Article Lead Image

Researchers suspect a government’s hand in major new malware ‘Regin’

It’s being described in terms similar to Stuxnet.


Rob Price


Researchers have uncovered a highly-advanced, “top-tier” piece of malware that has targeted governments, businesses, and national infrastructure and is believed to have been created by a nation-state.

The malware, called “Regin,” was revealed in a blogpost by software security company Symantec on Nov. 23. It has been used “in systematic spying campaigns against a range of targets” since at least 2008, and potentially as early as 2006. 

The software exhibits “a degree of technical competence rarely seen,” and this sophistication has led Symantec to predict that its creator is likely a nation-state. Regin probably took months or even years to develop, the researchers said.

Customizable and almost impossible to detect due to its encrypted “multi-stage” nature, Regin usually targets governments, research institutes, infrastructure operators, and businesses, but it has also attacked individuals. “Attacks on telecoms companies appear to be designed to gain access to calls routed through their infrastructure,” Symantec reports.

The malware has also been adapted to infiltrate the systems of airlines and energy companies, and is capable of logging keystrokes, copying files off hard drives, accessing webcams, and monitoring network traffic.

Malware experts have already drawn parallels with Stuxnet, weaponized malware that degraded Iran’s nuclear capabilities in 2010 and is believed to have been created by Israel and the United States. Symantec, which discovered Stuxnet, suggested that the significance of Regin may be even greater, calling it “one of the main cyberespionage tools used by a nation state.”

Unlike Stuxnet, there is no sign that Regin was designed to damage computer systems. Its purposes appears to be purely to discretely surveil targets, leaving almost no trace of its presence.  

So who is behind this new malware? That’s not yet clear—no nation state is likely to claim responsibility for it—and in an interview with re/code, Symantec security researcher Liam O’Murchu declined to speculate about its origins.

One hint as to its origins comes from its targets: Of the 100 known infections, 52 percent originated in Saudi Arabia and Russia. Other infection sources include Mexico, India, Iran, Pakistan, Ireland and Afghanistan, reports re/code. Regin has not yet been detected in either China or the U.S.

Symantec’s researchers have not been able to figure out how Regin infects its targets, though the researchers speculate that it could work by spoofing websites. Only one method of infection, Yahoo Messenger, has been conclusively identified.

H/T BBC | Illustration by Rob Price

Share this article

*First Published:

The Daily Dot