Which nation-state is behind the sophisticated, stealthy Regin malware?

Symantec researchers are impressed by Regin, which has been conducting high-level surveillance campaigns worldwide since 2008. Is it state-sponsored?
Written by Larry Seltzer, Contributor

Symantec Security Response has discovered a new malware called Regin which, they say, "...displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals."

This back-door trojan has been in use, according to the security company, since at least 2008, and has stayed under the radar since.

The level of quality and the amount of effort put into keeping it secret convinces Symantec that it is a primary cyberespionage tool of a nation state. 

Regin is a multi-stage attack: every stage but the first is encrypted, and no single stage on its own reveals much about the overall attack. The picture only emerges when you have all five stages.

The five stages of Regin.
Image: Symantec

Attacks were committed between 2008 and 2011 (Regin 1.0), at which point the malware disappeared. It resurfaced in 2013 (Regin 2.0) with some significant differences: the new version is 64-bit, and may have lost a stage.

Symantec has not found a stage 3 for the 2.0 version, which may be explained by the fact that the 1.0 stage 3 is a device driver, and installing device drivers on 64-bit Windows surreptitiously is a difficult proposition even, it would seem, for the most sophisticated of attackers.

Symantec's description of the threat in their threat database, where they call it Backdoor.Trojan.GR, indicates that it was detected and protection provided on December 12, 2013. Presumably they did not know what they had until much more recently, and retrospective analysis revealed the true nature of the threat and its use in prior years.

Even so, there is still much about Regin that they do not understand. They have, for example, not identified a reproducible infection vector, and these may have been customized for attacks. There are also "dozens of Regin payloads," providing for all the usual things like password stealing, captured screens, stolen files — including deleted files — and more.

The malware also makes use of non-standard and odd techniques as a means of stealth. For example, it has a custom-built encrypted virtual file system. Symantec believes that many components of Regin remain undiscovered.

Based on the sophistication of the threat and the substantial investment it would require, it's hard not to agree with Symantec that it appears to be a nation-state espionage tool. Symantec's charting of the infections by country also tells a tale that is, at the very least, atypical.

Regin infections by country.
Image: Symantec
