An unusually sophisticated malware called “Regin” has attacked internet and telecommunications companies in 14 countries since 2008, Symantec and Kaspersky Labs said in separate reports.
Symantec believes Regin was likely created for cyber espionage purposes by a nation state, although it didn’t suggest which government was responsible for it.
“Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen,” Symantec wrote in a report published on Sunday. “Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.”
Symantec says Regin was first detected in 2008, but disappeared three years later, only to resurface in 2013. Regin has attacked all kinds of businesses, including telecoms, hospitality, and airlines, but nearly half of its targets were private individuals and small businesses. Russia and Saudi Arabia were the two hardest-hit countries, accounting for 28% and 24% of the attacks respectively, but it has also been spotted in Mexico, Ireland, and India.
In a follow-up report on Monday, another IT security lab, Kaspersky Labs, said it has been tracking Regin for the past two years. It said the victims of Regin were mostly telecom operators, government institutions, multinational political bodies, and financial or research institutions. It says the two main objectives of the attacks were “intelligence gathering” and “facilitating other types of attacks,” with 14 countries identified as victims of Regin so far. Like Symantec, Kaspersky concluded that Regin is likely “supported by a nation-state.”
Although neither report named the nation-state likely responsible for Regin, Re/code pointed to a couple of reports (by The Intercept and the German magazine Der Spiegel) as hinting that the NSA and the UK’s intelligence agency GCHQ may have a hand in it.
The Wall Street Journal also reported that the malware appears to be the tool used by GCHQ in an attack on a telecom company in Belgium that carried large volumes of traffic between Asia, Africa, and the Middle East — areas of interest for western governments. The operation was exposed when documents provided by Edward Snowden showed spies at British intelligence agencies boasting about breaking into the telecom.