented interest in intercepting PSTN and mobile calls. According to the Snowden papers, Belgium's state telecoms provider Belgacom was a major target for GCHQ around 2011, and individual Belgian IT experts were also allegedly targeted.

Sure enough, Kaspersky Lab confirmed that Regin has been used to spy on GSM networks, including one operation in 2008 that targeted a Middle Eastern country.

Symantec describes its structure as 'modular', which, given that most malware works this way nowadays, could be a coded way of suggesting a connection to programmes such as Stuxnet. Kaspersky Lab believes that Regin is not so much a tool as a complete cyber-espionage platform.

"Regin also uses a modular approach, allowing it to load custom features tailored to the target. This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil, while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats," said Symantec.

Regin is complicated, uses fussy techniques such as encryption to hide some of its workings, and possibly exploits previously unknown (i.e. zero-day) vulnerabilities; its initial infection vector has not been confirmed. Whatever the superficial similarities to the MO of Stuxnet, Flame and Duqu, Regin is still fundamentally a data-stealer: it harvests documents, keystrokes and screengrabs, and can even prevent a remote PC from being restarted via Ctrl-Alt-Del.

In conclusion, there is no smoking gun connecting Regin to Stuxnet or to any other suspected US or Israeli programme, but the mere fact that it has been so meticulously written to hide its origins is odd enough on its own.

Chinese malware tends to be aggressive, more recently discovered Russian malware has a paranoiac flair, but only US code is supernaturally complicated and inscrutable. As one security expert once described a US cyberweapon to Techworld off the record, "It could have been written in Narnia."

"Regin appears to be a very sophisticated piece of software. Unlike many other forms of malware that are designed for one job, this particular piece can adapt to many different jobs that include intelligence gathering, granting remote access or even taking screenshots," said Mark James of security firm, ESET.

"Regin almost certainly has been used for very large scale data gathering. It's taken a lot of resources to create and most probably will have many variants both waiting to be released and in the wild already. We would be naive to think that there aren't other very similar complex pieces of malware out there undetected, quietly sitting on hardware gathering data and sending it back for intelligence and malicious means."

Stories by John E Dunn