
“Groundbreaking” state spyware targeted airlines and energy firms

The security firm Symantec has detailed a highly sophisticated piece of spyware called Regin, which it reckons is probably a key intelligence-gathering tool in a nation state’s digital armory. Its targets have included individuals, small businesses, telecommunications firms, energy firms, airlines, research institutes and government agencies.

In a whitepaper, Symantec described Regin as “groundbreaking and almost peerless.” Regin comprises six stages, each triggered by the previous one, with every stage (barring the initial infection stage) remaining encrypted until the preceding stage calls upon it. It can deploy modules that are “tailored to the target.” According to the firm, it was used between 2008 and 2011, then disappeared until a new version appeared in 2013.

The targets fell victim to the malware in a variety of ways, including by being tricked into visiting phoney versions of well-known websites. “There are dozens of Regin payloads,” a Sunday blog post explained.

“The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.”

Symantec suggested that Regin has mostly been used to target entities in Russia and Saudi Arabia, but has also been found in Ireland, Mexico, India, Afghanistan, Iran, Belgium, Austria and Pakistan.

“The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible,” the post stated. “Its design makes it highly suited for persistent, long term surveillance operations against targets.”