Skip to content ↓ | Skip to navigation ↓

Recently, several leading security firms reported the existence of Regin, one of the most sophisticated malware ever discovered.

Symantec was the first to announce Regin’s discovery. A competing firm, Kaspersky Lab, published a white paper on the malware a day later.

Regin is already associated with a number of high-profile cyber attacks. For instance, Britain’s GCHQ is known to have used the malware to infiltrate Belgacom, a Belgian phone and Internet provider, in what came to be known as “Operation Socialist.”

Additionally, documents leaked by Edward Snowden show that the National Security Agency employed Regin as a means of conducting surveillance on European Union computer systems.

The malware’s sophistication comes from its multi-stage execution. Each stage plays a crucial role along a chain of decryption, yet none of them reveal information about any of the other stages. Regin’s authors likely employed this type of design in order to avoid getting caught.

Given the fact that it also follows a modular approach and possesses an array of anti-forensic capabilities, Regin is thought to be on a level of sophistication on par with Stuxnet, according to Symantec.

At this time, however, little is known about the malware’s authors.

Ronald Prins, Founder and CTO of Fox-IT, a company that was called in to analyze Belgacom’s computer systems, is convinced Regin was developed by U.S. and UK intelligence agencies.

By contrast, Symantec thinks a nation-state may be behind the malware, yet it has not elaborated any further.

Initial research suggests that nearly half (48%) of all Regin infections have been used to target private individuals and small businesses based in Saudi Arabia, Mexico, Ireland, as well as other areas across Europe and MENA.

Among the individuals affected is Jean Jacques Quisquater, a well-known Belgian cryptographer who provided a sample of the malware to Kaspersky Labs after being infected earlier this year.

Even though hackers could feasibly use Regin to target anyone, they would only do so if that person was of strategic value, according to Jim Penrose, who spent 17 years at the NSA and was involved in the much-feared Tailored Access Operations group (TAO).

“[Cybercriminals] don’t want to fire silver bullets unless it’s absolutely necessary,” explains Penrose. Malware types such as Regin “are really high quality. You want to save those for a time when it’s absolutely critical.”