Creepy 'Regin' spy cyberweapon reminds researchers of Stuxnet

Surveillance 'platform' targeted GSM networks, Russia and Saudi Arabia

Symantec and Kaspersky Lab have discovered another cyber-surveillance tool of the sort countries use to spy on each other. Called 'Regin' by Symantec, it's attracting a lot of attention because it is reminiscent of complex tools such as Duqu and Struxnet.

Both companies steer away from saying this is a US-created spy programme because neither has any hard evidence to show that but there are signs that on an Internet packed with Chinese and Russian state-sponsored malware this one is a bit different.

Boiling it down, there are several elements that make it look US or Israeli-authored, starting with its age, which in version 1.0 appears to go back to 2003 (according to Kaspersky Lab) and 2008-2011 (Symantec), sometimes called the 'stealth years' of cyberweapons because nobody in the security community knew these programmes existed until later on.

These dates means Regin would have been in development for some time before that, which narrows down the suspect list. A second version, 2.0, appeared in 2013, and also more rarely a 64-bit version. Regin 1.0 disappeared suddenly in 2011 around the time cyberweapons were starting to attract more attention.

Infections were detected mainly in the Russian Federation (28 percent), Saudi Arabia (24 percent), as well as smaller volumes in Mexico, Ireland and India, Afghanistan, Iran and Belgium, Symantec said. This looks like an open and shut on targeting US enemies, but is it as simple as that?

The most targeted group were private individuals and small businesses (48 percent) and backbone telecoms firms (28 percent) which on the face of it chimes with Five Eyes countries (US, UK, Canada) Australia, and New Zealand) and their obsession with spying on PSTN and mobile calls - according to the Snowden papers Belgium's state telecoms provider Belgacom was a major target for GCHQ around 2011 and individual Belgian IT experts were also allegedly targeted.

Sure enough, Kaspersky Lab confirmed that Regin has been used to spy on GSM networks, including one operation in 2008 that involved a Middle-Eastern country.

Symantec describes its structure as 'modular', which despite the fact that all malware works this way nowadays could be a coded way of suggesting a connection to programmes such as Stuxnet. Kaspersky believes that Regin is not so mucch a tool as a complete cyber-platform.

"Regin also uses a modular approach, allowing it to load custom features tailored to the target. This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil, while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats.," said Symantec.

Regin is complicated, uses fussy techniques such as encryption to hide some of its workings, and possibly manipulates undocumented (i.e. zero day) vulnerabilities. Whatever the superficial similarities to the MO of Stuxnet, Flame and Duqu, Regin is a still a data-stealer, harvesting documents, keystrokes, screengrabs, and even has the ability to lock the remote PC from a restart using ctrl-Alt-Del.

In conclusion, there is no smoking gun that connects Regin to Stuxnet or any other suspected US or Israeli programmes but the mere fact it has been meticulously written to hide its origins is odd enough on its own.

The Chinese write aggressive malware, more recently-discovered Russian malware has a paranoiac flair, but only US code is supernaturally complicated and inscrutable. As one security expert once described a US cyberweapon to Techworld off the record, "It could have been written in Narnia."

"Regin appears to be a very sophisticated piece of software. Unlike many other forms of malware that are designed for one job, this particular piece can adapt to many different jobs that include intelligence gathering, granting remote access or even taking screenshots," said Mark James of security firm, ESET.

"Regin almost certainly has been used for very large scale data gathering. It's taken a lot of resources to create and most probably will have many variants both waiting to be released and in the wild already. We would be naive to think that there aren't other very similar complex pieces of malware out there undetected, quietly sitting on hardware gathering data and sending it back for intelligence and malicious means."

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecsecuritymalwarekaspersky lab

More about GCHQKasperskySymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

More videos

Blog Posts