An extremely sophisticated computer spying program has been spying on computers in Saudi Arabia, Russia, and other countries since at least 2008, security company Symantec says.
The software, called Regin, is similar, in its complexity and in the way it hides its presence, to Stuxnet, a computer virus that former U.S. officials say was created by the U.S. and Israel to attack Iran’s nuclear-enrichment facilities.
Symantec said Regin infections were observed between 2008 and 2011, after which it was abruptly withdrawn. A new version of the malware resurfaced from 2013 onwards. It is customizable, in that it deploys different capabilities for different targets.
The spyware targeted private companies, government entities, research institutes, and telecoms companies. The latter were targeted in a way designed to gain access to calls being routed through their infrastructure, Symantec said. The majority of targeted people and organizations were in Russia and Saudi Arabia.
Regin was created and deployed by a nation state, Symantec said, as its structure displays a degree of technical competence rarely seen. “It provides its controllers with a powerful framework for mass surveillance,” and has been used in data collection or intelligence gathering campaigns.
“Symantec believes that it’s likely a western intelligence agency is behind this. The only comparable threat that we’ve seen is Stuxnet – that’s the level of skill and expertise here,” the company told The Wall Street Journal. However, a cyber-security expert from a competing firm, who asked not to be named because he hadn’t seen the forensics on Regin yet, said it was impossible to definitively say who was behind the spy program based only on previous information, like Stuxnet.
Regin has dozens of “payloads” – specific programs meant to do specific things at specific targets. For instance, it has remote access capabilities that allow capturing a computer’s screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.
More specific and advanced payloads discovered include a program that monitors traffic on a Microsoft Internet Information Server, popular with many web sites, as well as a program that monitors traffic at mobile telephone base stations.
Regin’s central strength, however, is its stealth. Regin’s developers put considerable effort into making it highly inconspicuous, Symantec said, allowing the program to be used in espionage campaigns lasting several years.
It does this through several stealth features, including anti-forensics capabilities, a custom-built encrypted virtual file system and other encryption features.
Symantec said that many components of Regin probably remain undiscovered and additional functionality and versions may exist.
Authored by Amir Mizroch via wsj.com.