“Groundbreaking” state spyware targeted airlines and energy firms

The security firm Symantec has detailed a highly sophisticated piece of spyware called Regin, which it reckons is probably a key intelligence-gathering tool in a nation state’s digital armory. Its targets have included individuals, small businesses, telecommunications firms, energy firms, airlines, research institutes and government agencies.

In a whitepaper, Symantec described Regin as “groundbreaking and almost peerless.” Regin comprises six stages: each stage triggers the next, and every stage except the initial infection stage remains encrypted until the preceding stage calls upon it. It can deploy modules that are “tailored to the target.” According to the firm, it was used between 2008 and 2011, when it disappeared before a new version appeared in 2013.

The targets fell victim to the malware in a variety of ways, including by being tricked into visiting phoney versions of well-known websites. “There are dozens of Regin payloads,” a Sunday blog post explained.

“The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.”

Symantec suggested that Regin has mostly been used to target entities in Russia and Saudi Arabia, but has also been found in Ireland, Mexico, India, Afghanistan, Iran, Belgium, Austria and Pakistan.

Meanwhile, security firm Kaspersky has also written that Regin was used to target cryptographer Jean-Jacques Quisquater. As I reported in February, Belgian police discovered the likely hacking of Quisquater’s computer during the course of an investigation into the activities of the NSA and its British counterpart, GCHQ. That investigation was triggered by the hacking of telco Belgacom, which Edward Snowden’s leaks showed to be the work of GCHQ.

“The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible,” Symantec’s post stated. “Its design makes it highly suited for persistent, long term surveillance operations against targets.”

This article was updated at 7.50am to note the Quisquater connection.