After six years of spying on the communications of private individuals around the globe and methodically concealing evidence of its existence, Regin, a backdoor Trojan, has been profiled by security firm Symantec.
Due to the sophistication of Regin, Symantec concludes the malware was created through significant funding from a nation-state. Regin took months or even years to build, which leads Symantec to believe the malware is one of a state's primary tools for cyber espionage.
"It is definitely a professionally written piece of software," said Orla Cox, a senior analyst for Symantec's Security Response division. "You would have to be well-funded and well-resourced to create and maintain it, which could probably only be afforded by a nation-state."
Regin infections have been primarily concentrated in Afghanistan, Austria, Belgium, Ireland, India, Iran, Mexico, Pakistan, Russia and Saudi Arabia. Approximately 28 percent of the infections were concentrated in Russia and about 24 percent targeted Saudi Arabia.
While security experts have quickly drawn up a list of suspects when other sophisticated tools for cyber espionage have been discovered, the tech sector is relatively quiet on Regin's origins.
About 48 percent of the Regin attacks targeted small businesses and private individuals. Roughly 28 percent of the Regin attacks went after telecommunications companies, an effort Symantec states was likely meant to find more information about the people and businesses it was already targeting.
Only about 100 small businesses and private individuals are known to have fallen prey to the Regin attacks, but the sheer sophistication and stealthiness of the malware indicate the true number of victims could be far higher.
"Regin's developers put considerable effort into making it highly inconspicuous," states Symantec in a blog post. "Its low-key nature means it can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing."
Evidence of Regin had been spotted several times between 2008 and 2011, but the malware was withdrawn. It wasn't seen again until 2013, at which point the malware had evolved.
Regin takes a modular approach to infecting its targets, exposing only puzzle pieces when the malware is detected. The malware begins infections by baiting targets into agreeing to use software infected with Regin's initial module, the only part of the malware that isn't encrypted.
Regin's subsequent modules are rolled out as desired, allowing the group behind the malware to scale its attacks to the degree necessary to collect information on each target. Each of the malware's five modules offers little detail about the full package, but Symantec was able to draw up a sketch of Regin after reviewing each of the toolkit's features.
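The staged design described above, with a single plaintext loader and encrypted later modules, is exactly why static inspection of a captured sample yields so little. The script below is an added illustration, not Regin code or anything from Symantec's report: it builds a constructed byte blob (a readable first stage followed by deterministic pseudo-random bytes standing in for encrypted stages) and shows a standard analyst heuristic, per-chunk Shannon entropy, that flags the encrypted regions a string search cannot see into. The chunk size and 7.0-bit threshold are assumptions chosen for the example.

```python
import hashlib
import math

CHUNK_SIZE = 512          # assumed window size for the entropy scan
HIGH_ENTROPY = 7.0        # assumed threshold (max is 8.0 bits per byte)

# Constructed sample, not a real malware artifact: a readable first stage
# padded to exactly one chunk, then 2048 bytes derived from SHA-256 that
# stand in for encrypted follow-on modules.
_TEXT = b"This program cannot be run in DOS mode.\r\n"
STAGE0 = (b"MZ" + _TEXT * 12)[:CHUNK_SIZE].ljust(CHUNK_SIZE, b"\x00")
ENCRYPTED_STAGES = b"".join(
    hashlib.sha256(b"constructed-stage-%d" % i).digest() for i in range(64)
)
SAMPLE = STAGE0 + ENCRYPTED_STAGES


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """(offset, entropy) for each fixed-size window of the blob."""
    return [
        (off, shannon_entropy(data[off:off + chunk_size]))
        for off in range(0, len(data), chunk_size)
    ]


def flag_high_entropy(data: bytes, chunk_size: int = CHUNK_SIZE,
                      threshold: float = HIGH_ENTROPY) -> list:
    """Windows whose entropy suggests compressed or encrypted content."""
    return [(off, e) for off, e in chunk_entropies(data, chunk_size)
            if e >= threshold]


def find_marker(data: bytes, marker: bytes) -> list:
    """Offsets of a plaintext marker; only unencrypted stages expose them."""
    hits, start = [], 0
    while (pos := data.find(marker, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


if __name__ == "__main__":
    for off, e in chunk_entropies(SAMPLE):
        tag = "likely encrypted" if e >= HIGH_ENTROPY else "inspectable"
        print(f"offset {off:5d}  entropy {e:.2f}  {tag}")
    print("marker hits:", find_marker(SAMPLE, b"DOS mode"))
```

Run against the constructed blob, only the first window scores low and contains the searchable marker; every later window sits near 7.6 bits and exposes nothing to a string scan, which is the property that lets a staged implant hide its real capabilities from anyone who only recovers the loader. The same scan, applied to suspicious files or memory regions, is a cheap triage step that points an analyst at where decryption or dynamic analysis is needed.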