Security researchers have unearthed a sophisticated piece of malware they believe has been created by a government entity and has been spying on private individuals for six years.
On Sunday, Symantec published a blog post and an accompanying technical document providing details about Regin (pronounced as reg-en), which the firm describes as "a complex piece of malware whose structure displays a degree of technical competence rarely seen." The researchers say Regin is a "powerful framework for mass surveillance," with most of its victims comprising private individuals, government agencies, private businesses and telecommunications and health infrastructure in Russia, Saudi Arabia, Mexico and Ireland. India, Afghanistan, Iran, Belgium, Austria and Pakistan are also affected.
"It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks," Symantec says. "Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state."
Part of what makes Regin difficult for cybersecurity experts to crack is its design. Regin is designed to have five attack stages, and the first stage, a Trojan or backdoor, is the only one that is easy to detect. Each of the succeeding four stages is fully hidden and encrypted, and can only be loaded once the previous stage has been executed. Researchers say that to understand how Regin works, they have to decrypt every stage, since each one contains very little information on the malware.
Even then, Regin is composed of customizable modules which can be tailored toward the specific user being attacked. For instance, it can be deployed on a private user's system to capture screenshots, steal passwords and monitor network traffic. It can also accomplish more advanced tasks, such as sneaking into the traffic of mobile phone base station controllers and monitoring web server traffic.
"One of the problems we have with analyzing is we don't have all the components. You only get the modules set on that victim," Liam O'Murchu, security researcher at Symantec, tells Fortune. "But we know there are far more modules than what we have here. We don't have enough information to understand."
O'Murchu says Regin was coded "in a very advanced way" that makes it difficult to detect, further evidence of the length of time the researchers think the malware has been around. It uses several stealth features, including a custom-built encrypted virtual file system and an uncommon alternative encryption method, a variant of RC5.
The researchers believe Regin's complexity can only mean that massive resources were pooled into its development and operation, indicating that a nation state is responsible for Regin.
Symantec draws similarities to other sophisticated pieces of malware developed by governments in the past, such as the multi-stage loading Duqu and Stuxnet, believed to have been created by the United States and Israeli governments to thwart Iran's nuclear research program in 2010. While Duqu and Stuxnet's purpose was to cause damage, the researchers believe Regin was created for mass surveillance purposes.