Who created the Regin malware?


A few weeks ago, security vendor Symantec discovered an advanced piece of malware that it says has been used to conduct surveillance since at least 2008.

The Trojan, which the company named Regin, is an unusually sophisticated modular platform that has the ability to be tailored with different capabilities – including GSM network monitoring – depending upon its intended target.

A Symantec blog post says it has been used to snoop on “government organizations, infrastructure operators, businesses, researchers, and private individuals.”

The capabilities of Regin, according to Symantec, suggest that it was created by a nation state for the purpose of snooping on others.

That of course leads to several questions surrounding the newly discovered Trojan, including how it has been able to evade detection for so long, who it has been used against and, most intriguingly, who created it?

As for how Regin has been able to evade detection for at least six years, the answer is surprisingly simple. While many readers may think every piece of malware in the wild is a complex mass of code, the truth is that most malicious software is remarkably simple in design and easily detected. In the case of Regin, the opposite is true – the Trojan is a complex piece of work designed specifically to evade detection. Symantec even commented that, once detected, it is very difficult to determine what the malware is up to, making it an ideal candidate for long-term surveillance duties.

The second question, namely who Regin has been used against, is much harder to answer. Its stealthy nature, plus the likely unwillingness of targets to admit they have fallen victim to it, means that conclusive data is impossible to obtain. That said, Symantec has concluded that almost half (48%) of the victims it has seen have been either private individuals or small businesses. A further 28% of targets have been in the telecoms sector, while other targets have been in the research, hospitality, energy and airline industries.

A breakdown of infection by nation offers little help in identifying the likely source of Regin as it has been detected in many countries. Primary targets, based on current Symantec data, would appear to be the Russian Federation (28%) and Saudi Arabia (24%) though other nations such as Ireland, Mexico, Belgium and Austria have also been affected.

With little more to go on, the answer to who created Regin is hard to come by and speculation is rife.

Symantec quite sensibly declines to point fingers in any particular direction, save to say that “the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.”

Russian vendor Kaspersky Lab is equally reluctant to assign blame in any particular direction. In its own write-up of Regin it actually muddies the water further by highlighting additional affected countries, including Germany and Brazil, while also pointing out how smaller nations such as Fiji and Kiribati appear to have been targeted.

The company, which suggests Regin may have been around since as early as 2003, has published development timestamps for the malware which suggest most activity was confined to the 10am to 9pm (GMT) period. While this could, along with British-sounding file names for the various modules (WILLISCHECK, LEGSPIN, HOPSCOTCH and U-STARBUCKS), be reasonably interpreted as meaning development took place within the UK or another European country, Kaspersky quite rightly points out that such names and timestamps could just as easily signify “an intentional false flag or a non-critical indicator left by the developers.”
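The timestamp analysis described above is a standard attribution heuristic: bucket the build timestamps of every module by hour of day in UTC, find the contiguous window of activity, and then ask which UTC offsets would place that window inside normal office hours. The script below is an added example, not code from the original post or from Symantec or Kaspersky; the timestamps it analyses are constructed for illustration and are not Regin's real build times, and the "business hours" window of 08:00 to 20:00 local is an assumption. It also shows the limitation the article raises: several different offsets fit the data almost equally well, and the timestamps themselves are trivially forgeable, so the result is a weak indicator rather than proof of origin.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of module build timestamps in UTC (ISO 8601).
# These are made-up values for illustration, NOT Regin's real timestamps.
SAMPLE_TIMESTAMPS = [
    "2011-03-14T10:12:00Z", "2011-03-14T11:05:00Z", "2011-03-15T11:47:00Z",
    "2011-03-15T12:30:00Z", "2011-03-16T13:02:00Z", "2011-03-16T14:15:00Z",
    "2011-03-17T14:58:00Z", "2011-03-17T15:20:00Z", "2011-03-18T16:10:00Z",
    "2011-03-18T16:44:00Z", "2011-03-21T17:33:00Z", "2011-03-21T18:25:00Z",
    "2011-03-22T19:40:00Z", "2011-03-22T20:05:00Z", "2011-03-23T21:50:00Z",
]


def parse_utc(ts):
    """Parse an ISO 8601 'Z'-suffixed timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hour_histogram(timestamps):
    """Count how many builds fall into each UTC hour of the day (0-23)."""
    return Counter(parse_utc(ts).hour for ts in timestamps)


def weekday_fraction(timestamps):
    """Fraction of builds that happened Monday to Friday (UTC)."""
    days = [parse_utc(ts).weekday() for ts in timestamps]
    return sum(1 for d in days if d < 5) / len(days) if days else 0.0


def active_window(hist, min_count=1):
    """Return (start_hour, end_hour), inclusive, of the contiguous band of
    active hours, treating the clock as circular. The band is the complement
    of the largest gap between hours that have at least min_count builds."""
    active = sorted(h for h, c in hist.items() if c >= min_count)
    if not active:
        return None
    best_gap, best_idx = -1, 0
    for i, h in enumerate(active):
        nxt = active[(i + 1) % len(active)]
        gap = (nxt - h) % 24 or 24  # a single active hour wraps to itself
        if gap > best_gap:
            best_gap, best_idx = gap, i
    return active[(best_idx + 1) % len(active)], active[best_idx]


def business_hour_fraction(hist, utc_offset, start=8, end=20):
    """Fraction of builds that land inside [start, end) local time if the
    developers worked at the given UTC offset. 08:00-20:00 is an assumption."""
    total = sum(hist.values())
    inside = sum(c for h, c in hist.items() if start <= (h + utc_offset) % 24 < end)
    return inside / total if total else 0.0


def rank_offsets(hist, offsets=range(-12, 15)):
    """Rank candidate UTC offsets by how well they fit office hours.
    Near-ties are expected: a 12-hour activity band fits many time zones."""
    scored = [(off, business_hour_fraction(hist, off)) for off in offsets]
    return sorted(scored, key=lambda x: (-x[1], abs(x[0])))


if __name__ == "__main__":
    hist = hour_histogram(SAMPLE_TIMESTAMPS)
    print("UTC activity window:", active_window(hist))
    print("Weekday fraction:", round(weekday_fraction(SAMPLE_TIMESTAMPS), 2))
    for off, frac in rank_offsets(hist)[:5]:
        print(f"UTC{off:+d}: {frac:.2f} of builds inside assumed office hours")
```

On the constructed data the activity band is 10:00 to 21:00 UTC, which is what the article reports for Regin, and the best-fitting offsets cluster around UTC-2 to UTC+0 with only a build or two separating them. That spread is exactly why a 10am to 9pm window cannot by itself distinguish the UK from its neighbours, and why a build system with a deliberately skewed clock would defeat the method entirely.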

So, what we are left with is a puzzle, and one that may never be solved. Espionage is a serious business and no perpetrator ever wants to be caught in the act. Therefore it would be no surprise to learn that whoever created Regin would leave clues within its code and development timestamps that lead to completely the wrong place.

What is for sure though is the fact that Regin is yet another tool designed for snooping not only on governments and large corporations, but on smaller businesses and individuals too. So, regardless of who created it, we here at ExpressVPN do not like it: we believe that individuals have the right to personal freedom and privacy – that’s why we offer you, our users, a simple and easy to use service to achieve just that.

2 COMMENTS

  1. Not British – just as obviously. FTA: ‘…Kaspersky quite rightly points out that such names and timestamps could quite easily signify “an intentional false flag or a non-critical indicator left by the developers.”’

    Much more important question – how do you find out if your PC has been infested, and if so, how do you get rid of it?
